Exploit for Code Injection in Vmware Spring Framework CVE-2022-22965

Name: Exploit for Code Injection in Vmware Spring Framework CVE-2022-22965
Rating: 5 (89 reviews)

2022-04-07 | CVSS 7.5

## https://sploitus.com/exploit?id=661FCFFE-E5C3-5CF9-9CD5-68869CEDED1E
# CVE-2022-22965 PoC - Payara Arbitrary File Download

Minimal example of how to reproduce CVE-2022-22965 Spring vulnerability in Payara/Glassfish.

Alternative payload for Payara/Glassfish that allows the malicious user to set an arbitrary web root, leading to arbitrary file download. 

## Run using docker compose

1. Build the application using Docker compose
    ```shell
    docker-compose up --build
    ```
2. To test the app browse to [http://localhost:8080/handling-form-submission-complete/greeting](http://localhost:8080/handling-form-submission-complete/greeting)
3. Run the exploit
    ```shell
    ./exploits/run.sh
    ```
## Conditions

The exploit requires Java 9 or above because `module` property was added in Java 9.