springboot-heapdump: Spring Boot Actuator - Heap Dump Detection

Date: 2025-08-01 | Affected software: Spring Boot Actuator | PoC: Public

Vulnerability description

A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.

PoC code [public]

id: springboot-heapdump

info:
  name: Spring Boot Actuator - Heap Dump Detection
  author: that_juan_,dwisiswant0,wdahlenb
  severity: critical
  description: |
    A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
  reference:
    - https://github.com/pyn3rd/Spring-Boot-Vulnerability
  metadata:
    max-request: 3
  tags: springboot,exposure,misconfig,vuln
variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        GET /{{str}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /heapdump HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /actuator/heapdump HTTP/1.1
        Host: {{Hostname}}

    max-size: 2097152 # 2MB - Max Size to read from server response

    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "!contains(hex_encode(body_1), '1f8b080000000000')"
          - "contains(hex_encode(body_2), '1f8b080000000000')"
        condition: and

      - type: dsl
        dsl:
          - "!contains(hex_encode(body_1), '1f8b080000000000')"
          - "contains(hex_encode(body_3), '1f8b080000000000')"
        condition: and

      - type: dsl
        dsl:
          - "contains(hex_encode(body_2), '4a4156412050524f46494c45') || contains(hex_encode(body_2), '4850524f46')"
          - "contains(hex_encode(body_3), '4a4156412050524f46494c45') || contains(hex_encode(body_3), '4850524f46')"
        condition: or
# digest: 4b0a00483046022100e396822d2816e9b126d70aef977217ea82f948a88f6e30224d3c08c62b02d656022100c4cacff53f0a2530e8530870881bca2366151523cb65512a79494ae1951bf9d3:922c64590222798bb761d5b6d8e72950
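
Triage helper for findings from the template above, added here as an example; it is not part of the template or of the nuclei project. It confirms a match by parsing the HPROF file header (NUL-terminated version string, 4-byte identifier size, 8-byte millisecond timestamp) instead of relying on substring hits, which also fire on any gzip response or on a page that merely mentions "HPROF". Function names and sample bodies are constructed for illustration.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = bytes.fromhex("1f8b080000000000")  # gzip signature used by the template
HPROF_MAGIC = b"JAVA PROFILE "                  # 4a4156412050524f46494c45 plus a space

def parse_hprof_header(data):
    """Return the HPROF header fields, or None if data does not start with one."""
    if not data.startswith(HPROF_MAGIC):
        return None
    end = data.find(b"\x00", 0, 64)             # version string is NUL-terminated
    if end == -1 or len(data) < end + 13:
        return None
    id_size, ts_ms = struct.unpack(">IQ", data[end + 1:end + 13])
    if id_size not in (4, 8):                   # object identifiers are 4 or 8 bytes
        return None
    return {"version": data[:end].decode("ascii", "replace"),
            "id_size": id_size, "timestamp_ms": ts_ms}

def gunzip_prefix(data, limit=4096):
    """Inflate at most `limit` bytes; tolerates a body truncated by max-size."""
    try:
        return zlib.decompressobj(wbits=31).decompress(data, limit)
    except zlib.error:
        return b""

def classify(baseline, candidate):
    """Triage an endpoint body against the body returned for the random path."""
    inner = gunzip_prefix(candidate) if candidate.startswith(GZIP_MAGIC) else b""
    header = parse_hprof_header(candidate) or parse_hprof_header(inner)
    if header:
        return "heapdump", header
    gzip_hit = GZIP_MAGIC in candidate and GZIP_MAGIC not in baseline
    text_hit = b"JAVA PROFILE" in candidate or b"HPROF" in candidate
    if gzip_hit or text_hit:                    # a template matcher fires, header absent
        return "template-match-unconfirmed", None
    return "no-match", None

# Constructed sample bodies, not captured traffic.
SAMPLE_HPROF = b"JAVA PROFILE 1.0.2\x00" + struct.pack(">IQ", 8, 1754006400000) + b"\x0c" * 16
SAMPLE_GZ_HPROF = gzip.compress(SAMPLE_HPROF, mtime=0)
SAMPLE_GZ_HTML = gzip.compress(b"<html>404</html>", mtime=0)
SAMPLE_HTML = b"<html>How to read an HPROF file</html>"

if __name__ == "__main__":
    for name in ("SAMPLE_HPROF", "SAMPLE_GZ_HPROF", "SAMPLE_GZ_HTML", "SAMPLE_HTML"):
        print(name, classify(b"<html>404</html>", globals()[name]))
```

A result of "template-match-unconfirmed" marks a response that satisfies one of the template's matchers but does not begin with a valid HPROF header, so it should be reviewed before being treated as an exposed heap dump.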
