Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-22965 PoC — Spring Framework 代码注入漏洞

Source
https://github.com/LudovicPatho/CVE-2022-22965_Spring4Shell
Associated Vulnerability
Title:Spring Framework 代码注入漏洞 (CVE-2022-22965)
Description:A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Readme
# CVE-2022-22965_Spring4Shell

CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework that uses data binding functionality to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the getCachedIntrospectionResults method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match classLoader or protectionDomain. 

## Score impact
According to the CVSSv3 system, it scores as <span style="color:red"> CRITICAL severity.</span>

## Detection
Below are detection opportunities for CVE-2022-22965 that can be used to identify vulnerability.

* Florian Roth created the following Yara rule that will detect possible webshells being implemented and proof-of-concept exploit attempts
* Hilko Bengen created a local CVE-2022-22965 vulnerability scanner written in Go (cross-platform compatible) that searches for Spring artifacts obtained via the Maven Central repository
* The OWASP Dependency Check tool can also be utilized to produce an aggregate report of projects and child projects doing the following command (additional properties for OWASP Dependency Check):

## Conditions
Current conditions for vulnerability (as stated in Spring's announcement of the vulnerability) can be summarised as follows:

* JDK 9+
* A vulnerable version of the Spring Framework (<5.2 | 5.2.0-19 | 5.3.0-17)
* Apache Tomcat as a server for the Spring application, packaged as a WAR
* A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework


## Exploit 

````
python3 exploit.py http://10.10.10.10/
````

**Note:** the trailing slash is very important here!

Look for the "action" of the contact form (the only POST request available to us).
````
<form id="contactForm" action="/" method="post">
````
The action is "/", meaning that our target URL will simply be: ``http://10.10.10.10/``
File Snapshot

 [4.0K]  /data/pocs/9cb369d96fa0b0b9141277ae2deac2f216a02f0c
├── [2.4K]  exploit.py
└── [2.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →