CVE-2022-22947加入常见目录/prod-api

Author: metaStor

README.md

@@ -58,7 +58,10 @@
 
 检测方法：
 
-* 首先随机访问一个不存在的路径，根据特征`Whitelabel Error Page`判断是否是Spring框架(1.x/2.x)；是则打POC，分五个请求：`包含恶意SpEL表达式的路由 -> 刷新路由 -> 访问添加的路由查看RCE结果 -> 删除路由 -> 刷新路由`
+* 两种方法判断是否是SpringGateway:
+* 1.随机访问一个不存在的路径，根据特征`Whitelabel Error Page`判断是否是Spring框架(1.x/2.x); 
+* 2.直接访问/actuator/gateway/routes、/prod-api/actuator/gateway/routes，根据特征`route_id`判断；
+* 3.POC分五个请求：`包含恶意SpEL表达式的路由 -> 刷新路由 -> 访问添加的路由查看RCE结果 -> 删除路由 -> 刷新路由`
 
 ## 插件情况
 

src/main/java/burp/BurpExtender.java

@@ -14,7 +14,7 @@
 public class BurpExtender implements IBurpExtender, IExtensionStateListener
 {
     private final String NAME = "SpringScan";
-    private final String VERSION = "1.6";
+    private final String VERSION = "1.7";
 
     public IBurpExtenderCallbacks callbacks;
     public IExtensionHelpers helpers;

src/main/java/burp/scan/Scanner.java

@@ -481,10 +481,18 @@ private byte[] CloudFunctionSpelPOC(IHttpRequestResponse httpRequestResponse, St
      * @return IScanIssue
      */
     private IScanIssue CloudGatewayScan(IHttpRequestResponse httpRequestResponse) {
+        boolean isProdApi = false;
         // 这里判断是否有spring 404的特征: Whitelabel Error Page
-        if (!this.isSpringFinger(httpRequestResponse, false) && !this.isSpringFinger(httpRequestResponse, true)) return null;
+        if (!this.isSpringFinger(httpRequestResponse, false) && !this.isSpringFinger(httpRequestResponse, true)) {
+            // 无spring 404特征的情况下判断是否有routes
+            if (this.isSpringGatewayFinger(httpRequestResponse, true)) {
+                isProdApi = true;
+            } else if (!this.isSpringGatewayFinger(httpRequestResponse, false)){
+                return null;
+            }
+        }
         URL url = this.helpers.analyzeRequest(httpRequestResponse).getUrl();
-        String uri = Utils.getUri(url.toString());
+        String uri = Utils.getUri(url.toString()) + (isProdApi ? "prod-api/" : "");
         String random_uri = Utils.randomStr(5);
         if (this.CloudGatewayRegisterRoute(httpRequestResponse, uri, random_uri, "whoami")) {
             if (this.CloudGatewayRefresh(httpRequestResponse, uri)) {
@@ -684,6 +692,54 @@ private boolean isSpringFinger(IHttpRequestResponse httpRequestResponse, boolean
         return false;
     }
 
