For more information: https://www.fracturelabs.com/posts/effective-spring4shell-scanning-exploitation/
The following commands build a deliberately vulnerable Docker image from these components:

- JDK 11.0.14
- Tomcat 9.0.60
- Spring 2.6.4

```bash
git clone https://github.com/fracturelabs/spring4shell_victim.git
cd spring4shell_victim
docker image build -t spring4shell_victim .
docker container run -it -p 8080:8080 --name spring4shell_victim --rm spring4shell_victim
```
Two routes are defined: `/spring4shell_victim` and `/spring4shell_victim/vulnerable`. You can use them to verify that your scanning tools are working properly. The default route (`/`) is intentionally not vulnerable, so that you have to think about how to configure your scanning tools to find the vulnerable endpoints.
```bash
# Host port 8080 matches the -p 8080:8080 mapping used in the docker run command above.
# This route is not vulnerable
curl -is localhost:8080/spring4shell_victim/?class.module.classLoader.URLs%5b-1%5d
# This route is vulnerable
curl -is localhost:8080/spring4shell_victim/vulnerable?class.module.classLoader.URLs%5b-1%5d
```
You can verify that your code deployed correctly by opening a shell in the container and looking in the `/usr/local/tomcat/webapps/` directory:

```bash
docker exec -it spring4shell_victim /bin/bash
```
NOTE: The PoC requests above only trigger an error that you can detect (an HTTP 500 response). They do not upload any code.
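To check that a scanner is configured to reach the right endpoints, the probe above can be sent to every route you expect the lab to expose and the responses classified by status code. The script below is an added example (not part of the spring4shell_victim repository); it assumes the container is running with the port mapping shown above, and uses only the standard library. A 500 from this harmless probe is a strong hint but not proof, so the verdict is deliberately worded as "likely".

```python
"""Send the benign Spring4Shell detection probe to lab routes and classify the result."""
import sys
import urllib.error
import urllib.request

# Same percent-encoded parameter as the curl probes: class.module.classLoader.URLs[-1]
PROBE_QUERY = "class.module.classLoader.URLs%5b-1%5d"


def build_probe_url(base_url: str, path: str) -> str:
    """Append the probe query string to base_url + path."""
    return f"{base_url.rstrip('/')}{path}?{PROBE_QUERY}"


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for a GET, treating 4xx/5xx as a result, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "spring4shell-lab-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(status: int) -> str:
    """Map a status code to a verdict. Only a 500 on this probe suggests the binding bug."""
    if status == 500:
        return "likely-vulnerable"
    if status == 404:
        return "not-found"
    return "not-vulnerable"


def scan(base_url: str, paths, fetch=http_status) -> dict:
    """Probe each path; `fetch` is injectable so the logic can be tested without a network."""
    return {path: classify(fetch(build_probe_url(base_url, path))) for path in paths}


if __name__ == "__main__":
    # Assumed default: the lab container from this README, reachable on localhost:8080.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    routes = ["/spring4shell_victim/", "/spring4shell_victim/vulnerable"]
    for route, verdict in scan(base, routes).items():
        print(f"{verdict:18} {route}")
```

Run it against the lab and you should see `not-vulnerable` for the default route and `likely-vulnerable` for `/spring4shell_victim/vulnerable`.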