A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.# CVE-2022-22965_Spring4Shell
CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework that uses data binding functionality to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the getCachedIntrospectionResults method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match classLoader or protectionDomain.
## Score impact
According to the CVSSv3 system, it scores as <span style="color:red"> CRITICAL severity.</span>
## Detection
Below are detection opportunities for CVE-2022-22965 that can be used to identify vulnerability.
* Florian Roth created the following Yara rule that will detect possible webshells being implemented and proof-of-concept exploit attempts
* Hilko Bengen created a local CVE-2022-22965 vulnerability scanner written in Go (cross-platform compatible) that searches for Spring artifacts obtained via the Maven Central repository
* The OWASP Dependency Check tool can also be utilized to produce an aggregate report of projects and child projects doing the following command (additional properties for OWASP Dependency Check):
## Conditions
Current conditions for vulnerability (as stated in Spring's announcement of the vulnerability) can be summarised as follows:
* JDK 9+
* A vulnerable version of the Spring Framework (<5.2 | 5.2.0-19 | 5.3.0-17)
* Apache Tomcat as a server for the Spring application, packaged as a WAR
* A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework
## Exploit
````
python3 exploit.py http://10.10.10.10/
````
**Note:** the trailing slash is very important here!
Look for the "action" of the contact form (the only POST request available to us).
````
<form id="contactForm" action="/" method="post">
````
The action is "/", meaning that our target URL will simply be: ``http://10.10.10.10/``
登录后查看神龙缓存的 POC 文件快照
登录查看