| skipped 1 lines |
2 | 2 | | Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability |
3 | 3 | | |
4 | 4 | | This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE |
5 | | - | uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request |
| 5 | + | uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request |
6 | 6 | | looking (400) code as response (NON INTRUSIVE) |
7 | 7 | | |
8 | 8 | | Inspired by: |
| skipped 16 lines |
25 | 25 | | -H $'Host: <target>' |
26 | 26 | | -H $'User-Agent: alex666' |
27 | 27 | | -H $'Connection: close' |
28 | | - | $'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400 |
| 28 | + | $'https://<target>/path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400 |
29 | 29 | | |
30 | 30 | | References: |
31 | 31 | | https://github.com/alt3kx/CVE-2022-22965 |
| skipped 6 lines |
38 | 38 | | |
39 | 39 | | --- |
40 | 40 | | -- @usage |
41 | | - | -- nmap -p <port> --script=./CVE-2022-22965.nse <target> |
| 41 | + | -- nmap -p <port> --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=<PATH>,CVE-2022-22965.method=<HTTP METHOD>'] <target> |
| 42 | + | -- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: <code>/</code>). |
| 43 | + | -- @args CVE-2022-22965.method HTTP request method to use (default: <code>GET</code>). |
42 | 44 | | -- |
43 | 45 | | -- @examples: |
44 | 46 | | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn |
45 | | - | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn |
46 | | - | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn |
47 | | - | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace | more |
48 | | - | -- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt |
| 47 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn |
| 48 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn |
| 49 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more |
| 50 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt |
49 | 51 | | -- |
50 | 52 | | -- @output |
51 | 53 | | -- PORT STATE SERVICE |
| skipped 30 lines |
82 | 84 | | --Payloads: |
83 | 85 | | --GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense" |
84 | 86 | | --GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0" |
85 | | - | local S4S_CHECKER_URI = "/?class.module.classLoader.URLs%5B0%5D=0" |
| 87 | + | local S4S_PAYLOAD = "class.module.classLoader.definedPackages%5B0%5D=0" |
86 | 88 | | |
87 | 89 | | action = function(host, port) |
88 | 90 | | |
| skipped 16 lines |
105 | 107 | | |
106 | 108 | | local report = vulns.Report:new(SCRIPT_NAME, host, port) |
107 | 109 | | |
108 | | - | uri = stdnse.get_script_args("CVE-2022-22965.uri") or S4S_CHECKER_URI |
109 | | - | evil_uri = uri..S4S_CHECKER_URI |
110 | | - | |
111 | | - | local options = {header={}} |
112 | | - | |
113 | | - | options['header']['User-Agent'] = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0" |
114 | | - | |
115 | | - | local response = http.get(host, port, evil_uri, { header = { ["Content-Type"] = "application/x-www-form-urlencoded"}}) |
| 110 | + | local method = string.upper(stdnse.get_script_args("CVE-2022-22965.method") or "GET") |
| 111 | + | local path = stdnse.get_script_args("CVE-2022-22965.path") or "/" |
| 112 | + | local options = {header={["Content-Type"]="application/x-www-form-urlencoded"}} |
| 113 | + | if method == "GET" then |
| 114 | + | path = path .. "?" .. S4S_PAYLOAD |
| 115 | + | else |
| 116 | + | options["content"] = S4S_PAYLOAD |
| 117 | + | end |
| 118 | + | local response = http.generic_request(host, port, method, path, options) |
116 | 119 | | |
117 | 120 | | if response.status and response.body then |
118 | 121 | | |
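Review bot: The GET branch joins the probe onto the user-supplied path with a bare `"?"`, so a `CVE-2022-22965.path` value that already carries a query string produces two `?` and the probe parameter is no longer parsed as a request parameter, turning a vulnerable host into a false negative; pick the separator from the path instead, `local sep = path:find("?", 1, true) and "&" or "?"` followed by `path = path .. sep .. S4S_PAYLOAD`. The `method` argument is upper-cased but otherwise unchecked, so any value other than GET or POST still sends the payload as a request body and the 400-based verdict below becomes meaningless for that method; a one-line guard that falls back to GET (or returns nil with a debug message) for anything except GET and POST would keep the result interpretable. The `--Payloads:` comment block just above the new `S4S_PAYLOAD` constant still documents the old `URLs` and `DefaultAssertionStatus` checkers and should be reworded to describe the `definedPackages` probe that the constant now holds. `action` starts before and continues past this hunk.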
| skipped 30 lines |