Spring4Shell is a remote code execution vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications through unsafe data binding behavior. In vulnerable deployments, attacker-controlled request parameters can traverse object properties exposed during binding and reach Java class metadata and class loader paths. On JDK 9 and later, this can be abused through the class.module.classLoader access path, bypassing earlier protections related to Class property exposure. Publicly documented exploitation chains targeted traditional WAR deployments on Apache Tomcat, where attackers manipulated Tomcat logging pipeline properties to write a JSP web shell into a web-accessible location. Affected versions include Spring Framework 5.3.0 through 5.3.17 and 5.2.0 through 5.2.19, with older unsupported versions potentially also affected. The issue was fixed in Spring Framework 5.3.18 and 5.2.20.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
30 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (22 hidden).
This repository is a small standalone C-based exploit for CVE-2022-22965 (Spring4Shell). It contains only three files: an MIT LICENSE, a minimal README claiming the CVE target, and a single source file main.c that implements the exploit logic and operator interface. The exploit is not a framework module; main.c is the sole entry point. Its structure is straightforward: a URL-encoding helper, a payload-delivery routine, an interactive RCE/webshell routine, banner/help/menu functions, and main(). The core exploitation occurs in sendThePayload(), which prompts the operator for a target URL and desired JSP filename, builds a malicious application/x-www-form-urlencoded POST body, and invokes curl via system() to send it to the target. The POST body uses the well-known Spring4Shell property path class.module.classLoader.resources.context.parent.pipeline.first.* to manipulate Tomcat logging/pipeline behavior and write a JSP file into webapps/ROOT. The injected JSP contains Java code that checks a password parameter and, if matched, executes an OS command supplied in the cmd parameter using Runtime.getRuntime().exec(...), returning command output in the HTTP response. After sending the exploit, the program waits briefly and then enters rce(), an interactive shell-like loop. For each operator command, it URL-encodes the command, requests <target>/<filename>.jsp?pwd=<password>&cmd=<encoded command> using curl, stores the response in /tmp/response.txt, and displays the cleaned output. This gives the operator remote command execution through the dropped webshell. Notable implementation details: the code hardcodes the JSP shell directory as webapps/ROOT and hardcodes an initial payload password string in the JSP-generation logic, while the follow-on rce() invocation passes a different password string ("ghost"), suggesting either a bug or inconsistency that may prevent successful shell interaction unless corrected. Despite that flaw, the repository clearly contains real exploit code rather than a detector or placeholder. Overall, this is an operational proof-of-concept web exploit that weaponizes Spring4Shell into JSP webshell deployment and interactive command execution against vulnerable Spring/Tomcat targets.
This repository is a real exploit-and-lab package for CVE-2022-22965 (Spring4Shell). It contains five standalone Python exploit scripts plus a minimal vulnerable Spring MVC WAR-style application used for testing. The exploit logic is consistent across variants: send crafted HTTP requests to a Spring MVC endpoint that performs data binding, abuse the property path class.module.classLoader.resources.context.parent.pipeline.first.* to reconfigure Tomcat's AccessLogValve, and force Tomcat to write attacker-controlled JSP content into a web-accessible directory such as webapps/ROOT. Repository structure: the exploits/ directory contains the offensive tooling, while springmvc5-helloworld-example/ contains a simple Java/Spring MVC application. The Java app exposes /vulnerable in HelloWorldController.handler(), which accepts a HelloWorld model object and is intentionally suitable for the binding traversal required by Spring4Shell. JSP views and basic model classes are included to make the sample app deployable as a vulnerable WAR-like application. Exploit capabilities by file: exploit1.py performs a POST-based shell drop and writes a password-protected JSP command shell; exploit2.py is another POST-based web-shell dropper that resets Tomcat log settings before and after exploitation to improve repeatability; exploit3.py is a simpler GET-based web-shell dropper; exploit4.py and exploit4b.py write a JSP reverse TCP shell payload, using GET and POST respectively. The reverse-shell payload is a Java/JSP implementation that selects /bin/sh on Unix-like systems or cmd.exe on Windows and connects back to attacker-supplied LHOST/LPORT. Operationally, this is more than a bare proof of concept because it includes working payloads for command execution and reverse shells, but it is still standalone tooling rather than a larger exploitation framework. No evidence suggests it is fake or merely a detector. The most fingerprintable target artifact is the /vulnerable endpoint in the included sample app, along with the predictable dropped shell locations such as /shell.jsp or a user-chosen JSP filename at the web root.
