https://github.com/marschall/spring4shell-poc

https://github.com/marschall/spring4shell-poc

Last synced: 23 days ago
JSON representation

• Host: GitHub
• URL: https://github.com/marschall/spring4shell-poc
• Owner: marschall
• Archived: true
• Created: 2022-03-31T13:44:32.000Z (about 3 years ago)
• Default Branch: master
• Last Pushed: 2022-04-09T15:55:47.000Z (about 3 years ago)
• Last Synced: 2025-05-07T23:02:57.411Z (24 days ago)
• Language: Java
• Size: 66.4 KB
• Stars: 0
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        


## Insights

Parameters not annotated or annotated with `@ModelAttribute` cause the problem. Other annotated ones eg. with `@RequestBody` do not cause the problem.

org.apache.catalina.loader.WebappClassLoaderBase.getResources().getContext()

gives access to the context

Set break points in

- `org.springframework.web.bind.WebDataBinder.doBind(MutablePropertyValues)`

- `org.apache.catalina.valves.AccessLogValve.setSuffix(String)`

## Installing

    ln -s ${HOME}/git/spring4shell-poc/spring4shell-war/target/spring4shell-war-0.1.0-SNAPSHOT.war spring4shell.war

## Running

    ./catalina.sh jpda run

    mvn -am -pl spring4shell-war jetty:run

## Classloaders

- `org.jboss.modules.ModuleClassLoader`

  -> does not seem to expose anything

- `org.springframework.boot.loader.LaunchedURLClassLoader`

  -> does not seem to expose anything

- `org.eclipse.jetty.webapp.WebAppClassLoader`

  -> exposes a context as well

## Disable Tomcat JSP Support

Remove `jsp` / `org.apache.jasper.servlet.JspServlet` from `${TOMCAT_HOME}/conf/web.xml`

## Custom Valve

Add to `${TOMCAT_HOME}/conf/server.xml`

    

## Agent

    jcmd $PID JVMTI.agent_load $(pwd)/spring4shell-agent/target/spring4shell-agent-0.1.0-SNAPSHOT.jar