
CVE-2022-22965 Spring4Shell research & PoC


CVE-2022-22965-spring4shell

CVE-2022-22965 Spring4Shell research & PoC for learning purposes

Blog post

A more detailed analysis and explanation of the vulnerability can be found in my blog post.

Comments on initial research

Based on the initial research I did on https://github.com/GuayoyoCyber/CVE-2022-22965 with these additions:

  • modifications to the HelloWorld class and helloworld.jsp for a better understanding of the vulnerability
  • added Apache Tomcat 9.0.60 embed library dependency for debugging purposes

Compilation

sudo apt install maven
mvn clean package

Apache Tomcat 9.0.60 can be downloaded from https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.60/bin/apache-tomcat-9.0.60.zip

The Smart Tomcat IntelliJ plugin can be used to speed up running and debugging: https://plugins.jetbrains.com/plugin/9492-smart-tomcat

Docker

sudo docker build -t spring4shell .

or

sudo docker build -t spring4shell -f Dockerfile2 .
sudo docker run -p 8082:8080 spring4shell
