# Spring4Shell-PoC Application

This application has been containerized and is susceptible to the Spring4Shell flaw (CVE-2022-22965). The war's complete Java source is available and changeable; it may be rebuilt each time the docker image is created. Tomcat will then start loading the created WAR. This application is a straightforward hello world that is based on [Spring tutorials]( It has nothing exceptional to offer.

## Requirements

1. Docker
2. Python3 + requests library

## Instructions

1. Clone the repository
2. Build and run the container: `docker build . -t spring4shell && docker run -p 8080:8080 spring4shell`
3. App should now be available at http://localhost:8080/helloworld/greeting
4. Run the script:
 `python --url "http://localhost:8080/helloworld/greeting"`
5. Visit the created webshell! Modify the `cmd` GET parameter for your commands. (`http://localhost:8080/shell.jsp` by default)

Document is added explaining full exploit detail.