During routine penetration testing we often encounter microservices built with Spring Boot. That inspired an open-source penetration framework specifically for Spring Boot, used primarily to scan for sensitive-information leakage endpoints and to test directly for high-risk Spring-related vulnerabilities. The result is SpringBoot-Scan (abbreviated "SB-Scan").
Current tool version: V2.51-2024/05/19
I have also compiled a guide on Spring Boot penetration techniques on my personal blog. Feel free to check it out and exchange ideas: https://blog.zgsec.cn/archives/129.html
- Added support for 2023 JeeSpringCloud arbitrary file upload vulnerability
- Added support for CVE-2022-22947 (Spring Cloud Gateway SpEL RCE vulnerability)
- Added support for CVE-2022-22963 (Spring Cloud Function SpEL RCE vulnerability)
- Added support for CVE-2022-22965 (Spring Core RCE vulnerability)
- Added support for CVE-2021-21234 (arbitrary file read vulnerability)
- Added support for 2021 SnakeYAML_RCE vulnerability
- Added support for 2021 Eureka_Xstream deserialization vulnerability
- Added support for 2020 Jolokia misconfiguration leading to RCE vulnerability
- Added support for CVE-2018-1273 (Spring Data Commons RCE vulnerability)
- Added module to select single or multiple vulnerabilities for detection
- Interactive command execution for command execution vulnerabilities
- Added batch vulnerability verification module (finally here!)
Future updates will add more built-in vulnerability exploitation modules (please consider giving the project a star; coding is quite labor-intensive, haha).
- Thanks to @Viking, added more content to the `Dir.txt` sensitive endpoints dictionary
- Thanks to @Fkalis, used `aiohttp` for concurrent batch information leakage scanning, significantly speeding up the `-uf` parameter
- Added support for multiple custom HTTP headers (request headers) during operations
- Added support for custom query statements when exporting asset mappings
- Added delay scanning during sensitive endpoint brute force to prevent being blocked due to fast scanning speed
- Added Hunter asset mapping export module, automatically interfacing with the API to export assets to `hunterout.txt`
- Added Fofa asset mapping export module, automatically interfacing with the API to export assets to `fofaout.txt`
- Added ZoomEye asset mapping export module, automatically interfacing with the API to export assets to `zoomout.txt`
- Filtering out some invalid echo pages during Spring endpoint brute force, improving work efficiency
- Optimized the endpoint brute force dictionary, added some bypass statements (feel free to submit any additions)
- Automatic fingerprint recognition for Spring
- Output errors to `error.log` in the vulnerability exploitation module
- Support for using authenticated HTTP proxy nodes, automatically checking node status
- GUI version created by @13exp
- Verify proxy availability, support using HTTP/HTTPS proxy for all traffic
- Random User-Agent request headers
- Resolve SSL certificate issues (use `http://` for self-signed certificates)
- Intelligent target address recognition (e.g., `example.com`, `http://example.com/`, and `http://example.com` are all accepted without error)
- The tool accepts `example.com`, `http://example.com/`, and `http://example.com` without error; it automatically identifies and processes these formats.
- SSL certificate issues have been resolved, so Spring Boot deployments behind SSL certificates can be scanned (use `http://` for self-signed certificates).
- For Spring projects deployed in subdirectories, pass the corresponding path to the tool (e.g., if `example.com/test/` hosts a Spring project, pass `example.com/test/` as the parameter).
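As an added example (not SB-Scan's own code), here is how the target-format handling described above can be implemented in Python with only the standard library: scheme-less hosts, trailing slashes and sub-directory deployments are all reduced to one canonical base URL, so dictionary entries are joined under the deployment path rather than the host root. Two details are assumptions of this example rather than documented tool behaviour: scheme-less targets default to `http://`, and the batch file (`url.txt`) is read as one target per line with blank lines and `#` comments ignored.

```python
from typing import List
from urllib.parse import urlsplit, urlunsplit

# Assumption (this example, not the tool): a target given without a scheme is plain HTTP.
DEFAULT_SCHEME = "http"


def normalize_target(raw: str, default_scheme: str = DEFAULT_SCHEME) -> str:
    """Reduce the accepted target formats to one canonical base URL.

    example.com, http://example.com and http://example.com/ all become
    http://example.com/ ; a sub-directory deployment such as example.com/test/
    keeps its path so endpoints are later joined below it, not at the host root.
    """
    target = raw.strip()
    if not target:
        raise ValueError("empty target")
    if "://" not in target:
        target = f"{default_scheme}://{target}"
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in target: {raw!r}")
    if not parts.hostname:
        raise ValueError(f"no host in target: {raw!r}")
    # Lower-case host, path ending in exactly one slash, query/fragment dropped:
    # none of those belong in a base URL that dictionary entries get appended to.
    path = parts.path.rstrip("/") + "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def join_endpoint(base: str, endpoint: str) -> str:
    """Append a dictionary entry such as 'actuator/heapdump' under the base path."""
    return normalize_target(base) + endpoint.lstrip("/")


def load_targets(text: str) -> List[str]:
    """Parse the contents of a batch file: one target per line, '#' comments and
    blank lines skipped, duplicates (after normalization) removed in order.
    The comment syntax is an assumption of this example."""
    seen: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        url = normalize_target(line)
        if url not in seen:
            seen.append(url)
    return seen
```

Joining under the normalized base is what makes the subdirectory case work: `join_endpoint("example.com/test/", "actuator/heapdump")` yields `http://example.com/test/actuator/heapdump`, whereas naive string handling would probe the host root and miss the deployment.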
GUI version created by @13exp, available at: https://github.com/13exp/SpringBoot-Scan-GUI
Note: Both the main project (`vul.py`) and the GUI project contain vulnerability exploitation modules, so it is normal for antivirus software to flag them. If you find the tool useful, consider giving it a star, haha!
pip install -r requirements.txt
If the installation is slow, you can use a mirror in mainland China:
pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple/
How to find Spring frameworks on the internet, ZoomEye syntax:
app:"Spring Framework"
Fofa syntax:
icon_hash="116323821" || body="Whitelabel Error Page"
Tool parameters:
# python3 SpringBoot-Scan.py
______ __ _______ __
/ \ | \ | \ | \
| $$$$$$\ ______ ______ \$$ _______ ______ | $$$$$$$\ ______ ______ _| $$_
| $$___\$$ / \ / \ | \| \ / \ | $$__/ $$ / \ / \| $$ \
\$$ \ | $$$$$$\| $$$$$$\| $$| $$$$$$$\| $$$$$$\| $$ $$| $$$$$$\| $$$$$$\\$$$$$$
_\$$$$$$\| $$ | $$| $$ \$$| $$| $$ | $$| $$ | $$| $$$$$$$\| $$ | $$| $$ | $$ | $$ __
| \__| $$| $$__/ $$| $$ | $$| $$ | $$| $$__| $$| $$__/ $$| $$__/ $$| $$__/ $$ | $$| \
\$$ $$| $$ $$| $$ | $$| $$ | $$ \$$ $$| $$ $$ \$$ $$ \$$ $$ \$$ $$
\$$$$$$ | $$$$$$$ \$$ \$$ \$$ \$$ _\$$$$$$$ \$$$$$$$ \$$$$$$ \$$$$$$ \$$$$
| $$ | \__| $$
| $$ \$$ $$
\$$ \$$$$$$
______
/ \ +-------------------------------------+
| $$$$$$\ _______ ______ _______ + Version: 2.51 +
| $$___\$$ / \| \ | \ + Author: 曾哥(@AabyssZG) +
\$$ \ | $$$$$$$ \$$$$$$\| $$$$$$$\ + Whoami: https://github.com/AabyssZG +
_\$$$$$$\| $$ / $$| $$ | $$ +-------------------------------------+
| \__| $$| $$_____| $$$$$$$| $$ | $$ + Multiprocess speedup: Fkalis +
\$$ $$ \$$ \\$$ $$| $$ | $$ + Whoami: https://github.com/FFR66 +
\$$$$$$ \$$$$$$$ \$$$$$$$ \$$ \$$ +-------------------------------------+
Usage:
Scan a single URL for information leakage: python3 SpringBoot-Scan.py -u example.com
Read target TXT for batch information leakage scanning: python3 SpringBoot-Scan.py -uf url.txt
Exploit vulnerabilities in a single URL: python3 SpringBoot-Scan.py -v example.com
Read target TXT for batch vulnerability scanning: python3 SpringBoot-Scan.py -vf url.txt
Scan and download Spring Boot sensitive files: python3 SpringBoot-Scan.py -d example.com
Use HTTP proxy and perform connectivity tests: python3 SpringBoot-Scan.py -p <proxy IP:port>
Import custom HTTP headers from TXT file: python3 SpringBoot-Scan.py -t header.txt
Download data via ZoomEye API key: python3 SpringBoot-Scan.py -z <ZoomEye API-KEY>
Download data via Fofa API key: python3 SpringBoot-Scan.py -f <Fofa API-KEY>
Download data via Hunter API key: python3 SpringBoot-Scan.py -y <Hunter API-KEY>
This tool interfaces with the [ZoomEye API](https://www.zoomeye.org/doc), allowing you to batch download Spring asset mapping data using the API key:
python3 SpringBoot-Scan.py -z <ZoomEye API-KEY>
Note: This module now supports custom search syntax for the asset export. When the export completes, the results are written to `zoomout.txt`, which you can then use with the other parameters.
This tool interfaces with the Fofa API, allowing you to batch download Spring asset mapping data using the API key:
python3 SpringBoot-Scan.py -f <Fofa API-KEY>
Note: This module now supports custom search syntax for the asset export. When the export completes, the results are written to `fofaout.txt`, which you can then use with the other parameters.
This tool interfaces with the Hunter API, allowing you to batch download Spring asset mapping data using the API key:
python3 SpringBoot-Scan.py -y <Hunter API-KEY>
Note: This module now supports custom search syntax for the asset export. When the export completes, the results are written to `hunterout.txt`, which you can then use with the other parameters.
python3 SpringBoot-Scan.py -p <proxy IP:port>
python3 SpringBoot-Scan.py -p <HTTP auth username:HTTP auth password@proxy IP:port>
For example, to scan a single URL for information leakage using a proxy:
python3 SpringBoot-Scan.py -u example.com -p <proxy IP:port>
python3 SpringBoot-Scan.py -u example.com -p <HTTP auth username:HTTP auth password@proxy IP:port>
Similarly, the other parameters (`-u` / `-uf` / `-v` / `-vf` / `-d`) can be combined with a proxy.
python3 SpringBoot-Scan.py -t header.txt
To use the custom HTTP header feature, edit the contents of `header.txt` accordingly. This feature supports the `-u` / `-uf` / `-v` / `-d` parameters. Batch vulnerability scanning (`-vf`) has no clear need for it, so it was not included there.
`Dir.txt` is the built-in Spring endpoint brute force dictionary. It contains most of the sensitive information leakage endpoints related to Spring Boot. If anything is missing, feel free to contact me.
python3 SpringBoot-Scan.py -u example.com
A delay scanning option was added; if you do not want a delay, enter `0` and press Enter.
Note: Successful results are exported to `urlout.txt` in the same directory.
python3 SpringBoot-Scan.py -uf url.txt
A delay scanning option was added; if you do not want a delay, enter `0` and press Enter. Thanks to @Fkalis, a concurrent scanning option was added, with a default concurrency of 10.
Note: Because of version updates, the parameter for reading a TXT file and scanning changed to `-uf` from version 2.21 onwards. Successful results are exported to `output.txt` in the same directory.
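Here, as an added example that is not the project's code, is the shape of the brute-force loop the `-u`/`-uf` modes describe: a bounded number of in-flight requests (default 10), an optional per-request delay, and filtering of "invalid echo" pages. The transport is pluggable so the logic runs offline against a constructed fake site embedded below; in the real tool it would be `aiohttp`. The endpoint list is the heapdump paths this page lists plus a few assumed actuator paths, not the full `Dir.txt`. The baseline-comparison check (probe a random, non-existent path first and discard any hit whose body is identical to it) is my addition; it is what catches servers with catch-all handlers that answer 200 to everything.

```python
import asyncio
import random
from typing import Awaitable, Callable, Dict, List, Tuple

# A response is (status, body). `fetch` is whatever transport the caller supplies
# (aiohttp in a real scanner); keeping it pluggable lets the logic run offline.
Response = Tuple[int, str]
Fetcher = Callable[[str], Awaitable[Response]]

# Dictionary excerpt: the paths listed on this page plus a few assumed actuator endpoints.
ENDPOINTS = [
    "actuator", "actuator/env", "actuator/heapdump", "heapdump", "heapdump.json",
    "hystrix.stream", "gateway/actuator/heapdump", "artemis-portal/artemis/heapdump", "env",
]

# Markers of an "invalid echo": a 200 whose body is really Spring's error page.
INVALID_MARKERS = ("Whitelabel Error Page", '"status":404', '"error":"Not Found"')


def looks_invalid(status: int, body: str, baseline: Response) -> bool:
    """True if a hit is noise: non-2xx, a Spring error page, or the same body the
    server returned for a path that cannot exist (catch-all handler)."""
    if not 200 <= status < 300:
        return True
    if any(marker in body for marker in INVALID_MARKERS):
        return True
    base_status, base_body = baseline
    return base_status == status and body == base_body


async def brute_force(base: str, fetch: Fetcher, endpoints: List[str] = ENDPOINTS,
                      concurrency: int = 10, delay: float = 0.0) -> List[str]:
    """Probe every endpoint under `base` (must end with '/'), at most `concurrency`
    requests in flight, sleeping `delay` seconds after each (0 = no delay)."""
    # Baseline: what does "not found" look like on this host?
    baseline = await fetch("%s%08x" % (base, random.getrandbits(32)))
    sem = asyncio.Semaphore(concurrency)
    hits: List[str] = []

    async def probe_one(endpoint: str) -> None:
        url = base + endpoint
        async with sem:
            status, body = await fetch(url)
            if delay:
                await asyncio.sleep(delay)  # delay is applied per slot, so rate ~= concurrency / delay
        if not looks_invalid(status, body, baseline):
            hits.append(url)

    await asyncio.gather(*(probe_one(ep) for ep in endpoints))
    return sorted(hits)


# --- constructed offline target (not real responses) --------------------------
FAKE_SITE: Dict[str, Response] = {
    "actuator/env": (200, '{"activeProfiles":[],"propertySources":[]}'),
    "actuator/heapdump": (200, "JAVA PROFILE 1.0.2\x00"),        # HPROF magic: a real dump
    "heapdump": (200, "<html><h1>Whitelabel Error Page</h1></html>"),  # 200 but really an error
    "env": (401, ""),                                              # secured actuator
}
# Every other path gets Spring's JSON 404 body with an HTTP 200 (a catch-all handler).
CATCH_ALL: Response = (200, '{"timestamp":"...","status":404,"error":"Not Found"}')


async def fake_fetch(url: str) -> Response:
    path = url.split("/", 3)[3]  # strip scheme://host/
    return FAKE_SITE.get(path, CATCH_ALL)


def run_demo() -> List[str]:
    """Run the scanner against the fake site; only the two genuine leaks survive filtering."""
    return asyncio.run(brute_force("http://example.com/", fake_fetch, concurrency=4))
```

Without the baseline step, the catch-all host above would report every dictionary entry as a hit; without the status check, the 401 on `env` would be counted too. Both are the kind of noise the tool's "invalid echo" filtering is meant to remove before results land in `urlout.txt`.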
python3 SpringBoot-Scan.py -v example.com
Implemented interactive command customization for the RCE vulnerabilities (do not use it for malicious purposes).
More built-in vulnerability exploitation modules will be added in the future, so stay tuned!
python3 SpringBoot-Scan.py -vf url.txt
You can freely select vulnerabilities from the vulnerability library for batch verification. Successful results are exported to `vulout.txt`.
python3 SpringBoot-Scan.py -d example.com
Note: Scanned sensitive files will be automatically downloaded to the script's running directory, with a progress bar showing real-time download progress.
Currently, the built-in sensitive file paths are:
actuator/heapdump
gateway/actuator/heapdump
heapdump
heapdump.json
hystrix.stream
artemis-portal/artemis/heapdump
If you know of other sensitive file directories, please submit an issue. Thank you!
- By downloading, installing, using, or modifying this tool and related code, you indicate your trust in this tool.
- We are not responsible for any form of loss or damage caused to you or others while using this tool.
- You are responsible for any illegal activities conducted while using this tool. We are not liable for any legal or joint responsibilities.
- Please read and fully understand the terms, especially those that exempt or limit liability, and choose to accept or not accept them.
- Unless you have read and accepted all terms of this agreement, you do not have the right to download, install, or use this tool.
- Your download, installation, and use of this tool constitute your agreement to the terms of this agreement.