This repository is a small standalone Spring4Shell exploitation project containing 3 files: a README, a Python exploit script, and a JSP webshell. Its purpose is to demonstrate exploitation of CVE-2022-22965 in a lab/CTF setting built from Vulhub. The main exploit logic is in exploit.py, which sends an HTTP POST to the target root path with crafted Spring data-binding parameters under class.module.classLoader.resources.context.parent.pipeline.first.* to coerce Tomcat into writing a JSP file named tomcatwar.jsp into webapps/ROOT. The embedded JSP payload accepts a cmd parameter and executes arbitrary system commands via Runtime.getRuntime().exec, returning stdout in the HTTP response. After delivery, the script verifies success by requesting /tomcatwar.jsp?cmd=id and checking for uid= in the response. The README documents setup, manual curl exploitation, and a CTF objective of reading /tmp/flag.txt. Notable implementation detail: exploit.py attempts a fallback os.system curl invocation but does not import os, so that fallback path would fail if reached. Overall, this is a real operational PoC exploit for web-based remote code execution, not merely a detector.
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository is a functional educational exploit set for Spring4Shell (CVE-2022-22965), not merely documentation. It contains multiple Python scripts plus JSP payloads that together automate exploitation of a vulnerable Spring-on-Tomcat target in a local Docker lab. Repository structure and purpose: - README.md: Describes the lab, affected versions, attack flow, and intended Docker target at localhost:8011. - run.py: Main orchestrator. It prompts for target settings, launches Stage 1 exploitation, triggers log flush, verifies the dropped JSP shell, deploys the Stage 2 shell, performs post-exploitation checks, and writes an HTML report. - stage1_dropper.py: Core exploit logic for CVE-2022-22965. It abuses Spring Data Binding to set Tomcat AccessLogValve properties so a JSP stager is written into the web root. - stage2_uploader.py: Uses the Stage 1 shell to execute curl on the target and fetch health_check.jsp from an attacker-controlled HTTP server, saving it into the Tomcat ROOT directory. - health_check.jsp: Second-stage authenticated JSP webshell that executes arbitrary OS commands and returns output in HTML. - Spring4Shell-POC/poc.py: Separate standalone PoC variant that drops tomcatwar.jsp and checks whether the target is vulnerable. Main exploit capabilities: 1. Remote exploitation over HTTP POST against a Spring endpoint. 2. Arbitrary JSP file write into Tomcat web root by manipulating AccessLogValve properties. 3. Remote command execution through the dropped JSP stager using cmd query parameters. 4. Second-stage webshell deployment via target-side curl from an attacker HTTP server. 5. Post-exploitation actions including whoami/id execution, environment variable dumping, and directory listing of sensitive config locations. 6. Automated reporting of attack progress in HTML. The exploit is operational rather than a simple PoC because it includes a complete multi-stage workflow and usable payloads, but it is not part of a larger exploitation framework. Hardcoded defaults and credentials indicate a lab-oriented implementation rather than a generalized weaponized tool.
Repository contains a single Python exploit script and a descriptive README for CVE-2022-22965 (Spring4Shell). The exploit (spring4shell.py) performs a network-based RCE by sending a crafted application/x-www-form-urlencoded POST to a user-supplied target URL, abusing Spring’s data binding to set Tomcat pipeline/AccessLogValve properties (pattern/suffix/directory/prefix/fileDateFormat). The injected pattern writes a JSP webshell that executes arbitrary OS commands when called with GET parameters pwd=j and cmd=<command>, returning command output in the HTTP response. After sending the POST, the script waits ~8 seconds, then probes for the webshell at (1) <target_url>/<shell_name>.jsp and (2) <scheme>://<netloc>/<shell_name>.jsp, and if found, provides an interactive loop to run commands. No external C2 infrastructure is embedded; all interaction is direct HTTP(S) to the target. The script disables TLS warnings and uses verify=False, indicating it will work against HTTPS targets with invalid certificates.
