POC详情: c0020d8cd1065cd00d69a2f8ab405206fcbf934b

来源
https://github.com/gokul-ramesh/Spring4Shell-PoC-exploit
关联漏洞
标题: Spring Framework 代码注入漏洞 (CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
Demonstrable Proof of Concept Exploit for Spring4Shell Vulnerability (CVE-2022-22965)
介绍
# Spring4Shell - PoC
# CVE - 2022 - 22965
## Versions affected : 
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older versions
- Java JDK 9
- Apache Tomcat versions below 10..0.20, 9.0.62, and 8.5.78
- Applications that are packaged as a traditional WAR with spring-webmvc or spring-webflux dependency and deployed on a standalone Servlet container alone are affected
## Description
- The issue can be elevated by classLoader manipulation
- Improper data binding that is used to populate an object from request parameters (Request Mapping annotation) causes this vulnerability
- Attackers can load arbitrary classes and can inject arbitrary code that can be executed by the application
- A similar vulnerability ([CVE-2010-1622](https://nvd.nist.gov/vuln/detail/CVE-2010-1622)) had been disclosed earlier and patches have been applied to restrict ```class.classLoader``` and ```class.protectionDomain```
- But JDK9 introduced a new method ```class.getMethod()```, which bypasses that restriction by using ```class.module.classLoader``` to access any child property of class object
## Impact
- Successful exploitation of this vulnerability can lead to arbitrary code execution on the vulnerable machine.
## Test Application
- [gokul-ramesh/Spring4Shell-POC](https://github.com/gokul-ramesh/Spring4Shell-POC) (forked from [lunasec-io/Spring4Shell-POC](https://github.com/lunasec-io/Spring4Shell-POC) )
- Clone the repository and build the application
```
docker build . -t spring4shell-poc-app
```
Else get the docker image from [gokul2/spring4shell-poc]
```
docker pull gokul2/spring4shell-poc-app
```
- Bring up the application
```
docker run -p 8080:8080 spring4shell-poc-app
```
- The application will be available at [localhost:8080](http://localhost:8080) now.
- Run the exploit.py file
文件快照

 [4.0K]  /data/pocs/c0020d8cd1065cd00d69a2f8ab405206fcbf934b
├── [ 711]  exploit.py
└── [1.8K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。