CVE-2022-22947 PoC — VMware Spring Cloud Gateway Code Injection Vulnerability

Source
Associated Vulnerability
Title: VMware Spring Cloud Gateway Code Injection Vulnerability (CVE-2022-22947)
Description: In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Description
A comprehensive exploitation tool for Spring vulnerabilities. The tool currently supports detection and exploitation of Spring Cloud Gateway RCE (CVE-2022-22947) and Spring Framework RCE (CVE-2022-22965).
Readme
# SpringExploitGUI_v1.0

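### 0x01 Preface

Today I reproduced several older Spring vulnerabilities and weaponized them while I was at it. The tool currently supports detection and exploitation of Spring Cloud Gateway RCE (CVE-2022-22947), Spring Cloud Function SpEL RCE (CVE-2022-22963), and Spring Framework RCE (CVE-2022-22965). This is only the first version; more vulnerability PoCs and more persistence-oriented exploitation methods will be added later.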



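### 0x02 Tool Usage

**Single-target detection && batch detection**

The tool supports checking a single target for a single vulnerability, and also supports checking multiple targets.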

![image-20240206162527190](./typora-img/README/image-20240206162527190.png)

![image-20240206163950156](./typora-img/README/image-20240206163950156.png)

![image-20240206162356049](./typora-img/README/image-20240206162356049.png)

**Exploitation**

Spring Cloud Gateway RCE (CVE-2022-22947) currently supports command execution, one-click reverse shell, and Godzilla memory shell injection.

![image-20240206163122582](./typora-img/README/image-20240206163122582.png)

![image-20240206163709925](./typora-img/README/image-20240206163709925.png)

Spring Cloud Function SpEL RCE (CVE-2022-22963) currently supports one-click reverse shell.

![image-20240206164053611](./typora-img/README/image-20240206164053611.png)



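Spring Framework RCE (CVE-2022-22965) currently supports command execution, implemented by writing a webshell. Other exploitation methods, such as writing an SSH public key or scheduled tasks, will be implemented later.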

![image-20240206162225924](./typora-img/README/image-20240206162225924.png)



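### 0x03 Disclaimer

This open-source tool is released by the author under an open-source license and is intended for personal study and research only. The author bears no legal responsibility for any consequences arising from your use of this tool.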

![gzh](./typora-img/README/gzh.png)
File Snapshot

[4.0K] /data/pocs/7a45aa6430050edf149685695b34438604d9b4dc
├── [1.6K] README.md
└── [4.0K] typora-img
    └── [4.0K] README
        ├── [ 59K] gzh.png
        ├── [ 30K] image-20240206162225924.png
        ├── [ 24K] image-20240206162356049.png
        ├── [ 29K] image-20240206162527190.png
        ├── [ 35K] image-20240206163122582.png
        ├── [ 80K] image-20240206163709925.png
        ├── [ 25K] image-20240206163950156.png
        └── [ 37K] image-20240206164053611.png

2 directories, 9 files