aabysszg / springboot-scan


An open-source penetration-testing framework for SpringBoot, plus exploitation tools for high-risk Spring-related vulnerabilities.

Home Page: https://blog.zgsec.cn/archives/129.html

License: MIT License

Python 100.00%
spring spring-boot spring-vulnerability springboot vul security security-tools cve-2018-1273 cve-2021-21234 cve-2022-22947 cve-2022-22963 cve-2022-22965 exploit exploits

springboot-scan's Issues

Scan error

An error occurs during the scan; the directory should actually exist, and other scanning tools handle it normally.

Missing proxy support

Could you add delay and proxy options? I see it uses the requests package, so it should be doable. It sometimes hangs.

error

requests.exceptions.ConnectionError: HTTPConnectionPool(host='spring-dev-vab.apps.grv.scbs.ch', port=80): Max retries exceeded with url: /actuator (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fc216eb1160>: Failed to establish a new connection: [Errno 111] Connection refused'))

I think you have to wait for 10 seconds; if there is no response, then you have to move on to another target.

Some suggestions for SpringBoot-Scan

Hello, author!
I think this script could add some crawler functionality instead of only brute-forcing the entries in the dictionary. For example, in some unauthenticated Spring environments, visiting /actuator/ reveals entries that are not in the dictionary, such as /actuator/nacosconfig and /actuator/nacosdiscovery. In such cases it would be better to crawl /actuator/ as well.

CVE_2022_22947 false negatives

Your detection logic accesses the registered hacktest route and reads the echo of the id command, but this only applies to Linux systems. I see you have a built-in payload2 for executing whoami, but there is no detection logic for Windows; if Spring Cloud Gateway is deployed on Windows, the vulnerability will be misreported.
Moreover, your logic only deletes the registered hacktest route when the echo of id is read:

```python
if ('uid=' in str(re3.text)) and ('gid=' in str(re3.text)) and ('groups=' in str(re3.text)):
    cprint(f'[+] [CVE-2022-22947] {url}', "red")
    f2 = open("vulout.txt", "a")
    f2.write("[+] [CVE-2022-22947] " + url + '\n')
    f2.close()
    re4 = requests.delete(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10, verify=False, proxies=proxies)
    re5 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10, verify=False, proxies=proxies)
```

But on the Windows platform, because the command executed is id, java.lang.ProcessBuilder.start throws an exception, so the route-deletion logic is never reached and the registered route is left on the server persistently; after the pentest is over it has to be cleaned up by hand. The logic could be adjusted. The official patch replaces StandardEvaluationContext with SimpleEvaluationContext, which restricts SpEL expression execution but does not restrict route registration.

Another problem: the SpEL expression is evaluated during the /refresh route-cache refresh logic, so all subsequent normal /refresh operations will also throw exceptions, which affects the server's normal functionality and other scanners' detection of CVE_2022_22947.
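The issue above makes a defender-relevant point: the fix restricts SpEL evaluation, but a route registered through the gateway actuator can stay behind and keep breaking /refresh. An operator can catch that from the gateway's own side by auditing the route listing the actuator returns. The following is an added example written for this page, not code from SpringBoot-Scan or from Spring Cloud Gateway: it parses a constructed dump in the shape assumed for /actuator/gateway/routes (field names route_id, predicate, filters, uri, order are an assumption about that endpoint's output) and flags any route whose id is not on the deployed-route allowlist or whose filter arguments carry a SpEL template marker.

```python
import json
import re
from typing import Iterable

# A filter argument that contains "#{" is a SpEL template expression and has no
# business in a hand-deployed route definition.
SPEL_MARKER = re.compile(r"#\{")

# Constructed sample, NOT captured from a real gateway. Field names follow the
# assumed shape of the /actuator/gateway/routes response. The second route is
# the kind of leftover described in the issue: unknown id, SpEL in a filter.
SAMPLE_ROUTES_JSON = json.dumps([
    {
        "route_id": "orders",
        "predicate": "Paths: [/orders/**], match trailing slash: true",
        "filters": ["[[RewritePath /orders/(?<segment>.*) = '/${segment}'], order = 1]"],
        "uri": "lb://orders-service",
        "order": 0,
    },
    {
        "route_id": "hacktest",
        "predicate": "Paths: [/hacktest], match trailing slash: true",
        "filters": ["[[AddResponseHeader Result = '#{...}'], order = 1]"],
        "uri": "http://127.0.0.1",
        "order": 0,
    },
])


def parse_routes(routes_json: str) -> list[dict]:
    """Decode the actuator response and insist on a JSON array of route objects."""
    routes = json.loads(routes_json)
    if not isinstance(routes, list):
        raise ValueError("expected a JSON array of route definitions")
    return routes


def audit_routes(routes_json: str, expected_ids: Iterable[str]) -> list[dict]:
    """Return one finding per suspicious route.

    A route is suspicious when its id is not in the allowlist of routes that
    were actually deployed, or when any filter string carries a SpEL marker.
    """
    expected = set(expected_ids)
    findings = []
    for route in parse_routes(routes_json):
        route_id = str(route.get("route_id", "<missing>"))
        reasons = []
        if route_id not in expected:
            reasons.append("route id not in the deployed-route allowlist")
        filters = route.get("filters") or []
        if any(SPEL_MARKER.search(str(f)) for f in filters):
            reasons.append("filter argument contains a SpEL template marker '#{'")
        if reasons:
            findings.append({"route_id": route_id, "uri": route.get("uri"), "reasons": reasons})
    return findings


def main() -> None:
    # The allowlist would normally come from the gateway's own configuration.
    for finding in audit_routes(SAMPLE_ROUTES_JSON, {"orders"}):
        print(f"[!] route {finding['route_id']!r} -> {finding['uri']}: "
              + "; ".join(finding["reasons"]))


if __name__ == "__main__":
    main()
```

Run against a real listing, the allowlist is the set of route ids from the gateway's deployed configuration; anything else in the actuator output, SpEL or not, is a route somebody added at runtime and is worth a ticket. Removing a stray route goes through the same actuator endpoints the issue names (delete the route, then /refresh), after which /refresh should stop throwing.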

Still getting an error after installing the libraries

```text
Traceback (most recent call last):
File "E:\Tools\SpringBoot-Scan-main\SpringBoot-Scan.py", line 7, in
from inc import output, console, run ,proxycheck
File "E:\Tools\SpringBoot-Scan-main\inc\console.py", line 4, in
from inc import output,run,vul,springcheck
File "E:\ools\SpringBoot-Scan-main\inc\springcheck.py", line 4, in
from inc import output,run,vul,console
ImportError: cannot import name 'vul' from 'inc' (unknown location)
```
