| 1 | 1 | | # CVE-2022-22965 |
| 2 | 2 | | Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive) |
| 3 | 3 | | |
| | 4 | + | This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE |
| | 5 | + | uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request |
| | 6 | + | looking (400) code as response (NON INTRUSIVE) |
| | 7 | + | |
| | 8 | + | Inspired by: |
| | 9 | + | |
| | 10 | + | @Twitter thread</br> |
| | 11 | + | https://twitter.com/RandoriAttack/status/1509298490106593283 |
| | 12 | + | |
| | 13 | + | @ZAP Scan Rule</br> |
| | 14 | + | https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/ |
| | 15 | + | |
| | 16 | + | Manual inspection: |
| | 17 | + | ```python |
| | 18 | + | # curl -i -s -k -X $'GET' |
| | 19 | + | -H $'Host: <target>' |
| | 20 | + | -H $'User-Agent: alex666' |
| | 21 | + | -H $'Connection: close' |
| | 22 | + | $'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400 |
| | 23 | + | ``` |
| | 24 | + | ```python |
| | 25 | + | # curl -i -s -k -X $'GET' |
| | 26 | + | -H $'Host: <target>' |
| | 27 | + | -H $'User-Agent: alex666' |
| | 28 | + | -H $'Connection: close' |
| | 29 | + | $'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400 |
| | 30 | + | ``` |
| | 31 | + | # References: |
| | 32 | + | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965</br> |
| | 33 | + | https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities</br> |
| | 34 | + | https://github.com/BobTheShoplifter/Spring4Shell-POC</br> |
| | 35 | + | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</br> |
| | 36 | + | https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework</br> |
| | 37 | + | |
| | 38 | + | # Usage |
| | 39 | + | ```python |
| | 40 | + | -- $ nmap -p <port> --script=./CVE-2022-22965.nse <target> |
| | 41 | + | -- |
| | 42 | + | -- @examples: |
| | 43 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn |
| | 44 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn |
| | 45 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn |
| | 46 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace | more |
| | 47 | + | -- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt |
| | 48 | + | -- |
| | 49 | + | ``` |
| | 50 | + | # Output |
| | 51 | + | ```python |
| | 52 | + | -- PORT STATE SERVICE |
| | 53 | + | -- 443/tcp open https |
| | 54 | + | -- | CVE-2022-22965: |
| | 55 | + | -- | VULNERABLE: |
| | 56 | + | -- | Spring Framework 5.2.x 5.3.x RCE |
| | 57 | + | -- | State: VULNERABLE (Exploitable) |
| | 58 | + | -- | IDs: CVE:CVE-2022-22965 |
| | 59 | + | -- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable |
| | 60 | + | -- | to remote code execution (RCE) via data binding. |
| | 61 | + | -- | Disclosure date: 2022-03-31 |
| | 62 | + | -- | References: |
| | 63 | + | -- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965 |
| | 64 | + | |
| | 65 | + | ``` |
| | 66 | + | ## Payload 1: Spring Framework RCE found! |
| | 67 | + | <img src="https://user-images.githubusercontent.com/3140111/162096857-8b29e020-4f8e-448d-8694-7cd7b2e0cfcf.png" width="800"> |
| | 68 | + | |
| | 69 | + | ## Payload 2: Spring Framework RCE found! |
| | 70 | + | <img src="https://user-images.githubusercontent.com/3140111/162097169-2ad3efac-935a-4caa-8ea4-5068d2ae1c15.png" width="800"> |
| | 71 | + | |
| | 72 | + | # Author |
| | 73 | + | Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em> |
| | 74 | + | |
| | 75 | + | |
| | 76 | + | |
