## Spring4Shell Vulnerability - CVE-2022-22965 :closed_book:

* Introduction

The spring4shell vulnerability was named this way due to 2 vulnerabilities found and widely exploited by attackers in early 2022. One of these vulnerabilities is in the framework component called "Spring Cloud Functions" (less critical) and a second and more critical component being at the heart of the framework called "Spring Core". With these 2 critical vulnerabilities, it generated a joke from the community relating another critical vulnerability disclosed in 2021 called Log4shell.

<p align="center">
  <img width="700" height="300" src="./img/x.png">

## How Does it Work?

One of the features of Spring MVC is that it automatically instantiates and populates an object of a specified class when a request is made based on the parameters sent to the endpoint. In simple terms, this could be abused to overwrite important attributes of the parent class, resulting in remote code execution. The majority of the exploits for the Spring4Shell vulnerability operate by forcing the application to write a malicious ```.jsp``` file to the webserver. This webshell can then be executed to gain remote command execution over the target.

## Limitations

For this exploitation to happen, it is necessary to follow a sequence of factors that make the environment vulnerable to the import of this jsp file, they are;

* Spring Core antes da versão 5.2 (versions 5.3.0-17 and 5.2.0-19).
* Java Development Kit (JDK) greater than or equal to 9.
* Apache Tomcat as a server for the Spring application, packaged as a WAR.
* Dependency on the ```spring-webmvc``` and/or ```spring-webflux``` components of the Spring Framework.

## Let's go POC

For this exploration, we will use a script already created for this purpose called `````` attached to this same repository.
> [!note]  
The script ( for this poc is available in this same repository, check it above.

Always use the script help when available, it will be clearer to understand.

<p align="center">
  <img width="700" height="300" src="./img/2.png">

This attack requires an http post method to be able to transmit the file to the server.
On the server we are running for attack, there is a POST that we can find in the page's view-source. 

This is a simple page where an email is registered for notification.

<p align="center">
  <img width="700" height="300" src="./img/3.png">

in view-source we found the post of this form with action for /.

<p align="center">
  <img width="700" height="150" src="./img/4.png">

let's use our script to explore this webserver. Remembering that we need to execute the attack in the POST action, in this case, in the root /.

<p align="center">
  <img width="700" height="80" src="./img/5.png">

The webshell has been sent successfully! Let's access the link generated by the script to confirm the exploration.

<p align="center">
  <img width="700" height="80" src="./img/6.png">

Done! We were able to exploit the vulnerability by sending a webshell to the webserver.

## Patching :white_check_mark:
To remediate Spring4Shell, ensure that you are using a version of Spring released after patch 18 of minor release 5.3 (i.e. after 5.3.18), or after patch 20 if using minor release 5.2 (i.e. after 5.2.20). Upgrading the version of the framework is enough to remove the vulnerability from your applications.