Repository contains a single Python exploit script and a descriptive README for CVE-2022-22965 (Spring4Shell). The exploit (spring4shell.py) performs a network-based RCE attack by sending an HTTP POST with specially crafted Spring data-binding parameters that target Tomcat internals (class.module.classLoader.resources.context.parent.pipeline.first.*). The parameters set a JSP payload as the logging/pipeline pattern and configure prefix/suffix/directory so Tomcat writes a webshell file into webapps/ROOT with a chosen name (default: tomcatwar.jsp). After a short delay, the script probes the expected webshell URL and, on success, provides an interactive loop that executes arbitrary commands via GET parameters (pwd=j, cmd=<command>). No hardcoded C2 infrastructure is present; all targeting is user-supplied via -u/--url. Structure: README.md (background, affected versions/conditions, mitigation) and spring4shell.py (entry point with argparse, exploit() to plant shell, interactive_shell() to run commands).
This repository is a Spring4Shell (CVE-2022-22965) research/PoC lab that stands up a deliberately vulnerable Spring Boot 2.6.5 (Spring Framework 5.3.17) application packaged as a WAR for Tomcat. The core vulnerable surface is a single Spring MVC controller endpoint POST /vulnerability/greeting that accepts a POJO (Greeting) without explicit binder restrictions, enabling malicious parameter paths like class.module.classLoader.* in vulnerable environments (JDK 9+). Repository structure: - pom.xml: Maven build for a WAR; spring-boot-starter-tomcat is provided-scope to encourage external Tomcat deployment (required for the classic AccessLogValve webshell-write technique). - src/main/java/com/nextcorp/Spring4ShellApplication.java: Spring Boot entry point with SpringBootServletInitializer for WAR deployment. - src/main/java/com/nextcorp/VulnController.java: Defines the vulnerable POST mapping and the Greeting POJO used for DataBinding. - src/main/resources/application.properties: Sets server.port=8080 and enables DEBUG logging for Spring web. - src/main/resources/static/index.html: A dashboard UI that can “ping” the vulnerable endpoint with a benign POST; it does not deliver the exploit payload. - README.md and TESTING.md: Documentation explaining the vulnerability mechanics and providing Burp Suite payloads. TESTING.md includes (1) a probe request to check if class.* binding is allowed and (2) an exploit request that reconfigures Tomcat’s AccessLogValve (pipeline.first.*) to write a JSP webshell (shell.jsp) into webapps/ROOT, then (3) a verification GET to execute commands via cmd parameter. Overall purpose: provide a controlled environment to reproduce and understand Spring4Shell’s DataBinder-based property traversal and the Tomcat AccessLogValve-based JSP webshell drop leading to RCE. The repo itself does not include an automated exploit script; exploitation is performed manually using the documented HTTP requests (Burp/curl).
This repository contains a single C language exploit (CVE-2022-22965.c) targeting the Spring4Shell (CVE-2022-22965) vulnerability in the Spring Framework. The exploit is interactive and guides the user through providing a target URL and desired webshell filename. It crafts a malicious HTTP POST request to the target, exploiting the vulnerability to write a JSP webshell into the Tomcat webapps/ROOT directory. Once the webshell is deployed, the exploit provides an interactive shell interface, allowing the user to send arbitrary system commands to the target via HTTP requests to the webshell. The code uses 'curl' for HTTP requests and stores responses in a temporary file. The repository also includes a LICENSE file (MIT) and a placeholder README.md. The exploit is operational, providing a working attack chain from vulnerability exploitation to post-exploitation command execution.
This repository contains a Python exploit script (CVE-2022-22965.py) and a README.md for CVE-2022-22965, also known as Spring4Shell. The exploit targets vulnerable Spring Framework applications running on JDK 9+ and Apache Tomcat, deployed as WAR packages. The script abuses class loader log configuration to write a JSP webshell to the server, enabling remote command execution via HTTP requests. The README provides usage instructions, affected versions, and an example of successful exploitation, including the URL to access the uploaded shell. The repository is operational, providing a working exploit and not just a proof of concept.
