雨笋教育小编又来分享干货了,常见文件包含漏洞复现分析:
前言
日常搬砖过程中在github发现的一个CVE,https://github.com/ARPSyndicate/kenzer-templates/blob/1f1dd550ddbde72cbe378452973b93b3e62003f5/jaeles/cvescan/medium/CVE-2021-21234.yam 看着带了springboot就分析了下
环境搭建
git clone https://github.com/cristianeph/vulnerability-actuator-log-viewer
启动之后访问 //localhost:8887/manage/log/
漏洞复现分析
根据springboot启动日志发现/log/view 对应的方法为eu.hinsch.spring.boot.actuator.logview.LogViewEndpoint.view
对应代码
@RequestMapping("/view")
public void view(@RequestParam String filename,
@RequestParam(required = false) String base,
@RequestParam(required = false) Integer tailLines,
HttpServletResponse response) throws IOException {
securityCheck(filename);
response.setContentType(MediaType.TEXT_PLAIN_VALUE);
Path path = loggingPath(base);
FileProvider fileProvider = getFileProvider(path);
if (tailLines != null) {
fileProvider.tailContent(path, filename, response.getOutputStream(), tailLines);
}
else {
fileProvider.streamContent(path, filename, response.getOutputStream());
}
}
先从RequestParam获取filename参数,然后调用securityCheck进行检查,判断filename是否包含..
安全检查通过之后,将application.properties中logging.path和base拼接,返回path,base从RequestParam获取,并未经过securityCheck
然后生成fileProvider 在调用 streamContent
将path和base拼接,然后用fileinputstream打开,造成任意文件读取
想要和雨笋的大佬们一起挖漏洞吗?渗透测试课程等你来报名,趁这个暑假悄悄拔尖
渗透测试零基础公开课:https://ke.qq.com/course/3383785?quicklink=1
加v:邀请请渗透测试交流群 718860842