EXH-021 (2022). Fictional reconstruction.
class.module.classLoader
March 2022. A bad commit from 2010 meets Spring MVC on Tomcat 9 + JDK 9+. Query parameters become write primitives under the right classpath layout.
Type: Modern / Cloud
Difficulty: Advanced
Era: 2020s
Time: 9 min
Briefing: Spring4Shell in this museum is read-only text. Real exploits bind Tomcat listeners; here you are documenting artefacts.
Your role: AppSec engineer validating WAF logs the week CVE-2022-22965 went CVSS 9.8.
Objective: Identify the tell-tale query-parameter gadgetry in an access log without running a PoC.
Terminal environment
- user: appsec
- host: tomcat-sandbox
- cwd: /tomcat/spring4shell-lab
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.