# Spring4Shell-PoC Application
This application has been containerized and is susceptible to the Spring4Shell flaw (CVE-2022-22965). The war's complete Java source is available and changeable; it may be rebuilt each time the docker image is created. Tomcat will then start loading the created WAR. This application is a straightforward hello world that is based on [Spring tutorials](https://spring.io/guides/gs/handling-form-submission/). It has nothing exceptional to offer.
2. Python3 + requests library
1. Clone the repository
2. Build and run the container: `docker build . -t spring4shell && docker run -p 8080:8080 spring4shell`
3. App should now be available at http://localhost:8080/helloworld/greeting
4. Run the exploit.py script:
`python exploit.py --url "http://localhost:8080/helloworld/greeting"`
5. Visit the created webshell! Modify the `cmd` GET parameter for your commands. (`http://localhost:8080/shell.jsp` by default)
Document is added explaining full exploit detail.