
Title: Notes from a real-world engagement against a BC (gambling) site


First encounter with difficulties

When I came across a BC (gambling) site, I tried to hit the main site first. I began by scanning its directories to see whether I could find an admin backend or similar; I used dirsearch here. Unfortunately there was no valuable directory, and I could not even find the admin backend, but this was expected: most gambling sites have their protection done well.

Next I tried registering an account and having a look. I tried injection and found that the encryption could not be reversed, so I could only give up for the moment. After registration I found an upload interface. From the upload it turned out that files were stored under an id, so an upload vulnerability could not be produced.

Since nothing could be obtained from this website, I changed my approach and tried to penetrate the whole IP. First I scanned all ports of this IP to gather more complete information. Two web pages were obtained. One was RocketMQ; the vulnerability in this latest version had already been disclosed, so I tried it. I found the tool and tried to attack, but the command failed to execute. There was another login interface, where the Shiro framework was found. I attempted to brute-force it, but no secret key was found.

A turn for the better

Breakthrough point: it had a port 8888, and accessing it redirected to an illegal IP. Looking at it in Burp, I found that it visited the login page and then redirected. Frowning, I realised things were not so simple. Adding a little to the path after the IP caused it to report an error, which revealed that it was using the Spring framework.

Actuator is a functional module provided by Spring Boot for introspection and monitoring of an application. With Actuator, developers can easily view and collect monitoring indicators of the application. The core of Actuator is the Endpoint, which is used to monitor and interact with the application. spring-boot-actuator already ships many built-in Endpoints (health, info, beans, metrics, httptrace, shutdown, etc.) and also allows us to add our own. Each Endpoint can be enabled or disabled. To be accessed remotely, an Endpoint must also be exposed via JMX or HTTP, and most applications choose HTTP. The built-in endpoints and their functions:

/auditevents: displays audit event information for the current application
/beans: displays the complete list of all Spring beans in the application
/conditions: displays the status of configuration and auto-configuration classes and the reasons why they were or were not applied
/configprops: displays a collated list of all @ConfigurationProperties
/env: displays properties from Spring's ConfigurableEnvironment
/flyway: displays any Flyway database migrations that have been applied (if present)
/health: displays the application's health information (a simple status over an unauthenticated connection, full details over an authenticated one)
/info: displays arbitrary application information
/liquibase: displays any Liquibase database migrations that have been applied (if present)
/metrics: displays the current application's metrics information
/mappings: displays a list of all @RequestMapping paths
/scheduledtasks: displays the scheduled tasks in the application
/sessions: allows user sessions to be retrieved and deleted from a Spring Session-backed session store
/shutdown: allows the application to be shut down gracefully (not enabled by default)
/threaddump: performs a thread dump
/heapdump: returns a GZip-compressed hprof heap dump file
/jolokia: exposes JMX beans over HTTP (when Jolokia is on the classpath; not available for WebFlux)
/logfile: returns the contents of the log file (if the logging.file or logging.path property is set), and supports HTTP Range headers to retrieve part of the log file's content
/prometheus: displays metrics information in a format that can be scraped by a Prometheus server

Directory scanning was done directly with the directory list collected for Spring:

actuator

actuator/auditLog

actuator/auditevents

actuator/autoconfig

actuator/beans

actuator/caches

actuator/conditions

actuator/configurationMetadata

actuator/configprops

actuator/dump

actuator/env

actuator/events

actuator/exportRegisteredServices

actuator/features

actuator/flyway

actuator/health

actuator/heapdump

actuator/healthcheck

actuator/heapdump

actuator/httptrace

actuator/hystrix.stream

actuator/info

actuator/integrationgraph

actuator/jolokia

actuator/logfile

actuator/loggers

actuator/loggingConfig

actuator/liquibase

actuator/metrics

actuator/mappings

actuator/scheduledtasks

actuator/swagger-ui.html

actuator/prometheus

actuator/refresh

actuator/registeredServices

actuator/releaseAttributes

actuator/resolveAttributes

actuator/scheduledtasks

actuator/sessions

actuator/springWebflow

actuator/shutdown

actuator/sso

actuator/ssoSessions

actuator/statistics

actuator/status

actuator/threaddump

actuator/trace

auditivets

autoconfig

api.html

api/index.html

api/swagger-ui.html

api/v2/api-docs

api-docs

beans

caches

cloudfoundryapplication

conditions

configprops

distv2/index.html

docs

druid/index.html

druid/login.html

druid/websession.html

dubbo-provider/distv2/index.html

dump

entity/all

env

env/(name)

eureka

flyway

gateway/actuator

gateway/actuator/auditevents

gateway/actuator/beans

gateway/actuator/conditions

gateway/actuator/configprops

gateway/actuator/env

gateway/actuator/health

gateway/actuator/heapdump

gateway/actuator/httptrace

gateway/actuator/hystrix.stream

gateway/actuator/info

gateway/actuator/jolokia

gateway/actuator/logfile

gateway/actuator/loggers

gateway/actuator/mappings

gateway/actuator/metrics

gateway/actuator/scheduledtasks

gateway/actuator/swagger-ui.html

gateway/actuator/threaddump

gateway/actuator/trace

health

heapdump

heapdump.json

httptrace

hystrix

hystrix.stream

info

integrationgraph

jolokia

jolokia/list

liquibase

list

logfile

loggers

liquibase

metrics

mappings

Monitor

prometheus

Refresh

scheduledtasks

sessions

shutdown

spring-security-oauth-resource/swagger-ui.html

spring-security-rest/api/swagger-ui.html

static/swagger.json

sw/swagger-ui.html

swagger

swagger/codes

swagger/index.html

swagger/static/index.html

swagger/swagger-ui.html

swagger-dubbo/api-docs

swagger-ui

swagger-ui.html

swagger-ui/html

swagger-ui/index.html

system/druid/index.html

threaddump

template/swagger-ui.html

trace

user/swagger-ui.html

Version

v1.1/swagger-ui.html

v1.2/swagger-ui.html

v1.3/swagger-ui.html

v1.4/swagger-ui.html

v1.5/swagger-ui.html

v1.6/swagger-ui.html

v1.7/swagger-ui.html

/v1.8/swagger-ui.html

/v1.9/swagger-ui.html

/v2.0/swagger-ui.html

v2.1/swagger-ui.html

v2.2/swagger-ui.html

v2.3/swagger-ui.html

v2/swagger.json

webpage/system/druid/index.html

%20/swagger-ui.html

I started scanning and found that heapdump existed, so I downloaded it. A heap dump, also called a heap dump file, is a memory snapshot of a Java process at a certain point in time. A leaked heapdump file can be analysed with the Eclipse Memory Analyzer tool to find plaintext password information loaded into memory, such as the Redis password or the MySQL database account and password. Here I used master whwlsfb's JDumpSpider:

https://github.com/whwlsfb/JDumpSpider

I successfully obtained Shiro's key, injected an in-memory webshell, and obtained administrator privileges.

Reprinted from the original link address: https://mp.weixin.qq.com/s/-ZdaVuqVmsw9PCHYDYuABA
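The whole chain above started with an Actuator that exposed heapdump over HTTP. Whether an endpoint is reachable is decided by Spring Boot's exposure and enablement properties, so a defender can audit those before a scanner does. The script below is an added example, not code from the original post or from Spring; it models the Spring Boot 2.x exposure rules (include/exclude, `*` wildcard, per-endpoint enabled switch, shutdown off by default) and the two sample properties files are constructed for illustration.

```python
"""Audit a Spring Boot application.properties for risky Actuator exposure.
Added example, not from the original post. Models Spring Boot 2.x rules: an
endpoint is reachable over HTTP only if it is enabled AND listed in
management.endpoints.web.exposure.include and not in ...exclude ('*' = all).
SENSITIVE holds endpoints whose exposure leaks secrets or allows control;
the post used heapdump to recover credentials and the Shiro key."""
SENSITIVE = {"heapdump", "env", "jolokia", "shutdown", "threaddump", "logfile",
             "httptrace", "configprops", "beans", "mappings", "sessions", "loggers"}
ALL_ENDPOINTS = SENSITIVE | {"health", "info", "metrics", "prometheus", "auditevents",
                             "conditions", "flyway", "liquibase", "scheduledtasks"}


def parse_properties(text):
    # Minimal .properties parser: key=value lines, '#'/'!' comments, no escapes.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_endpoints(props):
    # Assumption: default web exposure is 'health' (older 2.x also exposed info).
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = ALL_ENDPOINTS if "*" in include else include & ALL_ENDPOINTS
    exposed = set() if "*" in exclude else exposed - exclude
    enabled = set()
    for ep in exposed:
        # shutdown is off unless switched on explicitly; the rest follow enabled-by-default.
        default = "false" if ep == "shutdown" else props.get(
            "management.endpoints.enabled-by-default", "true")
        if props.get(f"management.endpoint.{ep}.enabled", default).lower() == "true":
            enabled.add(ep)
    return enabled


def findings(props):
    out = [f"exposed sensitive endpoint: {ep}"
           for ep in sorted(exposed_endpoints(props) & SENSITIVE)]
    if props.get("management.endpoint.health.show-details", "never") == "always":
        out.append("health details shown to unauthenticated clients")
    return out


# Constructed sample configs: WEAK mirrors an expose-everything deployment,
# HARDENED exposes only health/info and shows health details when authorized.
WEAK = """management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always"""
HARDENED = """management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,jolokia
management.endpoint.health.show-details=when-authorized"""
```

Run `findings(parse_properties(WEAK))` against your own application.properties text to list which sensitive endpoints would answer an unauthenticated scan like the one in the post.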
