关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit
介绍
<h1 align="center"> Project Spring4Shell (CVE-2022-22965 ) Blocker </h1>
## Firewall Server Handler -
This project is a proof-of-concept (POC) firewall server designed to detect and block attacks exploiting the CVE-2022-22965 vulnerability, commonly known as Spring4Shell. The server inspects incoming HTTP requests and blocks any that match known malicious patterns associated with this vulnerability.
## Overview
The Firewall Server Handler is a simple Python-based HTTP server, built using the http.server library. It monitors incoming HTTP POST requests, looking for specific headers and payload patterns associated with the Spring4Shell vulnerability. If a request matches these patterns, it is blocked, and the server responds with a 403 Forbidden status.
## Requirements
- Python 3.x
## Setup and Usage
1. Clone the Repository
```bash
git clone https://github.com/BlackBird63030/Block-Spring4Shell
cd Block-Spring4Shell
```
2. Run the Server
```bash
python frs.py
```
By default, the server will run on localhost at port 8000.
3. Test the Firewall Rule
- To test, you can send use the tnt.py script that simulates the attack by doig 5 connections.
## Blocking Rules
This POC uses two main rules to detect and block CVE-2022-22965 exploit attempts:
1. Rule 1: Blocking Payload Pattern
- Detects requests containing the payload pattern class.module.classLoader.resources.context.parent.pipeline.first, which is used in Spring4Shell exploits to inject malicious Java code.
2. Rule 2: Blocking Suspicious Headers
- Blocks requests with specific headers characteristic of Spring4Shell attack payloads:
- suffix: %>//
- C1: Runtime
- C2: <%
- DNT: 1
- Content-Type: application/x-www-form-urlencoded
If either rule matches, the server responds with a 403 Forbidden status and returns a JSON message:
{"error": "Forbidden Access"}
If no conditions are met, the server responds with 200 OK and:
{"message": "Request received"}
## Code Structure
- ServerHandler: The main class handling HTTP requests.
- block_request(): Sends a 403 response when a request is blocked.
- rule_1(): Checks the payload for patterns associated with CVE-2022-22965.
- rule_2(): Checks for specific headers known to be part of Spring4Shell exploits.
- do_GET() and do_POST(): Process incoming GET and POST requests, applying the firewall rules.
## Example
To test the firewall, use the tnt.py script. It gonna send 5 POST requests to the firewall script
```bash
python tnt.py
```
The server will respond with:
{"error": "Forbidden Access"}
## Purpose
This POC is intended for educational and testing purposes to demonstrate a basic firewall rule that blocks specific attack vectors targeting the Spring4Shell vulnerability. It is not a substitute for a comprehensive firewall solution in production environments.
## License
MIT License
文件快照
[4.0K] /data/pocs/c7a901435e6242b94d3395719f088ec657deea37
├── [2.3K] frs.py
├── [1.0K] LICENSE
├── [2.8K] README.md
└── [1.8K] tnt.py
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。