# :space_invader: CVE-2022-22965
This is a proof of concept of an exploit for the [CVE-2022-22965 (Spring4Shell)](https://www.cve.org/CVERecord?id=CVE-2022-22965) vulnerability.
It consists of:
* A vulnerable Spring Boot application;
* An exploit script written in Python;
* A safe app for testing that the exploit doesn't work against a patched application;
* A Dockerfile for running the vulnerable application and testing the exploit.

# Authors
* [:it:] [Mario Offertucci](https://github.com/mariomamo);
* [:it:] [Antonio Donnarumma](https://github.com/AnItalianMan).
# :gear: Prerequisites
* [Docker](https://www.docker.com/): used for running a Tomcat container with the Spring Boot application;
* [Python](https://www.python.org/downloads/): used for running the exploit.
# :one: Running the Spring Boot application
Inside the project root folder there is a Dockerfile that creates a Tomcat image and copies the `vulnerable_app/target/spring4shell.war` and `safe_app/target/safeapp.war` files into the `/usr/local/tomcat/webapps` folder, so you just have to build the image and start the container.
### Build the Tomcat image
```shell
docker build -t cve_2022_22965 .
```
### Start the container
```shell
docker run -p 8080:8080 -d --name springshell cve_2022_22965
```
### Check if the application is responding
```shell
curl --location --request POST http://localhost:8080/spring4shell/vulnerability/exploit?name=Elliot%20Alderson
```
If you see this response
```
This is Elliot Alderson
```
then the application is up and running.
# :two: Now you can run the exploit
```shell
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit
```
You can optionally specify the name of the injected JSP file, but it is not mandatory.
```shell
python spring4shell.py http://localhost:8080/spring4shell/vulnerability/exploit -f exploit.jsp
```
If you don't specify a name, a random one will be generated.
You will see the following in the command shell.
After the exploit you can also send a command via an HTTP GET request.
You have successfully opened a shell on the victim machine! Enjoy.