Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
CVE-2022-22965
This script checks for the presence of CVE-2022-22965 (Spring Framework 5.2.x / 5.3.x RCE). It sends the payload "/?class.module.classLoader.definedPackages%5B0%5D=0" in a GET request and looks for an HTTP 400 status code in the response (NON INTRUSIVE: no code is executed on the target).
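The check described above, as an added example in Python (this is not the NSE script from the repository): it sends the class.module.classLoader probe and treats a 400 as the signal. It goes one step beyond the script by also sending a baseline request without the payload, so a server that answers 400 to everything is reported as "no signal" rather than as a finding. The fake server at the bottom is a constructed stand-in for Spring so the example runs offline; the host, port, header values and the helper names are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Probe parameter from the README: a class.module.classLoader.* property path.
# A 5.2.x/5.3.x data binder that lets the path reach the ClassLoader answers
# HTTP 400; a patched binder treats it as a disallowed field and the response
# looks like the baseline.
PROBE_QUERY = "class.module.classLoader.definedPackages%5B0%5D=0"


def build_targets(path="/"):
    """Return (baseline_target, probe_target) request targets for one path."""
    sep = "&" if "?" in path else "?"
    return path, path + sep + PROBE_QUERY


def assess(baseline_status, probe_status):
    """Classify a (baseline, probe) status pair; the verdict string is the result."""
    if baseline_status == 400:
        return "no signal (endpoint answers 400 to the baseline request too)"
    if probe_status == 400:
        return "likely vulnerable (binder reached class.module.classLoader)"
    if probe_status == baseline_status:
        return "no signal (probe ignored; patched or not a data-binding endpoint)"
    return f"inconclusive (baseline {baseline_status}, probe {probe_status})"


def check(host, port, path="/", method="GET", timeout=5):
    """Send baseline and probe over plain HTTP; return (baseline, probe, verdict)."""
    statuses = []
    for target in build_targets(path):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        # Same headers the README's curl invocation uses (User-Agent is arbitrary).
        conn.request(method, target,
                     headers={"User-Agent": "alex666", "Connection": "close"})
        statuses.append(conn.getresponse().status)
        conn.close()
    return statuses[0], statuses[1], assess(statuses[0], statuses[1])


class _FakeSpring(BaseHTTPRequestHandler):
    """Constructed stand-in for a Spring endpoint (assumption, not real Spring).

    The owning server's emulate_vulnerable flag decides whether a request whose
    query touches class.module.classLoader gets a 400, as an unpatched binder
    would, or is ignored as a patched one would.
    """

    def do_GET(self):
        hit = "class.module.classLoader" in self.path
        status = 400 if (self.server.emulate_vulnerable and hit) else 200
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def run_against_fake(emulate_vulnerable):
    """Spin up the fake on a free loopback port, run check(), tear it down."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeSpring)
    srv.emulate_vulnerable = emulate_vulnerable
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for flag in (True, False):
        base, probe, verdict = run_against_fake(flag)
        print(f"emulate_vulnerable={flag}: baseline={base} probe={probe} -> {verdict}")
```

Against a real host, call `check(host, port, path, method)` with the same path and method you would pass as `CVE-2022-22965.path` and `CVE-2022-22965.method`; the path must be one that binds request parameters, otherwise the probe is never evaluated and the result is "no signal" regardless of version.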
Inspired by:
@Twitter thread
https://twitter.com/RandoriAttack/status/1509298490106593283
@ZAP Scan Rule
https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/
Manual inspection:
curl -i -s -k -X $'GET'
-H $'Host:
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https://
curl -i -s -k -X $'GET'
-H $'Host:
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https://
@milo-minderbinder | fix and improvements
curl -i -s -k -X $'GET'
-H $'Host:
-H $'User-Agent: alex666'
-H $'Connection: close'
$'https://
References:
https://github.com/alt3kx/CVE-2022-22965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
https://github.com/BobTheShoplifter/Spring4Shell-POC
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
Usage
-- $ nmap -p
-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: /).
-- @args CVE-2022-22965.method HTTP request method to use (default: GET).
-- @examples:
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse