@esell
Last active Apr 12, 2022
At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC
- clone https://spring.io/guides/gs/handling-form-submission/
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
- install Tomcat 9 + Java 11 (I did it on Ubuntu 20.04)
- deploy the war file
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
- run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url http://your.ip.here:8080/handling-form-submission-complete/greeting
- you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission
- hit http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id to see the results

BobTheShoplifter commented Mar 30, 2022

Hey! Would you like to create a PR with this on my spring4shell info/poc repo, would be awesome to include this!

esell commented Mar 30, 2022

> Hey! Would you like to create a PR with this on my spring4shell info/poc repo, would be awesome to include this!

done!

hahwul commented Mar 31, 2022

🤩

esfomeado commented Mar 31, 2022

Does Spring Boot suffer from this vulnerability?

Ward-Jaabary commented Mar 31, 2022

The zip file on https://share.vx-underground.org/ requires a password, what should I give?

cndycc commented Mar 31, 2022

zip password is mentioned at second 12 in this clip: https://www.youtube.com/watch?v=n8FbMY-quW4

DamianFekete commented Mar 31, 2022

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Am I Impacted?
These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
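
An added example (not part of this thread or of the Spring project's code) that checks a deployment against the four conditions listed in the announcement quoted above, by inspecting the archive for a WAR layout and bundled spring-webmvc/spring-webflux jars. The function names are hypothetical, the Java version string and the Tomcat flag are supplied by the caller, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile

# The two dependencies named in the announcement, as jars bundled under WEB-INF/lib.
SPRING_WEB_JAR = re.compile(r"^WEB-INF/lib/(spring-(?:webmvc|webflux))-(.+)\.jar$")


def jdk_major(java_version):
    """Major release from a java.version string: '1.8.0_312' -> 8, '11.0.14' -> 11."""
    parts = re.split(r"[._+-]", java_version.strip())
    major = int(parts[0])
    # Releases up to Java 8 report themselves as 1.x
    return int(parts[1]) if major == 1 and len(parts) > 1 else major


def assess(archive_bytes, java_version, on_tomcat):
    """Evaluate one deployment against the four conditions of the reported scenario."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        names = archive.namelist()
    jars = sorted(m.groups() for m in map(SPRING_WEB_JAR.match, names) if m)
    checks = {
        "jdk9_or_higher": jdk_major(java_version) >= 9,
        "tomcat_container": bool(on_tomcat),
        "packaged_as_war": any(n.startswith("WEB-INF/") for n in names),
        "spring_web_dependency": bool(jars),
    }
    return {"checks": checks, "spring_web_jars": jars,
            "matches_reported_scenario": all(checks.values())}


def build_archive(paths):
    """Constructed sample input: an in-memory zip holding empty files at `paths`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path in paths:
            z.writestr(path, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive; the jar version 1.2.3 is a placeholder.
    war = build_archive(["WEB-INF/web.xml", "WEB-INF/lib/spring-webmvc-1.2.3.jar"])
    for version in ("11.0.14", "1.8.0_312"):
        result = assess(war, version, on_tomcat=True)
        print(version, result["matches_reported_scenario"], result["checks"])
```

A negative result only rules out the reported scenario; as the announcement says, the vulnerability is more general than these four conditions.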

satellite92 commented Apr 1, 2022

what is the zip password, bro?