This repository is a Proof-of-Concept (PoC) environment for the Spring4Shell (CVE-2022-22965) vulnerability, targeting Spring Framework Core (via Spring Boot 2.6.5) on Java 11+ and Tomcat. The structure includes Java source files for a minimal vulnerable web application, configuration files, and documentation. The main exploit vector is the /vulnerability/greeting HTTP POST endpoint, which binds request parameters to a POJO using Spring's DataBinder. By sending crafted parameters (e.g., class.module.classLoader...), an attacker can manipulate Tomcat's AccessLogValve to write a JSP webshell (shell.jsp) to the web root. The PoC demonstrates both the vulnerability probe and the full RCE chain, including webshell upload and command execution. The exploit requires deployment as a WAR on an external Tomcat server (not embedded). The repository is well-documented, with step-by-step testing instructions and mitigation advice.
This repository contains a C-language exploit for CVE-2022-22965 (Spring4Shell), a critical remote code execution vulnerability in the Spring Framework when deployed on Apache Tomcat with JDK 9+. The repository consists of three files: a LICENSE, a detailed README.md, and the main exploit code in main.c. The exploit is interactive and guides the user through entering a target URL and desired webshell filename. It crafts a malicious POST request to the target, exploiting Spring's class loader manipulation to write a JSP webshell to the Tomcat webapps/ROOT directory. The webshell is then accessed via HTTP, allowing the attacker to execute arbitrary system commands by sending requests to the deployed JSP file with a password-protected 'cmd' parameter. The exploit provides an interactive shell-like interface for command execution. The code is operational and not just a proof-of-concept, as it automates both exploitation and post-exploitation (webshell interaction). The main attack vector is network-based, targeting HTTP(S) endpoints of vulnerable Spring applications. The repository is standalone and not part of a larger framework.
This repository is a Python-based automated exploitation framework targeting the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Framework. The main entry point is 'ghoststrike.py', which takes user-supplied arguments for the target URL, attacker's IP (LHOST), and port (LPORT). It sets up a netcat listener on the attacker's machine and invokes the Spring4Shell exploit module ('modules/spring4shell.py'). The exploit attempts to trigger remote code execution on the target by sending a specially crafted HTTP POST request with headers designed to exploit the vulnerability, resulting in a reverse shell connection back to the attacker. The 'payloads/generate_webshell.py' script can generate a Java-based webshell payload for more advanced exploitation, encoding a Java reverse shell class as base64. The repository is modular and designed for future expansion to other exploits. No hardcoded endpoints are present; all targets and callback addresses are user-supplied at runtime. The exploit is operational and provides a working reverse shell if the target is vulnerable.
This repository is a proof-of-concept (PoC) for CVE-2022-22965 (Spring4Shell), demonstrating remote code execution on a vulnerable Spring Boot application running on Tomcat. The structure includes Docker and Maven files to build both a vulnerable and a patched version of the application, with the vulnerable version using Spring Boot 2.6.3 (Spring Framework 5.3.15) and the patched version using Spring Boot 2.6.6 (Spring Framework 5.3.18). The main exploit logic is in 'exploit.py', a Python script that abuses the Spring4Shell vulnerability by manipulating Tomcat's logging configuration via HTTP POST requests to the /helloworld/greeting endpoint. This results in a JSP web shell (shell.jsp) being written to the server, which can then be accessed to execute arbitrary system commands via the 'cmd' parameter. The repository includes all necessary files to build and run the demo environments using Docker Compose, and provides clear instructions in the README. The exploit is operational, providing a working web shell if the target is vulnerable, and is not just a detection script.
This repository provides a proof-of-concept (POC) exploit for the Spring4Shell vulnerability (CVE-2022-22965), targeting vulnerable Java applications running the Spring Framework. The repository contains two main exploit scripts: 'spring4shell.py' (Python) and 'spring4shell.sh' (Bash). Both scripts exploit the vulnerability by sending a specially crafted HTTP POST request to the target, which results in the upload of a JSP webshell to the server's webapps directory. The webshell allows remote command execution via HTTP requests, protected by a password parameter. The Python script allows customization of the shell filename, password, and directory, while the Bash script uses hardcoded values and demonstrates usage with curl and browser access. The exploit requires the target to be accessible over the network and running a vulnerable configuration. No detection scripts are present; both scripts are operational exploits that provide remote code execution capabilities.
This repository provides a Python exploit script targeting the Spring Framework remote code execution vulnerability CVE-2022-22965 (also known as Spring4Shell). The main exploit file, 'SpringFramework_CVE-2022-22965_RCE.py', sends a crafted HTTP POST request to a vulnerable Spring application, exploiting classLoader manipulation to write a JSP webshell ('Shell.jsp') to the server's webapps/ROOT directory. Once the webshell is deployed, the script accesses it via HTTP GET requests, allowing the attacker to execute arbitrary system commands on the target server. The README.md provides usage instructions, including example commands and a Docker environment for testing. The exploit is operational, providing a working payload (webshell) and command execution capability, but is not part of a larger framework. The only code file is in Python, and the attack vector is network-based, requiring HTTP access to the vulnerable application.
This repository contains a Python GUI exploit tool targeting CVE-2022-22965 (Spring4Shell), a critical remote code execution vulnerability in the Spring Framework. The main file, 'spring-core-rce.py', provides a Tkinter-based interface where the user can input a target URL and a system command. Upon execution, the tool sends a specially crafted HTTP POST request to the target, exploiting the vulnerability to write a JSP webshell ('temper.jsp') into the webapps/ROOT directory of the server. The tool then accesses this webshell via an HTTP GET request, passing the command to be executed. The result is displayed in the GUI. The exploit is operational and provides remote command execution capabilities. The README is minimal and mostly informational, with no additional code. No hardcoded IPs or domains are present; the user supplies the target URL. The exploit is not part of a framework and is a standalone proof-of-concept with a functional payload.
This repository is a Go-based exploit tool targeting the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Core framework. The main exploit logic resides in 'main.go', which provides command-line options to show vulnerability information, verify if a target is vulnerable, and exploit the vulnerability to achieve remote code execution. The tool accepts targets via command-line arguments, files, or standard input, and supports concurrent execution using goroutines. The README provides usage examples, including how to verify and exploit a target, and notes that the default file upload path is 'webapps/ROOT/'. The exploit works by sending crafted HTTP requests to manipulate the class loader and upload a web shell or execute arbitrary code. The repository is structured with standard Go project files and CI/CD configuration, with 'main.go' as the sole code file implementing the exploit logic. The tool is operational and can be used to test or exploit vulnerable Spring Core instances running on JDK 9.0 or above.
This repository is a Python-based exploit tool targeting the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Framework. The main script, 'spring_rce.py', automates the exploitation process against multiple targets listed in a file (e.g., 'test.txt'). It verifies which endpoints are alive, then attempts to exploit them by uploading a password-protected JSP webshell to the server's webapps/ROOT directory. The tool randomizes the shell name and password for each attempt, and if successful, prints the shell URL and password. The exploit is designed for batch operation, using a thread pool to process multiple targets efficiently. The payload is compatible with Behinder 3.0 Beta9 for post-exploitation control. The repository includes a README with usage instructions, a requirements.txt for dependencies, and a sample target list. No detection-only scripts are present; the code is a functional exploit with operational payload delivery.
This repository contains a Python exploit script (exp.py) and a README.md for CVE-2022-22965, a critical remote code execution vulnerability in the Spring Framework (Spring4Shell). The exploit targets applications running on JDK 9+ with a vulnerable Spring Core version and a Tomcat backend. The script works by abusing class loader log configuration to write a JSP web shell to the target's web directory. Once deployed, the shell allows arbitrary command execution via HTTP requests (e.g., http://target/shell.jsp?cmd=whoami). The README provides background, setup instructions (including a Docker-based vulnerable environment), and mitigation advice. The exploit is operational, providing a working web shell payload, and is not part of a larger framework. The main entry point is exp.py, which takes the target URL and optional file/directory arguments for shell placement.
