Exploit a Spring application vulnerable to the Spring4Shell vulnerability. Read more about Spring4Shell on our blog.
Requirements: Docker and docker-compose
$ ./exploit.sh
The vulnerable Spring application contains a GET and POST request handler for /helloworld/greeting. The exploit.sh script starts the app container running Tomcat 9.0 with the application packaged as a WAR and uses curl to write a webshell to http://localhost:8080/shell.jsp. The shell is used to grab the flag present at /flag inside the container's filesystem.
CVE-2022-22965, with a CVSS score of 9.8, has been assigned to the vulnerability in Spring Core allowing Remote Code Execution. The exploit is easy to achieve, hence the high CVSS score. Prerequisites for the exploit are:
- JDK version 9+
- Application built on Spring or derived frameworks
- Running Tomcat with WAR deployment
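On the detection side, the following added example (not part of the original repository) checks requests to the /helloworld/greeting handler for parameter names that match the field patterns from the Spring team's setDisallowedFields workaround for this CVE. The sample requests, the function names and the case-insensitive matching are assumptions made for this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlsplit

# Field patterns from the Spring team's suggested setDisallowedFields workaround.
DISALLOWED = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def suspicious_params(encoded):
    """Return parameter names in a urlencoded string that match the denylist."""
    hits = []
    # parse_qsl percent-decodes names once, so "%2E" is seen as "."
    for name, _ in parse_qsl(encoded, keep_blank_values=True):
        lowered = name.lower()  # assumption: match case-insensitively to be conservative
        if any(fnmatchcase(lowered, p.lower()) for p in DISALLOWED):
            hits.append(name)
    return hits


def inspect_request(method, target, body=""):
    """Check the query string, and for POST the form body, of one request."""
    parts = urlsplit(target)
    hits = suspicious_params(parts.query)
    if method.upper() == "POST":
        hits += suspicious_params(body)
    return {"path": parts.path, "hits": hits}


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/helloworld/greeting?name=World", ""),
    ("POST", "/helloworld/greeting", "name=x&class.example.property=1"),
    ("GET", "/helloworld/greeting?greeting.Class%2Eexample=1", ""),
    ("POST", "/helloworld/greeting", "classification=public"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        result = inspect_request(method, target, body)
        verdict = "ALERT" if result["hits"] else "ok"
        print(verdict, method, result["path"], result["hits"])
```

A request for /shell.jsp on a deployment that ships no such file is a second signal worth alerting on, since that is where the script in this repository writes its webshell.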
- Spring Blog Early Announcement
- Lunasec blog
- English translation of Chinese researcher's original report
Based on the exploit and application by reznok.