In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. more details can be found in the CVE-2022-22963 Detail.
Based on the PoC provided by AayushmanThapaMagar, I am creating a simple exploit of this vulnerability to get a reverse shell from the vulnerable server.
The porpuse of this project is to make it easier to test the vulnerability and to learn how to exploit it. I will add more details about the reason behind this vulnerability later.
To run this exploit, you only need docker.
Clone the repository and run the following command:
docker-compose up -d
This will start two containers, one with the vulnerable server and the other with the attacker machine.
Now you can run the exploit:
In Linux, you can run the exploit with the following command:
./run.sh
Note: you may need sudo to run the commands above.
........
To stop the containers, run the following command:
docker-compose down