+    /**
+     *
+     * SpringGateway
+     * 访问/actuator/gateway/routes、/prod-api/actuator/gateway/routes
+     * 判断响应内容是否有SpringGateway特征: route_id
+     *
+     * @param httpRequestResponse
+     * @return
+     */
+    private boolean isSpringGatewayFinger(IHttpRequestResponse httpRequestResponse, boolean isProdApi) {
+        try {
+            IRequestInfo requestInfo = this.helpers.analyzeRequest(httpRequestResponse);
+            IHttpService service = httpRequestResponse.getHttpService();
+            String url = Utils.getUri(requestInfo.getUrl().toString());
+            if (isProdApi) {
+                url = url + "prod-api/actuator/gateway/routes";
+            } else {
+                url = url + "actuator/gateway/routes";
+            }
+            byte[] newRequest = this.helpers.buildHttpRequest(new URL(service.getProtocol(), service.getHost(), service.getPort(), url));
+            requestInfo = this.helpers.analyzeRequest(service, newRequest);  // 重新打包好新的uri请求
+            // header中Accpet: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+            List<String> headers = requestInfo.getHeaders();
+            for (String header: headers) {
+                if (header.startsWith("Accept")) {  // 坑点: 带冒号匹配会报错
+                    headers.remove(header);
+                    headers.add("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8");
+                    break;
+                }
+            }
+            // 截取新请求, buildHttpRequest()之后会包含原本的GET请求内容和自定义构造的headers内容, 所以要截取
+            IRequestInfo requestInfo1 = this.helpers.analyzeRequest(service, newRequest);
+            newRequest = new String(newRequest).substring(requestInfo1.getBodyOffset()).getBytes();
+            // 组装请求
+            newRequest = this.helpers.buildHttpMessage(headers, newRequest);
+            IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(httpRequestResponse.getHttpService(), newRequest);
+            String body = new String(requestResponse.getResponse()).substring(this.helpers.analyzeResponse(requestResponse.getResponse()).getBodyOffset()).toLowerCase();
+            if (body.contains("route_id")) {
+                this.burpExtender.stdout.println("[*] Detect SpringGateway Finger: " + url);
+                return true;
+            }
+        } catch (MalformedURLException e) {
+            e.printStackTrace();
+            this.burpExtender.stderr.println(e.getMessage());
+        }
+        return false;
+    }
+
     /**
      * 随机Agent头
      * 先将原来的Agent删掉，再添加随机Agent

src/main/java/burp/util/Utils.java

@@ -93,7 +93,8 @@ public static String getUriExt(String url) {
      */
     public static String getUri(String url) {
         url = url.replace("https://", "").replace("http://", "");  // 截去http://或https://
-        String pureUrl = url.substring(0, url.contains("?") ? url.indexOf("?") : url.length());  // 排除参数和锚点
+        String pureUrl = url.substring(0, url.contains("#") ? url.indexOf("#") : url.length());  // 排除锚点
+        pureUrl = pureUrl.substring(0, pureUrl.contains("?") ? pureUrl.indexOf("?") : pureUrl.length());  // 排除参数
         pureUrl = pureUrl.substring(pureUrl.contains("/") ? pureUrl.indexOf("/") : pureUrl.length(), pureUrl.contains("/") ? pureUrl.lastIndexOf("/") : pureUrl.length());  // 取最后一个/之前的uri
         return pureUrl + "/";
     }

src/test/java/Test.java

@@ -1,3 +1,5 @@
+import burp.util.Utils;
+
 /**
  * @author : metaStor
  * @date : Created 2022/4/6 10:05 PM
@@ -6,12 +8,13 @@
 public class Test {
 
     public static void main(String[] args) throws InterruptedException {
-        String url = String.valueOf("http://localhost:8088/x?test=1").split("\\?")[0];  // 获取?之前的url
-        String url2 = String.valueOf("http://localhost:8080/").split("\\?")[0];  // 获取?之前的url
-        System.out.println(url);
-        System.out.println(url2);
-        String root = "u3yffici9aabcqyfm0gv616ih9nzbo.burpcollaborator.net";
-        String test = "12345." + root;
-        System.out.println(test.split("\\." + root)[0]);
+//        String url = String.valueOf("http://localhost:8088/x?test=1").split("\\?")[0];  // 获取?之前的url
+//        String url2 = String.valueOf("http://localhost:8080/").split("\\?")[0];  // 获取?之前的url
+//        System.out.println(url);
+//        System.out.println(url2);
+//        String root = "u3yffici9aabcqyfm0gv616ih9nzbo.burpcollaborator.net";
+//        String test = "12345." + root;
+//        System.out.println(test.split("\\." + root)[0]);
+        System.out.println(Utils.getUri("http://218.203.103.138:9110/#/login?redirect=%2F"));
     }
 }