Share
## https://sploitus.com/exploit?id=B158F1AE-13DF-5F49-88D5-73B5B6183926
# CVE-2022-22965
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)

This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE 
uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
looking (400) code as response (NON INTRUSIVE)

Inspired by:

@Twitter thread</br>
https://twitter.com/RandoriAttack/status/1509298490106593283

@ZAP Scan Rule</br>
https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/

Manual inspection: 
```python
# curl -i -s -k -X $'GET' 
-H $'Host: <target>' 
-H $'User-Agent: alex666'  
-H $'Connection: close' 
$'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
```
```python
# curl -i -s -k -X $'GET' 
-H $'Host: <target>' 
-H $'User-Agent: alex666'  
-H $'Connection: close' 
$'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400
```
<em><a href="https://github.com/milo-minderbinder"> @milo-minderbinder</a></em> | fix and improvements
```python
# curl -i -s -k -X $'GET' 
-H $'Host: <target>' 
-H $'User-Agent: alex666'  
-H $'Connection: close' 
$'https://<target>/path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
```
# References:
https://github.com/alt3kx/CVE-2022-22965</br>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965</br>
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities</br>
https://github.com/BobTheShoplifter/Spring4Shell-POC</br>
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</br>
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework</br>

# Usage
```python
-- $ nmap -p <port> --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=<PATH>,CVE-2022-22965.method=<HTTP METHOD>'] <target>
-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: <code>/</code>).
-- @args CVE-2022-22965.method HTTP request method to use (default: <code>GET</code>).
-- 
-- @examples:
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
-- 
```
# Output
```python
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | CVE-2022-22965: 
-- |   VULNERABLE:
-- |   Spring Framework 5.2.x 5.3.x RCE
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2022-22965
-- |       Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable 
-- |       to remote code execution (RCE) via data binding.
-- |     Disclosure date: 2022-03-31
-- |     References:
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

```
## Payload 1: Spring Framework RCE found! 
<img src="https://user-images.githubusercontent.com/3140111/162096857-8b29e020-4f8e-448d-8694-7cd7b2e0cfcf.png" width="800"> 

## Payload 2: Spring Framework RCE found! 
<img src="https://user-images.githubusercontent.com/3140111/162097169-2ad3efac-935a-4caa-8ea4-5068d2ae1c15.png" width="800">

## Payload 3: Spring Framework RCE found! 
<img src="https://user-images.githubusercontent.com/3140111/162332755-6f1992a6-27d4-4e71-bbad-52815d046759.png" width="800">

# Author
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>