Share
## https://sploitus.com/exploit?id=98FE8E0A-6BB2-5BF9-88DD-8BDC4A4085EF
# SpringBoot-Toolkit

An interactive penetration-testing tool designed to hunt for information disclosure, misconfigurations, and critical remote code execution (RCE) vulnerabilities in Spring Bootโ€“based applications. You can inspect individual targets step-by-step or simultaneously scan hundreds of hosts listed in TXT files. The tool can download and analyze actuator file leaks or use your ZoomEye/FOFA/Hunter API keys to enumerate potential Spring attack surfaces.

## Features
- **Versatile scanning engine:** Supports single URL scanning, URL list scanning, sensitive file hunting, and batch PoC execution.
- **Interactive exploit module:** Provides interactive command execution flows for recent and legacy vulnerabilities such as CVE-2022-22965 (Spring4Shell), CVE-2022-22963, CVE-2022-22947, CVE-2021-21234, and more.
- **Asynchronous directory brute-force:** Using the `-uf` parameter, you can scan hundreds of targets concurrently with an `asyncio + aiohttp`โ€“based engine and configurable concurrency settings.
- **External data enrichment:** Collect Spring-related assets using your ZoomEye, FOFA, and Hunter API keys and export results to `zoomout.txt`, `fofaout.txt`, and `hunterout.txt`.
- **Proxy and custom header support:** Useful for corporate environments requiring proxy routing, custom header/cookie injection, or session handling.
- **Structured output logs:** Each module writes findings to dedicated log files (e.g., `urlout.txt`, `output.txt`, `dumpout.txt`, `vulout.txt`) to streamline reporting.

## Directory Structure

```text
SpringBoot/
โ”œโ”€โ”€ SpringBoot.py         # Main CLI
โ”œโ”€โ”€ inc/
โ”‚   โ”œโ”€โ”€ console.py             # Argument router
โ”‚   โ”œโ”€โ”€ run.py                 # Directory and file scanning workflows
โ”‚   โ”œโ”€โ”€ vul.py                 # Single-target exploit module (11+ PoCs)
โ”‚   โ”œโ”€โ”€ poc.py                 # Batch PoC execution
โ”‚   โ”œโ”€โ”€ zoom.py / fofa.py / hunter.py  # External integrations
โ”‚   โ”œโ”€โ”€ springcheck.py         # Spring fingerprint validation
โ”‚   โ”œโ”€โ”€ proxycheck.py          # Proxy & header handling
โ”‚   โ””โ”€โ”€ output.py              # Banner & usage output
โ”œโ”€โ”€ Dir.txt                    # Directory brute-force wordlist
โ”œโ”€โ”€ url.txt / header.txt / urlout.txt ...  # Input/output helper files
โ””โ”€โ”€ requirements.txt
```

## Installation

1. Make sure you have Python 3.8+ installed.
2. Clone or download the repository.
3. Install dependencies:

   ```bash
   pip install -r requirements.txt
   ```
4. (Optional) If using a proxy, specify it via `-p` in the format `ip:port`; the tool auto-tests connectivity.


## CLI Arguments

| Parameter          | Description                                                            |
| ------------------ | ---------------------------------------------------------------------- |
| `-u / --url`       | Information disclosure scan on a single target                         |
| `-uf / --urlfile`  | Concurrent scan of targets from a TXT file                             |
| `-v / --vul`       | Launch exploit console for a single target                             |
| `-vf / --vulfile`  | Run selected PoCs on targets from a list                               |
| `-d / --dump`      | Download sensitive actuator files (`heapdump`, `hystrix.stream`, etc.) |
| `-df / --dumpfile` | Sensitive file hunting across multiple targets                         |
| `-z / --zoomeye`   | Enumerate Spring assets using ZoomEye API                              |
| `-f / --fofa`      | Enumerate assets using FOFA API                                        |
| `-y / --hunter`    | Enumerate assets using Hunter API                                      |
| `-p / --proxy`     | HTTP/HTTPS proxy (`127.0.0.1:8080`)                                    |
| `-t / --newheader` | Custom headers in JSON format (`header.txt`)                           |
| `-c / --cookie`    | Cookie value used for all requests                                     |

