DEPRECATED, SEE https://github.com/lunasec-io/Spring4Shell-POC
This repo is not indicative of the Spring4Shell vulnerability any longer. The initial though was that the RCE was achieved via a "Deserialization Injection" attack vector, but it has since been discovered to use a Struts-style "Class Loader Manipulation" attack vector instead.
This repo is a functioning POC and vulnerable app now that have more details: https://github.com/lunasec-io/Spring4Shell-POC
For more details, please see our blog post on Spring4Shell.
This repository contains a Spring Boot web application vulnerable to a possible RCE due to this commit.
More details will be posted in this Twitter thread as they are identified. For now though, this repo serves only to help others determine the exploitability and impact of this vulnerability.
It uses Log4j 2.14.1 (through spring-boot-starter-log4j2
2.6.1) and the JDK 12. (_Note: Apparently JDK versions 8 and below aren't vulnerable.)
Run and build it yourself (you don't need any Java-related tooling):
docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app --rm vulnerable-app
Note: This is highly inspired from the original LunaSec advisory. Run at your own risk, preferably in a VM in a sandbox environment.
Currently unknown!
We'll post up a more formal guide once we determine if there is a real exploit available for this issue. To stay informed, please follow us on Twitter or subscribe to our mailing list for updates.
$ curl -v 127.0.0.1:8080/post-body --data "$(echo foobar)"
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /post-body HTTP/1.1
> Host: 127.0.0.1:8088
> User-Agent: curl/7.82.0
> Accept: */*
> Content-Length: 2
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 26
< Date: Wed, 30 Mar 2022 09:46:04 GMT
<
* Connection #0 to host 127.0.0.1 left intact
Hello, foobar
https://www.lunasec.io/docs/blog/log4j-zero-day/ https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
Thanks for these people for writing this basic vulnerable Spring app for Log4Shell. This repo is simply a fork of that with some slight tweaks. They did most of the work!