渗透干货分享：spring-boot-actuator-logview 文件包含漏洞复现

雨笋教育小编又来分享干货了，常见文件包含漏洞复现分析：

前言

日常搬砖过程中在github发现的一个CVE，https://github.com/ARPSyndicate/kenzer-templates/blob/1f1dd550ddbde72cbe378452973b93b3e62003f5/jaeles/cvescan/medium/CVE-2021-21234.yam 看着带了springboot就分析了下

环境搭建

git clone https://github.com/cristianeph/vulnerability-actuator-log-viewer

启动之后访问 //localhost:8887/manage/log/

漏洞复现分析

根据springboot启动日志发现/log/view 对应的方法为eu.hinsch.spring.boot.actuator.logview.LogViewEndpoint.view

对应代码

@RequestMapping("/view")

public void view(@RequestParam String filename,

@RequestParam(required = false) String base,

@RequestParam(required = false) Integer tailLines,

HttpServletResponse response) throws IOException {

securityCheck(filename);

response.setContentType(MediaType.TEXT_PLAIN_VALUE);

Path path = loggingPath(base);

FileProvider fileProvider = getFileProvider(path);

if (tailLines != null) {

fileProvider.tailContent(path, filename, response.getOutputStream(), tailLines);

}

else {

fileProvider.streamContent(path, filename, response.getOutputStream());

}

}

先从RequestParam获取filename参数，然后调用securityCheck进行检查，判断filename是否包含..

安全检查通过之后，将application.properties中logging.path和base拼接，返回path，base从RequestParam获取，并未经过securityCheck

然后生成fileProvider 在调用 streamContent

将path和base拼接，然后用fileinputstream打开，造成任意文件读取