## Typical Use Cases

1. **Single URL information disclosure scan**

   ```bash
   python SpringBoot.py -u https://target.com/
   ```
2. **Asynchronous scanning from URL list**

   ```bash
   python SpringBoot.py -uf url.txt
   ```

   * The tool interactively asks for delay and concurrency values.
3. **Single-target exploit console**

   ```bash
   python SpringBoot.py -v https://target.com/
   ```

   * From the menu, select CVE modules to run and execute commands interactively as needed.
4. **Sensitive actuator file downloader**

   ```bash
   python SpringBoot.py -d https://target.com/
   ```

   * Automatically tests endpoints like `heapdump`, `gateway/actuator/heapdump`, `hystrix.stream`.
5. **ZoomEye asset enumeration**

   ```bash
   python SpringBoot.py -z YOUR_API_KEY
   ```

   * The tool asks for desired asset count and search query (default: `app:"Spring Framework"`).


## Output Files

| File                                          | Description                                        |
| --------------------------------------------- | -------------------------------------------------- |
| `urlout.txt`                                  | Detected sensitive endpoints from single URL scans |
| `output.txt`                                  | Results of batch URL scans                         |
| `dumpout.txt`                                 | Sensitive actuator file findings                   |
| `vulout.txt`                                  | Endpoints and CVE tags from exploit/PoC modules    |
| `zoomout.txt`, `fofaout.txt`, `hunterout.txt` | Asset enumeration results                          |
| `error.log`                                   | Network errors / exceptions                        |

## Supported Exploit Modules

* **CVE-2022-22965 (Spring4Shell)** โ€“ JSP webshell upload for interactive RCE
* **CVE-2022-22963** โ€“ Blind RCE via Spring Cloud Function `routing-expression` header
* **CVE-2022-22947** โ€“ Spring Cloud Gateway SpEL injection for RCE with output capture
* **CVE-2021-21234** โ€“ Spring Boot actuator log/view directory traversal (`win.ini`, `/etc/passwd`)
* **SnakeYAML RCE**, **Eureka XStream RCE**, **Jolokia JNDI RCE**, **CVE-2018-1273**, and PoCs for 2023/2024/2025
* **JeeSpring 2023 file upload** โ€“ Upload JSP shell under `static/uploadify`

Modules work for both single-target (`-v`) and batch PoC (`-vf`) flows; if no selection is made, all CVEs run sequentially.

## External Integrations

* **ZoomEye (`-z`)**: Provide your API key and asset limit; default query is `app:"Spring Framework"`.
* **FOFA (`-f`)**: Query sent in Base64; default value: `icon_hash="116323821" OR body="Whitelabel Error Page"`.
* **Hunter (`-y`)**: Qianxin Hunter API for Spring Whitelabel or custom queries.

These modules automatically inherit proxy and custom header settings.

## Advanced Tips

* **Custom header/cookie:** Define a JSON-based header set in `header.txt` for WAF bypass or session handling (`{"Authorization": "Bearer ...", "X-Forwarded-For": "..."}`).
* **Proxy validation:** When `-p` is used, the tool tests proxy connectivity via `https://www.baidu.com` before proceeding.
* **Delay & concurrency:** For batch scans (`-uf`), delay and concurrency values can be tuned to respect WAF/Rate Limit policies.
* **Input files:** Ensure `url.txt` and others use UTF-8 encoding with one host per line. If no scheme is present, the tool automatically prepends `http://`.

### Disclaimer

This project is provided for educational and authorized penetration-testing use only. By running the tool, you acknowledge that:

1. You have permission to test the specified targets,
2. You accept full responsibility for any outcome,
3. The developers cannot be held liable for any damage or misuse.

## License

This project is licensed under the MIT License. For more information, see the [LICENSE file](LICENSE).