<h1 align="center"></h1>

<h4 align="center">Intentionally vulnerable Spring app to test CVE-2022-22965</h4>
<p align="center">For more information: <a href=""></a></p>
<p align="center">
  <a href=""><img src="" alt="@fracturelabs" height="18"></a>
  <a href=""><img src="" alt="@brkr19" height="18"></a>
</p>

# Usage

## Build
The following commands build a vulnerable Docker image from these components:
* JDK 11.0.14
* Tomcat 9.0.60
* Spring 2.6.4

```bash
git clone
cd spring4shell_victim
docker image build -t spring4shell_victim .
```

## Run
```bash
docker container run -it -p 8080:8080 --name spring4shell_victim --rm spring4shell_victim
```

## Exploit
There are two routes defined: `/spring4shell_victim` and `/spring4shell_victim/vulnerable`. You can use them to verify that your scanning tools are working properly. The default route (/) is deliberately not vulnerable, to get you to think about how to configure your scanning tools to find vulnerable endpoints.

### Example
```bash
# This route is not vulnerable
# (port 8080 matches the -p 8080:8080 mapping in the Run step)
curl -is 'localhost:8080/spring4shell_victim/?class.module.classLoader.URLs%5b-1%5d'

# This route is vulnerable
curl -is 'localhost:8080/spring4shell_victim/vulnerable?class.module.classLoader.URLs%5b-1%5d'
```


### Verification
You can verify that your code deployed correctly by opening a shell on the container and looking in the `/usr/local/tomcat/webapps/` directory.

```bash
docker exec -it spring4shell_victim /bin/bash
```

NOTE: The POC code above only causes a crash that you can detect (500 error). It does not actually upload any code.
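
To confirm from the defender's side that the probes above are visible in logging, the following added example (not part of this project's code) scans access-log lines for class-loader binding parameters and marks the requests that ended in the 500 described in the note. The log format (Tomcat's `common` access-log pattern), the field names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed log format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Parameter names that walk from the bound object to its class loader.
# Matched case-insensitively to err on the side of flagging.
SUSPECT = re.compile(r'^class\.(module\.)?classloader\b', re.IGNORECASE)

# Constructed sample lines (not captured from a real run).
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Apr/2022:10:00:01 +0000] "GET /spring4shell_victim/'
    '?class.module.classLoader.URLs%5b-1%5d HTTP/1.1" 200 24',
    '172.17.0.1 - - [01/Apr/2022:10:00:02 +0000] "GET /spring4shell_victim/vulnerable'
    '?class.module.classLoader.URLs%5b-1%5d HTTP/1.1" 500 1120',
    '172.17.0.1 - - [01/Apr/2022:10:00:03 +0000] "GET /spring4shell_victim/vulnerable'
    '?name=test HTTP/1.1" 200 24',
]

def scan(lines):
    """Return one finding per request that carries a class-loader binding parameter."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes names; keep_blank_values keeps "name" with no "=value".
        names = [k for k, _ in parse_qsl(target.query, keep_blank_values=True)]
        hits = [n for n in names if SUSPECT.match(n)]
        if hits:
            findings.append({
                "client": m["client"],
                "path": target.path,
                "param": hits[0],
                "status": int(m["status"]),
                # Per the README's note, the probe makes a vulnerable route answer 500.
                "crashed": m["status"] == "500",
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Query strings are only logged for the request line, so parameters sent in a POST body will not appear in this log format.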