POC details: ee49aa6334999c80ab800343a488e196dbba533b

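Source
Related vulnerability
Title: Spring Framework code injection vulnerability (CVE-2022-22965)
Description: Spring Framework is an open-source Java and Java EE application framework from the US-based Spring team. The framework helps developers build high-quality applications. Spring Framework contains a code injection vulnerability that stems from remote code execution (RCE) through data binding on JDK 9+. The following products and versions are affected: 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19; older, unsupported versions are also affected.
Description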
POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit
Introduction
<h1 align="center"> Project Spring4Shell (CVE-2022-22965) Blocker </h1>


## Firewall Server Handler
This project is a proof-of-concept (POC) firewall server designed to detect and block attacks exploiting the CVE-2022-22965 vulnerability, commonly known as Spring4Shell. The server inspects incoming HTTP requests and blocks any that match known malicious patterns associated with this vulnerability.

## Overview

The Firewall Server Handler is a simple Python-based HTTP server, built using the http.server library. It monitors incoming HTTP POST requests, looking for specific headers and payload patterns associated with the Spring4Shell vulnerability. If a request matches these patterns, it is blocked, and the server responds with a 403 Forbidden status.

## Requirements

- Python 3.x

## Setup and Usage

1. Clone the Repository
   ```bash
   git clone https://github.com/BlackBird63030/Block-Spring4Shell
   cd Block-Spring4Shell
   ```

2. Run the Server
   ```bash
   python frs.py
   ```
   By default, the server will run on localhost at port 8000.

3. Test the Firewall Rule
   - To test, use the tnt.py script, which simulates the attack by making 5 connections.

## Blocking Rules

This POC uses two main rules to detect and block CVE-2022-22965 exploit attempts:

1. Rule 1: Blocking Payload Pattern
   - Detects requests containing the payload pattern class.module.classLoader.resources.context.parent.pipeline.first, which is used in Spring4Shell exploits to inject malicious Java code.

2. Rule 2: Blocking Suspicious Headers
   - Blocks requests with specific headers characteristic of Spring4Shell attack payloads:
     - suffix: %>//
     - C1: Runtime
     - C2: <%
     - DNT: 1
     - Content-Type: application/x-www-form-urlencoded

If either rule matches, the server responds with a 403 Forbidden status and returns a JSON message:
```json
{"error": "Forbidden Access"}
```

If no conditions are met, the server responds with 200 OK and:
```json
{"message": "Request received"}
```
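
The two rules above as standalone matching logic. This is an added example, not the project's frs.py. It goes beyond the README by percent-decoding the body before matching. It assumes Rule 2 fires only when every listed header matches, and the sample bodies are constructed:

```python
from urllib.parse import unquote_plus

# Rule 1 marker, as listed in this README.
PAYLOAD_MARKER = "class.module.classLoader.resources.context.parent.pipeline.first"

# Rule 2 header values, as listed in this README (names lowercased for lookup).
SUSPICIOUS_HEADERS = {
    "suffix": "%>//",
    "c1": "Runtime",
    "c2": "<%",
    "dnt": "1",
    "content-type": "application/x-www-form-urlencoded",
}

def normalize_body(body: bytes, max_rounds: int = 3) -> str:
    """Percent-decode up to max_rounds times so an encoded marker is visible."""
    text = body.decode("utf-8", errors="replace")
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def rule_1(body: bytes) -> bool:
    """Rule 1: the marker appears in the decoded request body."""
    return PAYLOAD_MARKER in normalize_body(body)

def rule_2(headers: dict) -> bool:
    """Rule 2 (assumption: every listed header must be present and match)."""
    seen = {name.lower(): value.strip() for name, value in headers.items()}
    # Ignore case and parameters such as "; charset=UTF-8" on Content-Type.
    ctype = seen.get("content-type", "")
    seen["content-type"] = ctype.split(";")[0].strip().lower()
    return all(seen.get(k) == v for k, v in SUSPICIOUS_HEADERS.items())

def evaluate(headers: dict, body: bytes):
    """Return the (status, JSON body) pair this README describes."""
    if rule_1(body) or rule_2(headers):
        return 403, {"error": "Forbidden Access"}
    return 200, {"message": "Request received"}

# Constructed sample bodies: the marker with a placeholder value, plain and
# with its dots percent-encoded once and twice.
SAMPLE_PLAIN = (PAYLOAD_MARKER + "=placeholder").encode()
SAMPLE_ENCODED = SAMPLE_PLAIN.replace(b".", b"%2E")
SAMPLE_DOUBLE = SAMPLE_PLAIN.replace(b".", b"%252E")
```

A literal substring check on the raw body would miss `SAMPLE_ENCODED` and `SAMPLE_DOUBLE`; decoding before matching is what catches them.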

## Code Structure

- ServerHandler: The main class handling HTTP requests.
  - block_request(): Sends a 403 response when a request is blocked.
  - rule_1(): Checks the payload for patterns associated with CVE-2022-22965.
  - rule_2(): Checks for specific headers known to be part of Spring4Shell exploits.
  - do_GET() and do_POST(): Process incoming GET and POST requests, applying the firewall rules.

## Example

To test the firewall, use the tnt.py script. It sends 5 POST requests to the firewall script:
```bash
python tnt.py
```

The server will respond with:
```json
{"error": "Forbidden Access"}
```

## Purpose

This POC is intended for educational and testing purposes to demonstrate a basic firewall rule that blocks specific attack vectors targeting the Spring4Shell vulnerability. It is not a substitute for a comprehensive firewall solution in production environments.

## License

MIT License

File snapshot

```
[4.0K] /data/pocs/ee49aa6334999c80ab800343a488e196dbba533b
├── [2.3K] frs.py
├── [1.0K] LICENSE
├── [2.8K] README.md
└── [1.8K] tnt.py

0 directories, 4 files
```