CVE-2022-22965 PoC — Spring Framework code injection vulnerability

Associated Vulnerability
Title: Spring Framework code injection vulnerability (CVE-2022-22965)
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Description
Proof-of-Concept (POC) of a simple firewall in Python designed to mitigate the Spring4Shell (CVE-2022-22965) RCE attack by inspecting and blocking malicious request bodies.
Readme
# Python Firewall for Spring4Shell (CVE-2022-22965) Mitigation

## 1. Overview

This project is a simple but effective firewall implemented as a Proof-of-Concept (POC) in Python. It's designed to act as an HTTP server that inspects incoming POST requests to detect and block the specific payload pattern associated with the Spring4Shell (CVE-2022-22965) remote code execution (RCE) vulnerability.

## 2. How It Works

The firewall leverages Python's built-in `http.server` module. The core logic resides in the `do_POST` method of the `ServerHandler` class.

1.  The server intercepts all incoming `POST` requests.
2.  It reads the entire request body.
3.  It searches for the malicious signature string: `class.module.classLoader`. This string is the fundamental component of the Spring4Shell exploit and is difficult for an attacker to obfuscate.
4.  **If the pattern is found**, the server immediately blocks the request by sending a `403 Forbidden` HTTP response.
5.  **If the pattern is not found**, the request is considered legitimate and is handled normally with a `200 OK` response.
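
The inspection steps above as an added example; this is not the project's `firewall_server.py`. The `ServerHandler` and `do_POST` names come from the README; the helper `is_malicious`, the body-size cap, the percent-decoding passes, the case-insensitive match and the rejection of chunked bodies are assumptions that go beyond the README's plain string search, so that an encoded form of the signature is compared after decoding.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote_plus

SIGNATURE = "class.module.classloader"  # README's signature, lowercased for comparison
MAX_BODY = 1 << 20                      # assumed 1 MiB cap, not from the README
DECODE_PASSES = 2                       # assumed: check raw, decoded once, decoded twice


def is_malicious(body: bytes) -> bool:
    """True if the signature appears in the raw or percent-decoded body."""
    text = body.decode("utf-8", errors="replace")
    for _ in range(DECODE_PASSES + 1):
        if SIGNATURE in text.lower():
            return True
        text = unquote_plus(text)  # undo one layer of form/URL encoding
    return False


class ServerHandler(BaseHTTPRequestHandler):
    def _reply(self, status: int, message: str) -> None:
        payload = message.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        # http.server does not decode chunked bodies, so fail closed
        # instead of passing a body that was never inspected.
        if "Transfer-Encoding" in self.headers:
            return self._reply(411, "Content-Length required\n")
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if length < 0:
                raise ValueError(length)
        except ValueError:
            return self._reply(400, "Bad Content-Length\n")
        if length > MAX_BODY:
            return self._reply(413, "Body too large\n")
        body = self.rfile.read(length)  # step 2: read the entire body
        if is_malicious(body):          # step 3: signature search
            return self._reply(403, "Forbidden\n")
        self._reply(200, "OK\n")


if __name__ == "__main__":
    HTTPServer(("localhost", 8000), ServerHandler).serve_forever()
```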

## 3. Why This Approach?

While other mitigation strategies could focus on headers or specific URL paths, this method was chosen for its robustness:

*   **Resilient:** It is not dependent on fragile indicators like filenames (e.g., `tomcatwar.jsp`) or custom header names, which can be easily changed by an attacker.
*   **Effective:** It targets the core mechanism of the exploit itself, making it a highly reliable detection method against this specific vulnerability.

## 4. Usage

To run the firewall, use the main script [`firewall_server.py`](firewall_server.py):

```bash
python firewall_server.py
```
The server will start on localhost:8000.
You can then use the provided [`Test_Requester.py`](Test_Requester.py) script to simulate malicious requests and verify that they are being blocked.


## 5. Disclaimer

This is a Proof-of-Concept and is intended for educational and demonstrative purposes only. It is not a production-ready firewall solution.
File Snapshot

```
[4.0K] /data/pocs/c8e4943fd7cd42ab62b894b17661c7edab4dcfbd
├── [2.0K] firewall_server.py
├── [1.0K] LICENSE
├── [2.0K] README.md
└── [1.8K] Test_Requester.py

1 directory, 4 files
```