POC详情: 95efe438e3332060d814f121c352b67c07990883

来源
https://github.com/BobTheShoplifter/Spring4Shell-POC
关联漏洞
标题: Spring Framework 代码注入漏洞 (CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965
介绍
# Spring4Shell-POC (CVE-2022-22965)

![Spring4Shell](spring4shell.png)

![Docker Build](https://github.com/BobTheShoplifter/Spring4Shell-POC/actions/workflows/docker-publish.yml/badge.svg) ![Docker App Build](https://github.com/BobTheShoplifter/Spring4Shell-POC/actions/workflows/app-docker-publish.yml/badge.svg) ![Stars](https://img.shields.io/github/stars/BobTheShoplifter/Spring4Shell-POC?style=social) ![Docker Run](https://img.shields.io/github/followers/BobTheShoplifter?label=Follow&style=social)

Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + [A vulnerable Tomcat server with a vulnerable spring4shell application.](vulnerable-tomcat/)

Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.

The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.

## Details about this vulnerability

- [https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc](https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc)
- [https://www.springcloud.io/post/2022-03/spring-0day-vulnerability](https://www.springcloud.io/post/2022-03/spring-0day-vulnerability)
- [https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)

## POC Usage

The usage is simple! You can either run the docker image, or just run the python script!

Please see vulnerable-tomcat for inscructions on setting up your own spring4shell vulnerable application [here!](vulnerable-tomcat/)

### Requirements

- Python3 or [Docker](https://hub.docker.com/r/bobtheshoplifter/spring4shell-poc)

### Python

```python
pip install -r requirements.txt
poc.py --help
```

![image](https://user-images.githubusercontent.com/22559547/161398549-05d279b2-51d6-49fb-9245-018747606321.png)

### Docker

```sh
## Dockerhub
docker pull bobtheshoplifter/spring4shell-poc:latest
docker run bobtheshoplifter/spring4shell-poc:latest --url https://example.io/
## Github docker repository
docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main
docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url https://example.io/
```

![image](https://user-images.githubusercontent.com/22559547/161400099-fb6c4f02-9d48-457a-8c91-041a9a8438b7.png)

## Vulnerable Tomcat server

I have now made a docker image for this, which includes a vulnerable spring + tomcat application.

The application should be enough to test this vulnerability.

[Please see (vulnerable-tomcat/README.md)](vulnerable-tomcat/README.md)

## Mitigations

!!(The following mitigations are only theoretical as nothing has been confirmed)!!

### JDK Version under 9

Cyberkendra informed that JDK versions lower than JDK 9

You can easily check this by running

```sh
java -version
```

That will display something similar to this

```sh
openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing)
```

If your JDK version is under 8, you might be safe, but nothing is confirmed yet

The following article will be updated

### Check if you are using the spring framework

Do a global search after `spring-beans*.jar` and `spring*.jar`

```sh
find . -name spring-beans*.jar
```

[^1]: POC, translated fron this repository.

POC, translated fron this repository: https://github.com/craig/SpringCore0day/blob/main/exp.py
文件快照

 [4.0K]  /data/pocs/95efe438e3332060d814f121c352b67c07990883
├── [ 130]  Dockerfile
├── [3.6K]  poc.py
├── [3.4K]  README.md
├── [  26]  requirements.txt
├── [ 10K]  spring4shell.png
└── [4.0K]  vulnerable-tomcat
    ├── [ 133]  Dockerfile
    ├── [2.7K]  README.md
    ├── [ 22K]  spring4shellapplication.png
    ├── [ 18M]  spring-form.war
    └── [4.0K]  spring-war
        ├── [ 505]  build.gradle
        ├── [4.0K]  gradle
        │   └── [4.0K]  wrapper
        │       └── [ 200]  gradle-wrapper.properties
        ├── [5.6K]  gradlew
        ├── [2.6K]  gradlew.bat
        ├── [9.7K]  mvnw
        ├── [6.2K]  mvnw.cmd
        ├── [1.6K]  pom.xml
        ├── [  33]  settings.gradle
        └── [4.0K]  src
            ├── [4.0K]  main
            │   ├── [4.0K]  java
            │   │   └── [4.0K]  com
            │   │       └── [4.0K]  example
            │   │           └── [4.0K]  handlingformsubmission
            │   │               ├── [ 682]  GreetingController.java
            │   │               ├── [ 330]  Greeting.java
            │   │               └── [ 481]  HandlingFormSubmissionApplication.java
            │   └── [4.0K]  resources
            │       └── [4.0K]  templates
            │           ├── [ 560]  greeting.html
            │           └── [ 400]  result.html
            └── [4.0K]  test
                └── [4.0K]  java
                    └── [4.0K]  com
                        └── [4.0K]  example
                            └── [4.0K]  handlingformsubmission
                                └── [1.9K]  HandlingFormSubmissionApplicationTest.java

17 directories, 23 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。