Spring Cloud Gateway远程代码执行漏洞POC,基于命令执行的基础上,增加了反弹shell操作# CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE
## CVE-2022-22947简介
```
危害等级:高危
POC/EXP情况:已公开
CNVD编号:CNNVD-2022-16402
影响范围:
Spring Cloud GateWay 3.1.0
Spring Cloud GateWay >=3.0.0,<=3.0.6
Spring Cloud GateWay <3.0.0
```
## 漏洞描述
Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。
## CVE-2022-22947.py
为了方便,写了一个脚本,方便执行和反弹shell
### 执行正常命令
```
python3 CVE-2022-22947.py http://localhost:9000
```
<img width="865" alt="image" src="https://user-images.githubusercontent.com/62680449/156988608-306b9a9c-834e-494c-932a-0ea048ee0e2f.png">
<img width="865" alt="image" src="https://user-images.githubusercontent.com/62680449/156988724-cea6c22b-3669-4eae-a9c6-754753dfe06c.png">
### 反弹shell
1、首先nc开启监听
```
nc -lvvp 5000
```
<img width="730" alt="image" src="https://user-images.githubusercontent.com/62680449/156988870-510229c5-1733-45ea-96a8-ddae72d11b78.png">
2、输入shell,跳转到反弹shell操作
<img width="865" alt="image" src="https://user-images.githubusercontent.com/62680449/156988914-18b5147c-ef88-4007-a170-6d461331049d.png">
3、输入反弹shell命令即可获取shell
<img width="1238" alt="image" src="https://user-images.githubusercontent.com/62680449/156990139-dd95f2c7-5d55-45d1-b820-b64f3b98064f.png">
[4.0K] /data/pocs/53302cc9e207b818573722054481074c18fd352f
├── [3.2K] CVE-2022-22947.py
└── [1.6K] README.md
0 directories, 2 files