Vulnerability scanner for Spring4Shell (CVE-2022-22965)


go-scan-spring

Vulnerability scanner to find Spring4Shell (CVE-2022-22965) vulnerabilities

For more information: https://www.fracturelabs.com/posts/effective-spring4shell-scanning-exploitation/

@fracturelabs @brkr19


Build

[~/opt] $ git clone https://github.com/fracturelabs/go-scan-spring.git
[~/opt] $ cd go-scan-spring

Usage

Help

[~/opt/go-scan-spring] $ go run main.go help scan

Run a scan against target URLs looking for vulnerable services

Usage:
  go-scan-spring scan [flags]

Flags:
  -f, --file string         Target URL filename (- for stdin)
      --follow-redirect     Follow redirects
  -h, --help                help for scan
      --http-get            Test using HTTP GET requests (must set =false to disable) (default true)
      --http-post           Test using HTTP POST requests (must set =false to disable) (default true)
      --identifier string   Unique scan identifier (used as a password and an exploit filename) (default "go-scan-spring")
  -x, --proxy string        Upstream proxy
      --run-baseline        Run a baseline test to see if endpoint is up
      --run-exploit         Run an exploit to retrieve the owner of the Tomcat process
      --run-safe            Run a safe test to see if endpoint is vulnerable
  -s, --sleep int           Time to sleep between exploit steps. This is needed to allow time for deployment. (default 10)
  -t, --threads int         Number of threads (default 5)

Global Flags:
      --debug   enable debug logging

Basic safe scan

[~/opt/go-scan-spring] $ go run main.go scan --run-safe -f urls.txt

Basic safe exploit

Use your own unique identifier parameter!

# Using HTTP GETs and POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit

# Using only HTTP GETs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-post=false

# Using only HTTP POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-get=false

Verification

You can verify the scanner works properly by testing it against an intentionally vulnerable system, such as spring4shell_victim.

[~] $ curl --output - 'http://localhost:8080/go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b'
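An added example, not part of go-scan-spring, for closing out an authorized test: it scans constructed Tomcat combined-format access log lines for requests to the dropped <identifier>-AD.jsp artifact shown in the verification command and reports any still answered with 200, so the file can be removed. It assumes the artifact always carries the -AD.jsp suffix and a pwd= parameter equal to the identifier; the directory it lives in is not assumed.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// ArtifactHit is one access-log request for the JSP that --run-exploit drops.
type ArtifactHit struct {
	Client, Path, Identifier, Status string
	PasswordMatches                  bool // pwd= value equals the identifier in the filename
}

// Matches a combined-format log line requesting <identifier>-AD.jsp with a pwd= parameter (the
// naming under Verification). Assumption, not from the project: the directory may vary, so it is not matched.
var artifactRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S*?([^/\s?]+)-AD\.jsp)\?(?:\S*?&)?pwd=([^&"\s]+)[^"]*" (\d{3})`)

// FindArtifactRequests returns every scan-artifact request found in the log lines.
func FindArtifactRequests(lines []string) []ArtifactHit {
	var hits []ArtifactHit
	for _, line := range lines {
		if m := artifactRe.FindStringSubmatch(line); m != nil {
			hits = append(hits, ArtifactHit{Client: m[1], Path: m[2], Identifier: m[3],
				Status: m[5], PasswordMatches: m[3] == m[4]})
		}
	}
	return hits
}

// StillServed keeps hits answered with 200: the dropped JSP is still deployed and must be removed.
func StillServed(hits []ArtifactHit) []ArtifactHit {
	var live []ArtifactHit
	for _, h := range hits {
		if h.Status == "200" {
			live = append(live, h)
		}
	}
	return live
}

// Constructed sample lines for this example, not real server output.
var sampleLog = strings.Split(strings.TrimSpace(`
10.0.0.5 - - [31/Mar/2022:14:02:11 +0000] "GET /go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b HTTP/1.1" 200 41 "-" "curl/7.81.0"
10.0.0.5 - - [31/Mar/2022:14:03:20 +0000] "GET /spring4shell_victim/vulnerable HTTP/1.1" 200 12 "-" "Go-http-client/1.1"
10.0.0.7 - - [01/Apr/2022:09:00:00 +0000] "GET /go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b HTTP/1.1" 404 0 "-" "curl/7.81.0"
`), "\n")

func main() {
	fmt.Printf("%+v\n", StillServed(FindArtifactRequests(sampleLog)))
}
```

Point it at the real access log (one line per element of the slice) after the exploit run; an empty result from StillServed means no artifact is being served any more.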

Credits

  • The entire structure and several functions were borrowed heavily from the wonderful GoWitness project from SensePost.
  • The safe check implemented in this tool was inspired by The Randori Attack Team and Zach Grace.
  • Whoever created the first PoC - stuff is moving too fast to properly attribute this right now!