This repository provides a full proof-of-concept (PoC) exploit for the Spring4Shell vulnerability (CVE-2022-22965), targeting vulnerable Spring Core applications running on Tomcat 9.0.59. The repository includes a simple Java Spring Boot web application (source in src/main/java), a Dockerfile to build and run the vulnerable environment, and a Python script (exploit.py) that automates exploitation. The exploit works by abusing the vulnerable application's ability to modify Tomcat's logging configuration via HTTP POST requests, causing Tomcat to write a malicious JSP web shell to the webapps directory. The attacker can then access this shell via HTTP and execute arbitrary commands using the 'cmd' parameter. Key endpoints include the application's greeting form at /helloworld/greeting (used for exploitation) and the resulting web shell at /shell.jsp. The exploit is operational and provides a working web shell if the target is vulnerable and configured as expected. The repository is well-structured, with clear separation between the vulnerable application, exploit code, and supporting files.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2022-22965 (Spring4Shell), targeting vulnerable Spring Boot applications running on Tomcat. The repository provides a complete Dockerized environment to deploy a vulnerable application (Spring Boot 2.6.5, Tomcat 9.0.60, Java 11). The exploit leverages a crafted HTTP request to the '/demo/itsecurityco' endpoint to manipulate Tomcat's internal valve configuration, enabling the writing of arbitrary files to the webapps directory. A second HTTP request to '/demo/x' with a custom header containing JSP code writes a web shell (shell.jsp) to the server. Attackers can then interact with this shell via HTTP requests (e.g., '/shell.jsp?1337=id') to execute arbitrary system commands. The Java source code in the repository is minimal and serves to expose the vulnerable code path. The README provides detailed exploitation steps and references to the vulnerable and patched versions of the Spring Framework. No detection scripts or fake code are present; the repository is a functional PoC exploit.
This repository contains a Python-based exploit for CVE-2022-22965 (Spring4Shell), a critical remote code execution vulnerability in the Spring Framework when deployed on Apache Tomcat. The exploit (exploit.py) sends a specially crafted HTTP POST request to the target server, leveraging classLoader manipulation to write a password-protected JSP webshell to the webapps directory (default: ROOT) of the Tomcat server. The webshell allows remote command execution via HTTP requests, protected by a user-supplied password. The README provides background on the vulnerability, exploitation conditions, and usage instructions. The exploit is operational, requiring the attacker to specify the target URL and optionally the shell filename, password, and upload directory. The main attack vector is network-based, targeting HTTP endpoints on vulnerable Java web servers. The repository is structured with a single exploit script and a README, and does not include detection scripts or fake content.
This repository contains a Python exploit script (exploit.py) targeting the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Framework. The exploit works by sending a specially crafted POST request to a vulnerable server, manipulating class loader properties to write a JSP webshell into the webapps directory of the target (typically running on Apache Tomcat). The script allows the user to specify the target URL, the desired filename for the webshell, a password to protect the shell, and the directory for upload (defaulting to ROOT). If successful, the attacker can access the webshell via HTTP and execute arbitrary system commands by providing the correct password and command parameters. The repository also includes a README with basic usage instructions and a GPLv3 license. The main exploit logic is contained in exploit.py, which is the only code file in the repository.
This repository provides a working proof-of-concept (POC) exploit for the Spring4Shell vulnerability (CVE-2022-22965), targeting Java web applications running on Apache Tomcat with a vulnerable version of the Spring Framework. The main exploit logic is implemented in 'poc.py', a Python script that sends a crafted POST request to a specified URL, exploiting the vulnerability to write a JSP webshell ('tomcatwar.jsp') to the server's web root. Once deployed, the webshell allows remote attackers to execute arbitrary commands via HTTP requests. The repository also includes a Dockerized vulnerable application ('vulnerable-tomcat/') for testing, which is a Spring Boot application packaged as a WAR and deployed on Tomcat. The exploit is operational and demonstrates real-world impact by providing remote code execution capabilities. The main attack vector is network-based, requiring access to the vulnerable web application endpoint. The repository is well-structured, with clear separation between exploit code, vulnerable application, and supporting files.
