@esell
Last active April 12, 2022 15:55
At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC
- clone https://spring.io/guides/gs/handling-form-submission/
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
- modify it so that you can build a WAR file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
- install tomcat9 + Java 11 (I did it on Ubuntu 20.04)
- deploy the WAR file
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
- run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url http://your.ip.here:8080/handling-form-submission-complete/greeting
- you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission
- hit http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id to see the results
@BobTheShoplifter

Hey! Would you like to create a PR with this on my spring4shell info/poc repo, would be awesome to include this!

@esell
Author

esell commented Mar 30, 2022

> Hey! Would you like to create a PR with this on my spring4shell info/poc repo, would be awesome to include this!

done!

@hahwul

hahwul commented Mar 31, 2022

🤩

@esfomeado

Does Spring Boot suffer from this vulnerability?

@Ward-Jaabary

The zip file on https://share.vx-underground.org/ requires a password; what should I give?

@cndycc

cndycc commented Mar 31, 2022

zip password is mentioned at second 12 in this clip: https://www.youtube.com/watch?v=n8FbMY-quW4

@DamianFekete

DamianFekete commented Mar 31, 2022

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Am I Impacted?
These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
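
Added example, not part of the comment above, the Spring announcement or the gist: a small Python check that evaluates the four listed requirements against a deployed artifact, for triaging which deployments match the reported scenario. The function names, the operator-supplied `jdk_major` and `container` inputs, and the in-memory sample WAR with placeholder versions are assumptions made for illustration.

```python
import io
import re
import zipfile

# The two dependencies named in the checklist, as jars in a WAR's library directory.
SPRING_WEB_JAR = re.compile(r"^WEB-INF/lib/(spring-(?:webmvc|webflux))-(.+)\.jar$")


def spring_web_jars(entries):
    """Map artifact name -> version string for spring-webmvc / spring-webflux jars."""
    found = {}
    for name in entries:
        m = SPRING_WEB_JAR.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(archive, jdk_major, container):
    """Evaluate the four listed requirements for one deployment.

    archive: path or file object of the deployed artifact (hypothetical input)
    jdk_major / container: supplied by the operator, e.g. 11 and "Apache Tomcat 9"
    """
    with zipfile.ZipFile(archive) as zf:
        entries = zf.namelist()
    jars = spring_web_jars(entries)
    checks = {
        "jdk_9_or_higher": jdk_major >= 9,
        "tomcat_container": "tomcat" in container.lower(),
        "packaged_as_war": any(e.startswith("WEB-INF/") for e in entries),
        "spring_web_dependency": bool(jars),
    }
    # True means "matches the reported scenario"; False is not proof of safety.
    return {"checks": checks, "spring_jars": jars,
            "matches_reported_scenario": all(checks.values())}


def build_sample_war():
    """Constructed sample: an in-memory WAR with placeholder jar versions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("WEB-INF/web.xml",
                     "WEB-INF/lib/spring-webmvc-0.0.0-SAMPLE.jar",
                     "WEB-INF/lib/spring-core-0.0.0-SAMPLE.jar"):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(assess(build_sample_war(), jdk_major=11, container="Apache Tomcat 9"))
```

Because the announcement says other ways to exploit the issue may exist, a deployment that fails one of these checks should still be tracked for patching rather than treated as unaffected.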

@satellite92

what is the zip password, bro?
