Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Spring4Shell: The zero-day RCE in the Spring Framework explained

Brian Vermeer - Snyk, posted 3 years ago
  • Spring4Shell is a vulnerability in the Spring Framework that is similar to Log4Shell. This article explains why this new vulnerability occurs.
  • When a controller is used to map a request (@PostMapping("/myroute")) it will attempt to transform the request parameters into a Plain Old Java Object (POJO).
  • Spring uses serialization under the hood to map these values to a Java object. As a result, it is possible to set other values, including properties of a class.
  • By exploiting the use of serialization on arbitrary objects, Java classes can be loaded to execute arbitrary Java. In particular, the authors write a simple .jsp file to output HACKED.
  • Of course, if this can be done, then a complete reverse shell can be added as well. The original proof of concept uses Tomcat but there are likely other ways to abuse this. According to JFrog, the exploit uses Tomcat's AccessLogValve to write arbitrary content to an arbitrary file.
  • Overall, crazy & bad vulnerability with awesome stuff going on. The bug seemed fake at first but it really is the second-coming of Log4Shell!
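To make the data-binding point concrete from the defender's side, here is an added example (my own code, not from the Snyk article or the Spring project): a minimal controller that binds request parameters onto a POJO exactly as the bullets describe, together with the global `WebDataBinder` hardening that Spring published as a workaround, which refuses to bind any parameter path that reaches a `class`/`Class` property. The package, class and route names are hypothetical; the real fix is upgrading to a patched Spring Framework release, and this binder rule is only a stop-gap for deployments that cannot upgrade immediately.

```java
// Added example (not from the Snyk article or the Spring project).
// Package, class and route names are hypothetical.
package example.hardening;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Plain Old Java Object that Spring populates from request parameters
// such as name=Alice via its property setters.
class Greeting {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}

@RestController
class GreetingController {
    // Data binding walks nested properties of the target object; the
    // article describes that traversal being abused to reach properties
    // the developer never intended to expose.
    @PostMapping("/myroute")
    public String greet(Greeting greeting) {
        return "Hello, " + greeting.getName();
    }
}

// Applies to every controller in the application: any bound field whose
// property path contains class/Class at any depth is rejected before the
// binder touches the target object.
@ControllerAdvice
class BinderHardening {
    @InitBinder
    public void disallowClassProperties(WebDataBinder binder) {
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}
```

In practice the `@ControllerAdvice` rule is what you want, because a per-controller `@InitBinder` is easy to forget on the one endpoint that matters; pair it with an upgrade of the framework and, as the JFrog note above implies, review any Tomcat access-log or other file-writing configuration that can be reached through bound properties.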