# Routing abuse

## Exposing routes

Exposing a Spring application's endpoints and parameter information is not a vulnerability in itself, but it helps in understanding the application. It is also useful when checking for access control vulnerabilities and similar issues.

Check the following routes to see whether the application exposes path and parameter information:

Also check the following Spring Boot Actuator routes, which can expose endpoint addresses (but not parameter information):

References:

* [Spring Boot Vulnerability Exploit Check List: Leakage of routing address and interface call details](https://github.com/LandGrey/SpringBootVulExploit#0x01%E8%B7%AF%E7%94%B1%E5%9C%B0%E5%9D%80%E5%8F%8A%E6%8E%A5%E5%8F%A3%E8%B0%83%E7%94%A8%E8%AF%A6%E6%83%85%E6%B3%84%E6%BC%8F)

## Path traversal with /..;/

Spring Boot > 2.2.6 treats `https://website.com/allowed/..;/internal` the same as `https://website.com/allowed/../internal`.

This can lead to inconsistencies between Spring and the middleware in front of it. For example, if the application is deployed behind nginx, you can bypass restrictions on allowed paths. Suppose nginx forwards all requests to `/allowed/` to the application and rejects everything else. In that case a request to `/allowed/../internal` is blocked, but `/allowed/..;/internal` is not: nginx passes it through unchanged to the application, where it hits `/internal`.

References:

* [@0xsapra tweet](https://mobile.twitter.com/0xsapra/status/1468551562712682499)

## useSuffixPatternMatch misconfiguration

Spring Framework versions < 5.3 have a setting called [useSuffixPatternMatch](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/PathMatchConfigurer.html) (deprecated in 5.2.4). It enables suffix pattern matching and is set to `true` by default. This means that a method mapped to `/adminURL` also matches `/adminURL[.].*`. As a result, this can lead to a URL filter bypass that allows access to restricted areas.

![](https://2241975275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7lonY2zgW7DNoIQMqYtw%2Fuploads%2Fgit-blob-0452c933cdd8f300f958b1637e95063e341a96b1%2Fspring-auth-bypass-with-useSuffixPatternMatch.png?alt=media)

References:

* [@ptswarm tweet](https://twitter.com/ptswarm/status/1631287479604060161)
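The two mismatches described above (the `/..;/` handling behind a proxy and the suffix pattern match) can be modelled so that a filter or proxy rule is tested against them before deployment. The following is an added example, not code from the original page or from Spring or nginx; the two normalisation functions imitate the behaviour the text describes and are an assumption, not the real parsers.

```python
"""Model of the two path normalisations discussed above (constructed
example, not Spring's or nginx's own code): a proxy-style view that
resolves dot segments but not ';' path parameters, and a Spring-style
view that strips ';...' from each segment before resolving dots."""
from typing import List


def _resolve_dots(segments: List[str]) -> List[str]:
    """Remove '.' and '..' segments the way a URL normaliser does."""
    out: List[str] = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return out


def proxy_view(path: str) -> str:
    """Proxy-style normalisation: '..' is resolved, but '..;' is an
    ordinary segment, so '/allowed/..;/internal' stays under /allowed/."""
    return "/" + "/".join(_resolve_dots(path.split("/")[1:]))


def spring_view(path: str) -> str:
    """Backend-style normalisation: drop ';param' from every segment
    (turning '..;' into '..'), then resolve dot segments."""
    stripped = [seg.split(";", 1)[0] for seg in path.split("/")[1:]]
    return "/" + "/".join(_resolve_dots(stripped))


def proxy_and_backend_disagree(path: str, allowed_prefix: str = "/allowed/") -> bool:
    """True when the proxy would forward the request (its view is inside
    the allow-listed prefix) but the backend would route it elsewhere.
    A proxy or WAF rule should decide on the backend's view, not its own."""
    return (proxy_view(path).startswith(allowed_prefix)
            and not spring_view(path).startswith(allowed_prefix))


def suffix_pattern_matches(mapping: str, path: str) -> bool:
    """Spring < 5.3 default (useSuffixPatternMatch=true): a handler mapped
    to '/adminURL' also answers '/adminURL.<anything>', so a filter that
    compares the raw path against '/adminURL' misses '/adminURL.json'."""
    return path == mapping or path.startswith(mapping + ".")


def filter_blocks_admin(path: str, restricted: str = "/adminURL") -> bool:
    """Hardened filter: decide on the path Spring would actually match,
    treating a suffix variant of the restricted mapping as the mapping."""
    return suffix_pattern_matches(restricted, spring_view(path))
```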


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.cdxiaodong.life/kuang-jia-an-quan/spring/routing-abuse.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
