
GitHub - reznok/Spring4Shell-POC: Dockerized Spring4Shell (CVE-2022-22965) PoC a...

 2 years ago
source link: https://github.com/reznok/Spring4Shell-POC

Spring4Shell PoC Application

This is a dockerized application that is vulnerable to the Spring4Shell vulnerability (CVE-2022-22965). The full Java source for the WAR is provided and can be modified; the WAR is rebuilt whenever the Docker image is built, and Tomcat then loads the built WAR. There is nothing special about this application: it is a simple hello-world based on the Spring tutorials.

Details: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities

Requirements

  1. Docker
  2. Python3 + requests library

Instructions

  1. Clone the repository
  2. Build and run the container: docker build . -t spring4shell && docker run -p 8080:8080 spring4shell
  3. The app should now be available at http://localhost:8080/helloworld/greeting
  4. Run the exploit.py script: python exploit.py --url "http://localhost:8080/helloworld/greeting"
  5. Visit the created webshell! Modify the cmd GET parameter for your commands. (http://localhost:8080/shell.jsp by default)

Notes

Fixed! As of this writing, the container (possibly just Tomcat) must be restarted between exploitations. I'm actively trying to resolve this.

Re-running the exploit will create an extra artifact file of {old_filename}_.jsp.
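The two artifacts this PoC leaves behind, a dropped shell.jsp driven by a cmd GET parameter and the {old_filename}_.jsp duplicates from re-runs, are exactly what a defender can look for. The following is an added detection example, not code from this repository: it parses constructed Tomcat access-log lines (not real traffic) and a constructed file listing, assuming a known-good JSP baseline (KNOWN_JSP) that a real deployment would supply.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Tomcat's "common" access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /helloworld/greeting HTTP/1.1" 200 45
10.0.0.9 - - [31/Mar/2022:10:01:09 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 312
10.0.0.9 - - [31/Mar/2022:10:01:15 +0000] "GET /shell_.jsp?cmd=whoami HTTP/1.1" 200 300
10.0.0.5 - - [31/Mar/2022:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024
"""

# JSP file names that legitimately exist in the deployment (assumed baseline).
KNOWN_JSP = {"index.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return (ip, path, cmd) for successful hits on .jsp files outside the
    baseline, with the value of any cmd= parameter the PoC shell accepts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        parts = urlsplit(m["target"])
        name = PurePosixPath(parts.path).name
        if not name.endswith(".jsp") or name in KNOWN_JSP:
            continue
        cmd = parse_qs(parts.query).get("cmd", [None])[0]
        hits.append((m["ip"], parts.path, cmd))
    return hits


def artifact_jsps(paths):
    """Given file paths found under Tomcat's webapps root (e.g. from os.walk),
    return .jsp files not in the baseline, or the <name>_.jsp duplicates a
    repeated exploit run leaves behind."""
    flagged = []
    for path in paths:
        name = PurePosixPath(path).name
        if name.endswith(".jsp") and (name not in KNOWN_JSP or name.endswith("_.jsp")):
            flagged.append(path)
    return flagged
```

Run suspicious_requests over the real access log and artifact_jsps over a walk of the webapps directory; any hit warrants pulling the file for review.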

PRs/DMs @Rezn0k are welcome for improvements!

Credits
