Karararam/SpringBoot-Exploit-Toolkit

SpringBoot Attack Surface Scanner – An interactive penetration testing tool that automatically discovers information leaks, actuator leaks, and modern CVE exploits in Spring-based applications through asynchronous scanning + FOFA/ZoomEye/Hunter integrations.
SpringBoot-Toolkit

An interactive penetration-testing tool designed to hunt for information disclosure, misconfigurations, and critical remote code execution (RCE) vulnerabilities in Spring Boot–based applications. You can inspect individual targets step-by-step or simultaneously scan hundreds of hosts listed in TXT files. The tool can download and analyze actuator file leaks or use your ZoomEye/FOFA/Hunter API keys to enumerate potential Spring attack surfaces.

Features

  • Versatile scanning engine: Supports single URL scanning, URL list scanning, sensitive file hunting, and batch PoC execution.
  • Interactive exploit module: Provides interactive command execution flows for recent and legacy vulnerabilities such as CVE-2022-22965 (Spring4Shell), CVE-2022-22963, CVE-2022-22947, CVE-2021-21234, and more.
  • Asynchronous directory brute-force: Using the -uf parameter, you can scan hundreds of targets concurrently with an asyncio + aiohttp–based engine and configurable concurrency settings.
  • External data enrichment: Collect Spring-related assets using your ZoomEye, FOFA, and Hunter API keys and export results to zoomout.txt, fofaout.txt, and hunterout.txt.
  • Proxy and custom header support: Useful for corporate environments requiring proxy routing, custom header/cookie injection, or session handling.
  • Structured output logs: Each module writes findings to dedicated log files (e.g., urlout.txt, output.txt, dumpout.txt, vulout.txt) to streamline reporting.

Directory Structure

SpringBoot/
├── SpringBoot.py         # Main CLI
├── inc/
│   ├── console.py             # Argument router
│   ├── run.py                 # Directory and file scanning workflows
│   ├── vul.py                 # Single-target exploit module (11+ PoCs)
│   ├── poc.py                 # Batch PoC execution
│   ├── zoom.py / fofa.py / hunter.py  # External integrations
│   ├── springcheck.py         # Spring fingerprint validation
│   ├── proxycheck.py          # Proxy & header handling
│   └── output.py              # Banner & usage output
├── Dir.txt                    # Directory brute-force wordlist
├── url.txt / header.txt / urlout.txt ...  # Input/output helper files
└── requirements.txt

Installation

  1. Make sure you have Python 3.8+ installed.

  2. Clone or download the repository.

  3. Install dependencies:

     pip install -r requirements.txt

  4. (Optional) If you use a proxy, pass it with -p in the format ip:port; the tool tests proxy connectivity automatically before scanning.

CLI Arguments

Parameter           Description
-u  / --url         Information disclosure scan on a single target
-uf / --urlfile     Concurrent scan of targets from a TXT file
-v  / --vul         Launch the exploit console for a single target
-vf / --vulfile     Run selected PoCs on targets from a list
-d  / --dump        Download sensitive actuator files (heapdump, hystrix.stream, etc.)
-df / --dumpfile    Sensitive file hunting across multiple targets
-z  / --zoomeye     Enumerate Spring assets using the ZoomEye API
-f  / --fofa        Enumerate assets using the FOFA API
-y  / --hunter      Enumerate assets using the Hunter API
-p  / --proxy       HTTP/HTTPS proxy (e.g., 127.0.0.1:8080)
-t  / --newheader   Custom headers in JSON format (read from header.txt)
-c  / --cookie      Cookie value used for all requests

Typical Use Cases

  1. Single URL information disclosure scan

     python SpringBoot.py -u https://target.com/

  2. Asynchronous scanning from a URL list

     python SpringBoot.py -uf url.txt

     • The tool interactively asks for delay and concurrency values.

  3. Single-target exploit console

     python SpringBoot.py -v https://target.com/

     • From the menu, select the CVE modules to run and execute commands interactively as needed.

  4. Sensitive actuator file downloader

     python SpringBoot.py -d https://target.com/

     • Automatically tests endpoints such as heapdump, gateway/actuator/heapdump, and hystrix.stream.

  5. ZoomEye asset enumeration

     python SpringBoot.py -z YOUR_API_KEY

     • The tool asks for the desired asset count and search query (default: app:"Spring Framework").
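The endpoints that the -d and -u modes probe (heapdump, gateway/actuator/heapdump, hystrix.stream, and the traversal targets /etc/passwd and win.ini named under CVE-2021-21234) are also what a defender should be watching for in web-server access logs. The following detector is an added example and is not part of this toolkit; it parses a constructed sample of Combined Log Format lines, groups requests for sensitive actuator paths by source address, and reports which of them actually returned 200 (an exposed endpoint rather than a mere probe). The choice to treat /actuator/health and /actuator/info as benign, and the probe threshold of 2, are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format); not real traffic.
# 203.0.113.7 walks the actuator paths this README's -d mode tests,
# 198.51.100.4 is ordinary traffic, 192.0.2.9 sends one traversal attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /actuator/heapdump HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /gateway/actuator/heapdump HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /actuator/hystrix.stream HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /actuator/env HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2024:13:58:01 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2024:13:58:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
192.0.2.9 - - [10/Oct/2024:14:02:11 +0000] "GET /download?file=..%2F..%2Fwin.ini HTTP/1.1" 404 0
"""

# Combined/Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Markers taken from the endpoints and files named in this README.
SENSITIVE_MARKERS = ("heapdump", "hystrix.stream")
TRAVERSAL_MARKERS = ("/etc/passwd", "win.ini")
# Assumption: these two actuator endpoints are commonly exposed on purpose.
BENIGN_ACTUATOR = {"/actuator/health", "/actuator/info"}


def classify_path(path):
    """Return a probe category for a request path, or None if it looks benign."""
    # Decode percent-encoding so "..%2F..%2Fwin.ini" is seen as a traversal.
    p = unquote(path).lower()
    if any(m in p for m in TRAVERSAL_MARKERS):
        return "traversal"
    if any(m in p for m in SENSITIVE_MARKERS):
        return "sensitive-actuator"
    # Any other actuator endpoint (env, mappings, ...) counts as enumeration.
    if "/actuator/" in p and p.split("?", 1)[0] not in BENIGN_ACTUATOR:
        return "actuator-enum"
    return None


def detect_actuator_probes(log_text, threshold=2):
    """Group suspicious requests by source IP.

    Returns {ip: {"probes": n, "kinds": [...], "exposed": [paths that returned 200]}}
    for every source that made at least `threshold` suspicious requests.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "kinds": set(), "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        kind = classify_path(m["path"])
        if kind is None:
            continue
        rec = per_ip[m["ip"]]
        rec["probes"] += 1
        rec["kinds"].add(kind)
        if m["status"] == "200":
            # A 200 on a sensitive path means the endpoint is really exposed,
            # which is a finding about the application, not just the scanner.
            rec["exposed"].append(m["path"])
    return {
        ip: {"probes": r["probes"], "kinds": sorted(r["kinds"]), "exposed": r["exposed"]}
        for ip, r in per_ip.items()
        if r["probes"] >= threshold
    }


if __name__ == "__main__":
    for ip, rec in detect_actuator_probes(SAMPLE_LOG).items():
        print(f"{ip}: {rec['probes']} probes, kinds={rec['kinds']}, exposed={rec['exposed']}")
```

Lowering the threshold to 1 surfaces single traversal attempts as well; the default of 2 is tuned to the burst pattern of a concurrent scanner rather than to an isolated request. Header-based vectors such as the routing-expression header used by CVE-2022-22963 do not appear in a standard access log, so this detector only covers the path-based probes.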

Output Files

File                                      Description
urlout.txt                                Sensitive endpoints detected by single URL scans
output.txt                                Results of batch URL scans
dumpout.txt                               Sensitive actuator file findings
vulout.txt                                Endpoints and CVE tags from the exploit/PoC modules
zoomout.txt, fofaout.txt, hunterout.txt   Asset enumeration results
error.log                                 Network errors and exceptions

Supported Exploit Modules

  • CVE-2022-22965 (Spring4Shell) – JSP webshell upload for interactive RCE
  • CVE-2022-22963 – Blind RCE via Spring Cloud Function routing-expression header
  • CVE-2022-22947 – Spring Cloud Gateway SpEL injection for RCE with output capture
  • CVE-2021-21234 – Spring Boot actuator log/view directory traversal (win.ini, /etc/passwd)
  • SnakeYAML RCE, Eureka XStream RCE, Jolokia JNDI RCE, CVE-2018-1273, and PoCs for 2023/2024/2025
  • JeeSpring 2023 file upload – Upload JSP shell under static/uploadify

Modules work for both single-target (-v) and batch PoC (-vf) flows; if no selection is made, all CVEs run sequentially.

External Integrations

  • ZoomEye (-z): Provide your API key and asset limit; default query is app:"Spring Framework".
  • FOFA (-f): Query sent in Base64; default value: icon_hash="116323821" OR body="Whitelabel Error Page".
  • Hunter (-y): Qianxin Hunter API for Spring Whitelabel or custom queries.

These modules automatically inherit proxy and custom header settings.

Advanced Tips

  • Custom header/cookie: Define a JSON-based header set in header.txt for WAF bypass or session handling ({"Authorization": "Bearer ...", "X-Forwarded-For": "..."}).
  • Proxy validation: When -p is used, the tool tests proxy connectivity via https://www.baidu.com before proceeding.
  • Delay & concurrency: For batch scans (-uf), the delay and concurrency values can be tuned to stay within WAF and rate-limit policies.
  • Input files: Make sure url.txt and the other input files are UTF-8 encoded with one host per line. If a line has no scheme, the tool automatically prepends http://.
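The two input formats described above (a UTF-8 url.txt with one host per line and an optional scheme, and a JSON object in header.txt) are easy to get subtly wrong: a BOM, CRLF line endings, blank lines, duplicate hosts, or a non-string header value will all trip up a naive loader. The following loader is an added example, not code from this project; the sample inputs are constructed, and the rejection of non-string values and of CR/LF characters in header names and values is this example's own validation rule, chosen because a CR/LF in a header value would corrupt the request.

```python
import json
from urllib.parse import urlsplit

# Constructed url.txt contents: BOM, stray whitespace, CRLF, a blank line,
# an upper-case scheme, and a duplicate host.
SAMPLE_URL_TXT = (
    "\ufeff target.example.com \r\n"
    "https://api.example.com:8443/\n"
    "\n"
    "HTTP://legacy.example.com/app\n"
    " target.example.com\n"
)

# Constructed header.txt contents in the JSON shape the README describes.
SAMPLE_HEADER_TXT = '{"Authorization": "Bearer example-token", "X-Forwarded-For": "203.0.113.1"}'


def normalize_target(raw):
    """Turn one url.txt line into a canonical http(s) URL, or None if unusable."""
    host = raw.strip()
    if not host:
        return None
    # Same rule as the README: no scheme present -> prepend http://
    if "://" not in host:
        host = "http://" + host
    parts = urlsplit(host)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    path = parts.path or "/"
    return f"{parts.scheme}://{parts.netloc}{path}"


def load_targets(text):
    """Parse url.txt text into a de-duplicated, order-preserving target list."""
    seen = set()
    targets = []
    for line in text.lstrip("\ufeff").splitlines():  # drop a UTF-8 BOM if present
        target = normalize_target(line)
        if target and target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def load_headers(text):
    """Parse header.txt JSON into a flat dict of header name -> value.

    Rejects anything that is not a JSON object of strings, and any name or
    value containing CR/LF (which would inject extra header lines).
    """
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("header.txt must be a JSON object")
    headers = {}
    for name, value in data.items():
        if not isinstance(value, str):
            raise ValueError(f"header {name!r}: value must be a string")
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"header {name!r}: CR/LF characters are not allowed")
        headers[name] = value
    return headers


if __name__ == "__main__":
    print(load_targets(SAMPLE_URL_TXT))
    print(load_headers(SAMPLE_HEADER_TXT))
```

When reading the real files, open them with encoding="utf-8-sig" so the BOM is stripped at the file level as well; the lstrip in load_targets only guards text that was already decoded as plain UTF-8.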

Disclaimer

This project is provided for educational and authorized penetration-testing use only. By running the tool, you acknowledge that:

  1. You have permission to test the specified targets,
  2. You accept full responsibility for any outcome,
  3. The developers cannot be held liable for any damage or misuse.

License

This project is licensed under the MIT License. For more information, see the LICENSE file.
