## https://sploitus.com/exploit?id=98FE8E0A-6BB2-5BF9-88DD-8BDC4A4085EF
# SpringBoot-Toolkit
An interactive penetration-testing tool designed to hunt for information disclosure, misconfigurations, and critical remote code execution (RCE) vulnerabilities in Spring Bootโbased applications. You can inspect individual targets step-by-step or simultaneously scan hundreds of hosts listed in TXT files. The tool can download and analyze actuator file leaks or use your ZoomEye/FOFA/Hunter API keys to enumerate potential Spring attack surfaces.
## Features
- **Versatile scanning engine:** Supports single URL scanning, URL list scanning, sensitive file hunting, and batch PoC execution.
- **Interactive exploit module:** Provides interactive command execution flows for recent and legacy vulnerabilities such as CVE-2022-22965 (Spring4Shell), CVE-2022-22963, CVE-2022-22947, CVE-2021-21234, and more.
- **Asynchronous directory brute-force:** Using the `-uf` parameter, you can scan hundreds of targets concurrently with an `asyncio + aiohttp`โbased engine and configurable concurrency settings.
- **External data enrichment:** Collect Spring-related assets using your ZoomEye, FOFA, and Hunter API keys and export results to `zoomout.txt`, `fofaout.txt`, and `hunterout.txt`.
- **Proxy and custom header support:** Useful for corporate environments requiring proxy routing, custom header/cookie injection, or session handling.
- **Structured output logs:** Each module writes findings to dedicated log files (e.g., `urlout.txt`, `output.txt`, `dumpout.txt`, `vulout.txt`) to streamline reporting.
## Directory Structure
```text
SpringBoot/
โโโ SpringBoot.py # Main CLI
โโโ inc/
โ โโโ console.py # Argument router
โ โโโ run.py # Directory and file scanning workflows
โ โโโ vul.py # Single-target exploit module (11+ PoCs)
โ โโโ poc.py # Batch PoC execution
โ โโโ zoom.py / fofa.py / hunter.py # External integrations
โ โโโ springcheck.py # Spring fingerprint validation
โ โโโ proxycheck.py # Proxy & header handling
โ โโโ output.py # Banner & usage output
โโโ Dir.txt # Directory brute-force wordlist
โโโ url.txt / header.txt / urlout.txt ... # Input/output helper files
โโโ requirements.txt
```
## Installation
1. Make sure you have Python 3.8+ installed.
2. Clone or download the repository.
3. Install dependencies:
```bash
pip install -r requirements.txt
```
4. (Optional) If using a proxy, specify it via `-p` in the format `ip:port`; the tool auto-tests connectivity.
## CLI Arguments
| Parameter | Description |
| ------------------ | ---------------------------------------------------------------------- |
| `-u / --url` | Information disclosure scan on a single target |
| `-uf / --urlfile` | Concurrent scan of targets from a TXT file |
| `-v / --vul` | Launch exploit console for a single target |
| `-vf / --vulfile` | Run selected PoCs on targets from a list |
| `-d / --dump` | Download sensitive actuator files (`heapdump`, `hystrix.stream`, etc.) |
| `-df / --dumpfile` | Sensitive file hunting across multiple targets |
| `-z / --zoomeye` | Enumerate Spring assets using ZoomEye API |
| `-f / --fofa` | Enumerate assets using FOFA API |
| `-y / --hunter` | Enumerate assets using Hunter API |
| `-p / --proxy` | HTTP/HTTPS proxy (`127.0.0.1:8080`) |
| `-t / --newheader` | Custom headers in JSON format (`header.txt`) |
| `-c / --cookie` | Cookie value used for all requests |
## Typical Use Cases
1. **Single URL information disclosure scan**
```bash
python SpringBoot.py -u https://target.com/
```
2. **Asynchronous scanning from URL list**
```bash
python SpringBoot.py -uf url.txt
```
* The tool interactively asks for delay and concurrency values.
3. **Single-target exploit console**
```bash
python SpringBoot.py -v https://target.com/
```
* From the menu, select CVE modules to run and execute commands interactively as needed.
4. **Sensitive actuator file downloader**
```bash
python SpringBoot.py -d https://target.com/
```
* Automatically tests endpoints like `heapdump`, `gateway/actuator/heapdump`, `hystrix.stream`.
5. **ZoomEye asset enumeration**
```bash
python SpringBoot.py -z YOUR_API_KEY
```
* The tool asks for desired asset count and search query (default: `app:"Spring Framework"`).
## Output Files
| File | Description |
| --------------------------------------------- | -------------------------------------------------- |
| `urlout.txt` | Detected sensitive endpoints from single URL scans |
| `output.txt` | Results of batch URL scans |
| `dumpout.txt` | Sensitive actuator file findings |
| `vulout.txt` | Endpoints and CVE tags from exploit/PoC modules |
| `zoomout.txt`, `fofaout.txt`, `hunterout.txt` | Asset enumeration results |
| `error.log` | Network errors / exceptions |
## Supported Exploit Modules
* **CVE-2022-22965 (Spring4Shell)** โ JSP webshell upload for interactive RCE
* **CVE-2022-22963** โ Blind RCE via Spring Cloud Function `routing-expression` header
* **CVE-2022-22947** โ Spring Cloud Gateway SpEL injection for RCE with output capture
* **CVE-2021-21234** โ Spring Boot actuator log/view directory traversal (`win.ini`, `/etc/passwd`)
* **SnakeYAML RCE**, **Eureka XStream RCE**, **Jolokia JNDI RCE**, **CVE-2018-1273**, and PoCs for 2023/2024/2025
* **JeeSpring 2023 file upload** โ Upload JSP shell under `static/uploadify`
Modules work for both single-target (`-v`) and batch PoC (`-vf`) flows; if no selection is made, all CVEs run sequentially.
## External Integrations
* **ZoomEye (`-z`)**: Provide your API key and asset limit; default query is `app:"Spring Framework"`.
* **FOFA (`-f`)**: Query sent in Base64; default value: `icon_hash="116323821" OR body="Whitelabel Error Page"`.
* **Hunter (`-y`)**: Qianxin Hunter API for Spring Whitelabel or custom queries.
These modules automatically inherit proxy and custom header settings.
## Advanced Tips
* **Custom header/cookie:** Define a JSON-based header set in `header.txt` for WAF bypass or session handling (`{"Authorization": "Bearer ...", "X-Forwarded-For": "..."}`).
* **Proxy validation:** When `-p` is used, the tool tests proxy connectivity via `https://www.baidu.com` before proceeding.
* **Delay & concurrency:** For batch scans (`-uf`), delay and concurrency values can be tuned to respect WAF/Rate Limit policies.
* **Input files:** Ensure `url.txt` and others use UTF-8 encoding with one host per line. If no scheme is present, the tool automatically prepends `http://`.
### Disclaimer
This project is provided for educational and authorized penetration-testing use only. By running the tool, you acknowledge that:
1. You have permission to test the specified targets,
2. You accept full responsibility for any outcome,
3. The developers cannot be held liable for any damage or misuse.
## License
This project is licensed under the MIT License. For more information, see the [LICENSE file](LICENSE).