One, Spring Boot
In day-to-day testing and penetration testing, vulnerabilities such as Shiro and Fastjson are seen less and less often. With the widespread adoption of the Spring Boot framework, however, the security issues it brings are increasing. This article covers only unauthorized access to the heapdump file, used to obtain database passwords and thereby connect to the database. For other Spring Boot security issues, see https://xz.aliyun.com/t/7811
A Heap Dump, also called a heap dump file, is a memory snapshot of a Java process at a certain point in time. Heap dumps come in several formats, but in general a heap dump records the Java objects and classes present when the snapshot is taken. Usually a full GC is triggered before the file is written, so the dump contains the objects that survive the full GC. For more details, see: https://blog.csdn.net/hehmxy/article/details/89114116
Two, unauthorized access
The security issues caused by unauthorized access to Spring Boot endpoints are still quite serious; issues such as env leakage can even lead to RCE.
During a test, it was found that the heapdump file could be downloaded while scanning directories. Analyzing the heapdump file with the MAT tool yields sensitive information stored in memory.
[Screenshot: requesting the file triggers a download]
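As an added example (not from the original post), the following Python script flags requests for the heapdump endpoint in web server access logs, so a defender can tell whether the endpoint was only probed or actually downloaded. It assumes the Nginx/Apache "combined" log format and the default endpoint locations (/heapdump for Spring Boot 1.x, /actuator/heapdump for 2.x); the log lines are constructed for the demo.

```python
"""Flag requests for a Spring Boot heap dump in web server access logs.

Added example, not from the original post. Assumes the Nginx/Apache
"combined" log format; the sample log lines below are constructed.
"""
import re
from typing import Dict, List

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Spring Boot 1.x serves actuator endpoints at the root (/heapdump);
# 2.x serves them under the management base path (/actuator/heapdump by default).
HEAPDUMP_RE = re.compile(r'^(?:/actuator)?/heapdump(?:[/?;].*)?$', re.IGNORECASE)

# Constructed sample log: one real download, one 1.x-style probe, one blocked probe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "GET /actuator/heapdump HTTP/1.1" 200 83886080 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:01:03 +0000] "GET /heapdump HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:02:11 +0000] "GET /Actuator/HeapDump?x=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.28"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into a dict; empty dict if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    rec["size"] = "0" if rec["size"] == "-" else rec["size"]
    return rec


def find_heapdump_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every request aimed at the heapdump endpoint, in log order.

    A 2xx status means the dump was served ("downloaded"); anything else is a "probed"
    attempt that still deserves attention because it shows someone looking for it.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not HEAPDUMP_RE.match(rec["path"]):
            continue
        status = int(rec["status"])
        rec["verdict"] = "downloaded" if 200 <= status < 300 else "probed"
        findings.append(rec)
    return findings


def downloaded_from(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated list of client IPs that actually received a heap dump."""
    return sorted({f["ip"] for f in findings if f["verdict"] == "downloaded"})


if __name__ == "__main__":
    for f in find_heapdump_requests(SAMPLE_LOG):
        print(f"{f['verdict']:<10} {f['ip']:<15} {f['status']} {f['size']:>10} {f['path']}")
    print("downloaded by:", downloaded_from(find_heapdump_requests(SAMPLE_LOG)))
```

The size field is the quickest confirmation of a real download: a served heap dump is tens or hundreds of megabytes, whereas a 401/404 response is a few bytes. Feeding the script a real log means reading the file in place of SAMPLE_LOG; the regexes stay the same for Apache and Nginx default combined logs.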
Three, related tools and syntax
Eclipse Memory Analyzer (MAT) is a fast, feature-rich Java heap analyzer that can be used to find memory leaks and reduce memory consumption.
Download link: https://www.eclipse.org/mat/
Four, OQL
OQL is a SQL-like query language for querying the Java heap. It allows information obtained from the heap to be filtered and selected. Although HAT already supports predefined queries, such as "show all instances of class X", OQL adds more flexibility. OQL is based on the JavaScript expression language.
Five, analyzing heapdump
Drag the heapdump file into MAT; once the file has been parsed it should look like this
One pitfall to watch for: it is recommended to extract the dump file into a directory of its own, because MAT writes its generated index files next to the dump, and otherwise that directory fills up with a pile of files.
Use the OQL button here to run queries
Syntax:
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
or, with "password" replaced by the keyword of the attribute to search for:
For 1.x:
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("keyword to query the attribute"))
For 2.x:
select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))
In this way the database account and password held in the memory file can be queried, and if the database IP is reachable externally it can be used.
Some tools on GitHub already support extracting Shiro keys from a heapdump, so the details in this article are kept brief.
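To close, an added example (not part of the original article and not Spring Boot's own code) in Python: it audits application.properties for the settings that make the heapdump endpoint reachable without authentication, and shows a weak and a hardened configuration for both Spring Boot 1.x and 2.x. The four configurations are constructed; the property names are the real actuator settings for the respective major version.

```python
"""Audit Spring Boot actuator properties for an exposed heap dump endpoint.

Added example, not from the original article. The property names are the
Spring Boot 1.x and 2.x actuator settings; the configs below are constructed.
"""
from typing import Dict, List, Optional

# Constructed 2.x config: exposes every actuator endpoint over HTTP, heapdump included.
WEAK_2X = """
management.endpoints.web.exposure.include=*
"""

# Constructed 2.x config: only health/info exposed, and heapdump switched off outright.
HARDENED_2X = """
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
"""

# Constructed 1.x config: disabling management security removes the auth requirement
# on 'sensitive' endpoints such as /heapdump.
WEAK_1X = """
management.security.enabled=false
"""

# Constructed 1.x config: security stays on and heapdump is disabled.
HARDENED_1X = """
management.security.enabled=true
endpoints.heapdump.enabled=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value lines, '#'/'!' comments, blanks ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _is_false(value: Optional[str]) -> bool:
    return value is not None and value.lower() == "false"


def heapdump_findings(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing in these properties
    exposes the heapdump endpoint without authentication."""
    findings: List[str] = []

    # 2.x: heapdump is enabled by default but only reachable over HTTP once it (or '*')
    # is in the web exposure list and it has not been disabled explicitly.
    include = {
        e.strip().lower()
        for e in props.get("management.endpoints.web.exposure.include", "").split(",")
        if e.strip()
    }
    if ("*" in include or "heapdump" in include) and not _is_false(
        props.get("management.endpoint.heapdump.enabled")
    ):
        findings.append("2.x: heapdump is in management.endpoints.web.exposure.include and not disabled")

    # 1.x: heapdump is a 'sensitive' endpoint at the root; with management security off,
    # or the endpoint marked non-sensitive, it needs no authentication.
    if _is_false(props.get("management.security.enabled")) and not _is_false(
        props.get("endpoints.heapdump.enabled")
    ):
        findings.append("1.x: management.security.enabled=false leaves /heapdump reachable without auth")
    if _is_false(props.get("endpoints.heapdump.sensitive")) and not _is_false(
        props.get("endpoints.heapdump.enabled")
    ):
        findings.append("1.x: endpoints.heapdump.sensitive=false marks /heapdump as non-sensitive")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak 2.x", WEAK_2X), ("hardened 2.x", HARDENED_2X),
                      ("weak 1.x", WEAK_1X), ("hardened 1.x", HARDENED_1X)]:
        print(name, "->", heapdump_findings(parse_properties(cfg)) or "ok")
```

The audit only reads explicit settings, so a configuration that inherits the defaults reports nothing; that is the safe case for heapdump in 2.x (not exposed over the web unless listed) and in 1.x (sensitive, and protected while management security is on). Putting the actuator behind authentication or a separate management port is the complement to these settings, not a replacement for disabling an endpoint nobody needs.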