1 | 1 | | # CVE-2022-22965 |
2 | 2 | | Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive) |
3 | 3 | | |
| 4 | + | This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE |
| 5 | + | uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request |
| 6 | + | looking (400) code as response (NON INTRUSIVE) |
| 7 | + | |
| 8 | + | Inspired by: |
| 9 | + | |
| 10 | + | @Twitter thread</br> |
| 11 | + | https://twitter.com/RandoriAttack/status/1509298490106593283 |
| 12 | + | |
| 13 | + | @ZAP Scan Rule</br> |
| 14 | + | https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/ |
| 15 | + | |
| 16 | + | Manual inspection: |
| 17 | + | ```python |
| 18 | + | # curl -i -s -k -X $'GET' |
| 19 | + | -H $'Host: <target>' |
| 20 | + | -H $'User-Agent: alex666' |
| 21 | + | -H $'Connection: close' |
| 22 | + | $'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400 |
| 23 | + | ``` |
| 24 | + | ```python |
| 25 | + | # curl -i -s -k -X $'GET' |
| 26 | + | -H $'Host: <target>' |
| 27 | + | -H $'User-Agent: alex666' |
| 28 | + | -H $'Connection: close' |
| 29 | + | $'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400 |
| 30 | + | ``` |
| 31 | + | # References: |
| 32 | + | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965</br> |
| 33 | + | https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities</br> |
| 34 | + | https://github.com/BobTheShoplifter/Spring4Shell-POC</br> |
| 35 | + | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</br> |
| 36 | + | https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework</br> |
| 37 | + | |
| 38 | + | # Usage |
| 39 | + | ```python |
| 40 | + | -- $ nmap -p <port> --script=./CVE-2022-22965.nse <target> |
| 41 | + | -- |
| 42 | + | -- @examples: |
| 43 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn |
| 44 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn |
| 45 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn |
| 46 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace | more |
| 47 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt |
| 48 | + | -- |
| 49 | + | ``` |
| 50 | + | # Output |
| 51 | + | ```python |
| 52 | + | -- PORT STATE SERVICE |
| 53 | + | -- 443/tcp open https |
| 54 | + | -- | CVE-2022-22965: |
| 55 | + | -- | VULNERABLE: |
| 56 | + | -- | Spring Framework 5.2.x 5.3.x RCE |
| 57 | + | -- | State: VULNERABLE (Exploitable) |
| 58 | + | -- | IDs: CVE:CVE-2022-22965 |
| 59 | + | -- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable |
| 60 | + | -- | to remote code execution (RCE) via data binding. |
| 61 | + | -- | Disclosure date: 2022-03-31 |
| 62 | + | -- | References: |
| 63 | + | -- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965 |
| 64 | + | |
| 65 | + | ``` |
| 66 | + | ## Payload 1: Spring Framework RCE found! |
| 67 | + | <img src="https://user-images.githubusercontent.com/3140111/162096857-8b29e020-4f8e-448d-8694-7cd7b2e0cfcf.png" width="800"> |
| 68 | + | |
| 69 | + | ## Payload 2: Spring Framework RCE found! |
| 70 | + | <img src="https://user-images.githubusercontent.com/3140111/162097169-2ad3efac-935a-4caa-8ea4-5068d2ae1c15.png" width="800"> |
| 71 | + | |
| 72 | + | # Author |
| 73 | + | Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em> |
| 74 | + | |
| 75 | + | |
| 76 | + | |
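Review bot: the two "Manual inspection" curl commands (lines 17-30 of the README) do not run as pasted: each command is split over several lines with no trailing backslash continuations, so only the first line is executed, and that first line begins with `#`, which comments it out; both blocks are also fenced as ```python although they are shell. Suggest a ```bash fence with continuations, e.g. `curl -i -s -k -X GET \`, `-H 'Host: <target>' \`, `'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400` (the `$'...'` quoting adds nothing here). The same fence mismatch applies to the Usage and Output blocks, which are NSE `--` comment text rather than Python, and `</br>` is not a valid tag (use `<br>`). On the detection logic, `grep -i 400` matches any occurrence of "400" anywhere in the response (headers and body), not only the status line, and a 400 status on its own is a heuristic: other frameworks and WAFs also reject unexpected query parameters with 400, so the README should state that a hit is a possible indicator rather than confirmation, mention checking the Spring and JDK versions before concluding, and match the status line itself (e.g. `grep -i '^HTTP/.* 400'`). Minor: "This script looks the existence of" should read "This script checks for the existence of", and "looking (400) code as response" should read "and looks for a 400 status code in the response".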