Projects STRLCPY CVE-2022-22965 Commits ec14ea7e
  • fix test payload and support other HTTP methods

    As others in the Twitter thread referenced in the README have also
    noted, the original test payload that uses
    `class.module.classLoader.URLs` is prone to false negatives because not
    every classloader implementation has a `getURLs()` method.
    
    While several alternative test payloads have been suggested, this PR
    uses `class.module.classLoader.definedPackages%5B0%5D=0` because the
    `getDefinedPackages()` method was added to the ClassLoader API in JDK 9
    (so it’s another strong signal of vulnerability, and less likely to
    cause false positives) and the method is `final`, so custom classloader
    implementations can not change its behavior in a way that would cause
    false positives or negatives.
    
    This PR also fixes a bug when no `CVE-2022-22965.uri` script argument
    was provided and adds support for testing with other HTTP request
    methods including POST. The `CVE-2022-22965.uri` argument is renamed to
    `CVE-2022-22965.path` for clarity, and a new optional
    `CVE-2022-22965.method` argument is added, which can be set to change
    the HTTP request method from `GET` (the default) to another valid method
    (e.g. `POST`, `PUT`, etc.).
  • Milo Minderbinder committed 2 years ago
    ec14ea7e
    1 parent e608ad41
    CVE-2022-22965.nse
    skipped 1 lines
    2 2  Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability
    3 3   
    4 4  This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
    5  -uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request
     5 +uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
    6 6  looking (400) code as response (NON INTRUSIVE)
    7 7   
    8 8  Inspired by:
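Review bot: the description at line 4 still reads "This script looks the existence of", and line 5 still says the payload is sent "through a GET request" even though this commit adds a CVE-2022-22965.method argument; suggest "This script checks for the existence of CVE-2022-22965 ..." and "sends the payload as a GET query string, or as a form-encoded request body when CVE-2022-22965.method is set to another method" so the header matches the new behaviour.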
    skipped 16 lines
    25 25  -H $'Host: <target>'
    26 26  -H $'User-Agent: alex666'
    27 27  -H $'Connection: close'
    28  -$'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400
     28 +$'https://<target>/path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
    29 29   
    30 30  References:
    31 31  https://github.com/alt3kx/CVE-2022-22965
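Review bot: the curl reproduction at line 28 only covers the GET form of the probe, while the script now also sends the same payload as a form-encoded body for other methods; add a second curl line for the POST case (for example `-X POST --data 'class.module.classLoader.definedPackages%5B0%5D=0'` against `https://<target>/path/foo/`) so a reader can reproduce that path by hand as well.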
    skipped 6 lines
    38 38   
    39 39  ---
    40 40  -- @usage
    41  --- nmap -p <port> --script=./CVE-2022-22965.nse <target>
     41 +-- nmap -p <port> --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=<PATH>,CVE-2022-22965.method=<HTTP METHOD>'] <target>
     42 +-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: <code>/</code>).
     43 +-- @args CVE-2022-22965.method HTTP request method to use (default: <code>GET</code>).
    42 44  --
    43 45  -- @examples:
    44 46  -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn
    45  --- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn
    46  --- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn
    47  --- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace | more
    48  --- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt
     47 +-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
     48 +-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
     49 +-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
     50 +-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
    49 51  --
    50 52  -- @output
    51 53  -- PORT STATE SERVICE
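Review bot: the examples at lines 47-50 mix two quoting styles (`--script-args 'CVE-2022-22965.path="/path/to/test"'` on 47-48 versus `--script-args=CVE-2022-22965.path="/examples/"` on 49-50); pick one so the examples copy-paste consistently. The @args text at line 43 should also say that the method value is case-insensitive, since the action uppercases it. Finally, the removed example with path `"/..;/"` was the only one showing a non-trivial path and its removal is not mentioned in the commit message; if that form is still valid, keep one example of it.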
    skipped 30 lines
    82 84  --Payloads:
    83 85  --GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense"
    84 86  --GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0"
    85  -local S4S_CHECKER_URI = "/?class.module.classLoader.URLs%5B0%5D=0"
     87 +local S4S_PAYLOAD = "class.module.classLoader.definedPackages%5B0%5D=0"
    86 88   
    87 89  action = function(host, port)
    88 90   
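Review bot: the comments at lines 85-86 still document the old probes (`DefaultAssertionStatus=nosense` and `URLs%5B0%5D=0`) as "checker path2/path1" directly above the new `S4S_PAYLOAD` constant, which now holds the `definedPackages` probe; update or drop them, and carry the reason for the choice from the commit message (`getDefinedPackages()` is JDK 9+ and `final`) into the comment so it survives in the script itself.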
    skipped 16 lines
    105 107  
    106 108   local report = vulns.Report:new(SCRIPT_NAME, host, port)
    107 109   
    108  - uri = stdnse.get_script_args("CVE-2022-22965.uri") or S4S_CHECKER_URI
    109  - evil_uri = uri..S4S_CHECKER_URI
    110  - 
    111  - local options = {header={}}
    112  - 
    113  - options['header']['User-Agent'] = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0"
    114  - 
    115  - local response = http.get(host, port, evil_uri, { header = { ["Content-Type"] = "application/x-www-form-urlencoded"}})
     110 + local method = string.upper(stdnse.get_script_args("CVE-2022-22965.method") or "GET")
     111 + local path = stdnse.get_script_args("CVE-2022-22965.path") or "/"
     112 + local options = {header={["Content-Type"]="application/x-www-form-urlencoded"}}
     113 + if method == "GET" then
     114 + path = path .. "?" .. S4S_PAYLOAD
     115 + else
     116 + options["content"] = S4S_PAYLOAD
     117 + end
     118 + local response = http.generic_request(host, port, method, path, options)
    116 119   
    117 120   if response.status and response.body then
    118 121   
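Review bot: in the GET branch at line 114, `path .. "?" .. S4S_PAYLOAD` appends a second `?` when the supplied path already contains a query string, which makes the probe part of a parameter name rather than a bound property; use `&` when `path:find("?", 1, true)` is set. For any other method the user's path is sent untouched and the payload goes only in the body, which is correct for POST but worth stating in the @args help. Note also that the removed `User-Agent` header at line 113 was placed in `options` that was never passed to `http.get` (line 115 built its own table), so dropping it changes nothing on the wire; if a custom UA was intended, add it to the new `options.header` table that is now actually passed to `http.generic_request`.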
    skipped 30 lines