Related vulnerability
Title:
Spring Framework code injection vulnerability
(CVE-2022-22965)
Description: Spring Framework is an open-source Java / Java EE application framework from the US-based Spring team that helps developers build high-quality applications. Spring Framework contains a code injection vulnerability: remote code execution through data binding when the application runs on JDK 9+. Affected versions: 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and older, unsupported releases.
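As an added detection example (not part of this repository or its exploit scripts): the Python script below parses Tomcat access log lines and flags requests whose query-string parameter names carry a Spring bean property path that walks from the bound object's `class` property into the class loader, the public indicator for the data-binding abuse described above. The log lines are constructed samples, and the indicator regex and the field names in the sample payloads are assumptions taken from public advisories rather than from this repository.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator for CVE-2022-22965 payloads: a bean property path that reaches the
# ClassLoader via the bound object's `class` property. Assumption drawn from
# public advisories, not from this repository: matches `class.module.classLoader`
# (JDK 9+) and the older `class.classLoader` spelling, in any capitalisation,
# either at the start of a parameter name or after a nested-property separator.
SUSPICIOUS_PROPERTY_PATH = re.compile(
    r"(?:^|[.\[])class\.(?:module\.)?classloader", re.IGNORECASE
)

# Tomcat "common" access log format:
#   client ident user [timestamp] "method target protocol" status bytes
ACCESS_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): one benign request, three
# requests carrying the class-loader property path (plain, percent-encoded, and
# the older spelling), and one benign request whose *value* merely contains
# the text "class.module".
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [04/Apr/2022:10:21:03 +0000] "GET /helloworld/greeting?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [04/Apr/2022:10:21:07 +0000] "POST /helloworld/greeting?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc%7Di HTTP/1.1" 200 512
10.0.0.9 - - [04/Apr/2022:10:21:08 +0000] "GET /helloworld/greeting?Class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512
10.0.0.9 - - [04/Apr/2022:10:21:09 +0000] "GET /helloworld/greeting?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512
10.0.0.7 - - [04/Apr/2022:10:22:11 +0000] "GET /helloworld/greeting?name=class.module&x=1 HTTP/1.1" 200 512
"""


def suspicious_params(target: str) -> list[str]:
    """Return the decoded parameter names in a request target whose property
    path reaches the class loader. Only names are inspected: the data binder
    keys off the parameter name, so the value does not decide whether the
    property path is walked."""
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again to catch
        # double encoding such as %252E standing in for a dot.
        candidate = unquote_plus(name)
        if SUSPICIOUS_PROPERTY_PATH.search(candidate):
            hits.append(candidate)
    return hits


def scan_access_log(text: str) -> list[dict]:
    """Parse access log lines and report every request with a suspicious
    parameter name, keeping enough context (client, time, path) to pivot on."""
    findings = []
    for line in text.splitlines():
        match = ACCESS_LOG_LINE.match(line)
        if not match:
            continue  # not an access log line; skip rather than guess
        hits = suspicious_params(match["target"])
        if hits:
            findings.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "method": match["method"],
                "path": urlsplit(match["target"]).path,
                "status": int(match["status"]),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{finding['timestamp']} {finding['ip']} {finding['method']} "
              f"{finding['path']} -> {finding['params']}")
```

Access logs record only the request line, so a payload sent in a POST body is invisible to this scan (the second sample line is caught only because its parameters sit in the query string); body-borne parameters have to be inspected at the WAF or in the application itself. Matching on the decoded parameter name rather than the raw line is what lets the percent-encoded and mixed-case variants in the samples trigger the same rule.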
Description
CVE-2022-22965 Spring4Shell research & PoC
Introduction
# CVE-2022-22965-spring4shell
CVE-2022-22965 Spring4Shell research & PoC for learning purposes
## Blog post
A more detailed analysis and explanation of the vulnerability can be found on my [blog post](https://medium.com/@cxzero/spring4shell-cve-2022-22965-vulnerability-analysis-and-exploitation-fae244dfd3eb).
## Comments on initial research
Based on the initial research I did on https://github.com/GuayoyoCyber/CVE-2022-22965 with these additions:
- modifications to the HelloWorld class and helloworld.jsp for a better understanding of the vulnerability
- added the Apache Tomcat 9.0.60 embed library as a dependency for debugging purposes
## Compilation
```
sudo apt install maven
mvn clean package
```
Apache Tomcat 9.0.60 can be downloaded from https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.60/bin/apache-tomcat-9.0.60.zip
The Smart Tomcat IntelliJ plugin can be used to speed up running and debugging: https://plugins.jetbrains.com/plugin/9492-smart-tomcat
## Docker
```
sudo docker build -t spring4shell .
```
or
```
sudo docker build -t spring4shell -f Dockerfile2 .
```
```
sudo docker run -p 8082:8080 spring4shell
```
## References
- https://medium.com/@cxzero/spring4shell-cve-2022-22965-vulnerability-analysis-and-exploitation-fae244dfd3eb
- http://blog.o0o.nu/2010/06/cve-2010-1622.html
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/
File snapshot
[4.0K] /data/pocs/38f24874f8ac9b9e2bf83dab3ab1a83a49ece963
├── [4.0K] exploits
│ ├── [2.9K] exploit1.py
│ ├── [4.3K] exploit2.py
│ ├── [3.1K] exploit3.py
│ ├── [5.0K] exploit4b.py
│ └── [4.9K] exploit4.py
├── [1.6K] README.md
└── [4.0K] springmvc5-helloworld-exmaple
├── [ 124] Dockerfile
├── [ 457] Dockerfile2
├── [2.8K] pom.xml
├── [4.0K] src
│ └── [4.0K] main
│ ├── [4.0K] java
│ │ └── [4.0K] net
│ │ └── [4.0K] javaguides
│ │ └── [4.0K] springmvc
│ │ └── [4.0K] helloworld
│ │ ├── [4.0K] config
│ │ │ ├── [ 862] AppConfig.java
│ │ │ └── [ 620] SpringMvcDispatcherServletInitializer.java
│ │ ├── [4.0K] controller
│ │ │ └── [ 886] HelloWorldController.java
│ │ └── [4.0K] model
│ │ ├── [ 361] Auxiliar.java
│ │ └── [ 776] HelloWorld.java
│ └── [4.0K] webapp
│ ├── [ 72] index.jsp
│ └── [4.0K] WEB-INF
│ └── [4.0K] views
│ └── [ 484] helloworld.jsp
└── [4.0K] target
└── [9.2M] example.war
16 directories, 17 files
Notes
1. Accessing the original source is recommended in the first instance.
2. If the source has gone offline or is unreachable, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.