Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alt3kx/CVE-2022-22965
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
https://github.com/alt3kx/CVE-2022-22965
Last synced: 3 months ago
JSON representation
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
- Host: GitHub
- URL: https://github.com/alt3kx/CVE-2022-22965
- Owner: alt3kx
- License: gpl-3.0
- Created: 2022-04-07T00:08:16.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-04-07T23:00:29.000Z (over 2 years ago)
- Last Synced: 2024-05-20T12:35:45.930Z (6 months ago)
- Language: Lua
- Size: 26.4 KB
- Stars: 101
- Watchers: 4
- Forks: 18
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - alt3kx/CVE-2022-22965 - Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive) (Lua)
README
# CVE-2022-22965
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
looking (400) code as response (NON INTRUSIVE)
Inspired by:
@Twitter thread
https://twitter.com/RandoriAttack/status/1509298490106593283
@ZAP Scan Rule
https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/
Manual inspection:
```python
# curl -i -s -k -X $'GET'
-H $'Host: '
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https:///path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
```
```python
# curl -i -s -k -X $'GET'
-H $'Host: '
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https:///path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400
```
@milo-minderbinder | fix and improvements
```python
# curl -i -s -k -X $'GET'
-H $'Host: '
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https:///path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
```
# References:
https://github.com/alt3kx/CVE-2022-22965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
https://github.com/BobTheShoplifter/Spring4Shell-POC
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
# Usage
```python
-- $ nmap -p --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=,CVE-2022-22965.method=']
-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: /).
-- @args CVE-2022-22965.method HTTP request method to use (default: GET).
--
-- @examples:
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
--
```
# Output
```python
-- PORT STATE SERVICE
-- 443/tcp open https
-- | CVE-2022-22965:
-- | VULNERABLE:
-- | Spring Framework 5.2.x 5.3.x RCE
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2022-22965
-- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
-- | to remote code execution (RCE) via data binding.
-- | Disclosure date: 2022-03-31
-- | References:
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
```
## Payload 1: Spring Framework RCE found!
## Payload 2: Spring Framework RCE found!
## Payload 3: Spring Framework RCE found!
# Author
Alex Hernandez aka (@\_alt3kx\_)