Better Spring4Shell detection logic #650

Merged
copybara-service[bot] merged 12 commits into google:master from doyensec:spring4shell_detection_2
Aug 4, 2025

@savio-doyensec
Contributor

Hello!

This PR implements better detection logic for the Spring4Shell (CVE-2022-22965) vulnerability.

Also added a testbed here: google/security-testbeds#121

(Original PR here closed due to conflicts)

Details

Previously, the detector checked the response of two HTTP requests to determine whether a target was vulnerable, but this led to false positives.

The new implementation still uses the old logic as a preliminary check to find potentially vulnerable pages, on which the full exploit is then attempted. The exploit consists of changing the log configuration in order to drop a .jsp file in Tomcat's ROOT webapp directory.

The dropped .jsp has a randomized name and simply prints out a string generated using Tsunami's PayloadGenerator. There is also some extra code which makes the script self-delete when visited with the delete=1 URL parameter.

After dropping the .jsp file, the log configuration is also set to point to /dev/null, in order to prevent more files from being accidentally created and left on the server.
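
The two-stage decision flow from the description above, as an added sketch that is not code from this PR or from Tsunami. `SimulatedTarget`, `old_detect` and `new_detect` are hypothetical names, and the target is a constructed in-memory model, so nothing is sent over the network.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SimulatedTarget:
    """Constructed in-memory stand-in for a scanned host (hypothetical, no network I/O)."""
    heuristic_hit: bool   # answers the two preliminary requests like a vulnerable app
    writable: bool        # the log-configuration change really writes a file
    files: dict = field(default_factory=dict)
    log_sink: str = "default"

    def preliminary_probe(self) -> bool:
        return self.heuristic_hit

    def drop_file(self, name: str, body: str) -> None:
        if self.writable:
            self.files[name] = body

    def set_log_sink(self, sink: str) -> None:
        if self.writable:
            self.log_sink = sink

    def fetch(self, name: str, delete: bool = False):
        body = self.files.get(name)
        if body is not None and delete:
            del self.files[name]   # models the delete=1 self-removal
        return body

def old_detect(target: SimulatedTarget) -> bool:
    """Previous behaviour: the response heuristic alone decides."""
    return target.preliminary_probe()

def new_detect(target: SimulatedTarget) -> bool:
    """New behaviour: the heuristic selects candidates, a read-back confirms."""
    if not target.preliminary_probe():
        return False
    name = secrets.token_hex(8) + ".jsp"   # randomized file name
    token = secrets.token_hex(16)          # stands in for the PayloadGenerator string
    target.drop_file(name, token)
    target.set_log_sink("/dev/null")       # stop further files from being created
    confirmed = target.fetch(name) == token
    if confirmed:
        target.fetch(name, delete=True)    # clean up the dropped file
    return confirmed
```

A target that only matches the response heuristic is reported by `old_detect` but not by `new_detect`, and a confirmed target ends with no leftover file.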

@maoning
Collaborator

maoning commented Jul 25, 2025

@savio-doyensec could you rebase the branch again (there's still a conflict), or could you add @tooryx and me to your org so that we have edit access to your branch?

@savio-doyensec
Contributor Author

Hey @maoning, it should be fixed now. I'll check with the team on Monday about adding you guys to the repo, but I think it's a good idea.

@copybara-service copybara-service bot merged commit fa72e44 into google:master Aug 4, 2025
4 checks passed
4 participants