This repository provides an operational exploit for CVE-2022-22965 (Spring4Shell), targeting vulnerable Java applications running on Tomcat with the Spring Framework. The main exploit script, 'exp.py', is a Python tool that allows the user to: - Test for the vulnerability by writing a test JSP file to the target server and checking for a known string in the response. - Deploy a JSP webshell (Behinder shell) for persistent remote code execution. - Customize the directory and filename for the webshell. - Use a proxy for requests. The exploit works by sending crafted HTTP POST requests to a user-supplied URL, exploiting the Spring Core RCE vulnerability to write a JSP file to the server's webroot. The script supports both detection (non-intrusive) and full exploitation (webshell deployment). The README provides detailed usage instructions, example commands, and environment setup guidance, including Docker-based vulnerable environments for testing. The repository also references related projects and resources for further information.
This repository is a proof-of-concept (PoC) exploit for CVE-2022-22965 (Spring4Shell), demonstrating remote code execution (RCE) on a vulnerable Spring application running on Tomcat with Java 9+. The structure includes a minimal Spring Boot web application with a form endpoint (/greeting), Docker and build files, and an exploit script (exploits/run.sh). The exploit works by sending a specially crafted POST request to the /greeting endpoint, abusing Spring's data binding to manipulate Tomcat's AccessLogValve and write a JSP webshell (rce.jsp) to the webapps directory. The attacker can then access the webshell via HTTP to execute arbitrary code. The repository includes detailed instructions and alternative exploitation methods, and is intended for educational and testing purposes. The main exploit capability is arbitrary file write leading to RCE via a webshell. The endpoints and file paths used in the exploit are clearly documented in the README and exploit script.
This repository is a proof-of-concept exploit for the Spring4Shell vulnerability (CVE-2022-22965), which affects certain versions of the Spring Framework running on JDK 9+ in a Tomcat environment. The repository contains both a vulnerable Java web application (using Spring Boot) and a Python exploit script (exploit.py). The Java application exposes a '/greeting' endpoint, which is used by the exploit to trigger the vulnerability. The exploit.py script sends specially crafted POST requests to the target endpoint, abusing class loader properties to write a JSP webshell (cmd.jsp) to the webapps/ROOT directory of the Tomcat server. Once the webshell is uploaded, the attacker can execute arbitrary system commands by sending HTTP requests to the webshell with the 'cmd' parameter. The repository also includes Docker and Maven configuration files to facilitate building and running the vulnerable application. The main exploit capability is remote code execution via a network-accessible endpoint, resulting in a persistent webshell on the target server.
This repository provides a Python exploit script (spring-core-rce.py) targeting the Spring Framework Core Remote Code Execution vulnerability (CVE-2022-22965, also known as Spring4Shell). The exploit allows both non-destructive vulnerability checking and full exploitation by writing a JSP webshell to the target server. The webshell is password-protected (password: 'k3rwin') and allows remote command execution via HTTP requests, supporting both Linux and Windows targets. The script can operate on a single URL or in batch mode using a file of URLs. The README provides detailed usage instructions, example commands, and references to both local and online vulnerable environments. The main attack vector is network-based, exploiting HTTP endpoints on vulnerable Spring applications. The payload is a JSP webshell written to the target's webapps/ROOT directory. The repository consists of three files: the main exploit script (Python), a requirements.txt for dependencies, and a README with usage and background information.
This repository contains a working proof-of-concept exploit for CVE-2022-22965 (Spring Core RCE, also known as Spring4Shell). The exploit is implemented in Python (exp.py) and targets vulnerable Spring Framework applications running on JDK 9+ (commonly in Tomcat environments). The exploit works by sending a specially crafted HTTP POST request to the target, abusing classLoader properties to write a JSP webshell (tomcatwar.jsp) to the web root directory. Once deployed, the webshell can be accessed via HTTP and allows arbitrary command execution by passing the correct parameters (pwd=j&cmd=...). The README provides detailed usage instructions, including how to set up a vulnerable Docker environment for testing, and demonstrates exploitation steps. The repository is operational and provides a real, working exploit with a functional payload (webshell).
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously disclosed remote code execution vulnerability in Spring mentioned only as historical background.
A remote code execution vulnerability in Spring Framework referenced only as historical background.
A Spring Core remote code execution vulnerability mentioned as historical context and comparison for likely attacker interest in Spring flaws.
A critical Spring remote code execution vulnerability mentioned as historical context in Spring's security history.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.