779789571 / log4j2burpscanner

CVE-2021-44228 log4j2 RCE Burp Suite Passive Scanner,can customize the ceye.io api or other apis,including internal networks

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

JUST FOR TESTING,DON'T ATTACK ANYONE

FAQ Frequently Asked Questions

how to use? releases download the latest plugin

简体中文|English

default dnslog DNSLog-Platform-Golang、 ldap、rmi platform Log4j2Scan

0.16 update

2021-12-15

1.change the UI page

2.add isip param(for the case that there is no domain name and only IP detection in the intranet) but this kind of test has no parameter point digital ID and no host

If there are no other good intranet dnslog tools to replace, you can link the tools of KpLi0rn https://github.com/KpLi0rn/Log4j2Scan

0.15 update

2021-12-14

1.add dnsldaprmi param (dns、ldap、rmi) default dns

2.add isContenttypeRefererOrigin param 、isAccept param

isContenttypeRefererOrigin param(whether test Content-Type、Referer、Origin)default off

isAccept param(whether test Accept-Language、Accept、Accept-Encoding)default off

3.add bypass jndi: ,but the effect is not good,use with caution

jndi: bypass methods https://twitter.com/ymzkei5/status/1469765165348704256

  • jn${env::-}di:
  • jn${date:}di${date:':'}
  • j${k8s:k5:-ND}i${sd:k5:-:}
  • j${main:\k5:-Nd}i${spring:k5:-:}
  • j${sys:k5:-nD}${lower:i${web:k5:-:}}
  • j${::-nD}i${::-:}
  • j${EnV:K5:-nD}i:
  • j${loWer:Nd}i${uPper::}

4.add log.xn--9tr.com to the white list

In addition, you need to click this button to obtain the latest configuration parameters

0.14 update

2021-12-13

1.add bypass rc1,add space to the payload

2.more accurate

3.add Intranet dnslog api,can customize the ceye.io api or other apis,including internal networks

Param 1:isprivatedns(whether to use private dns api)

Param 2:privatednslogurl(internal dnslog address)

Param 3:privatednslogurl(internal dnslog response address)

4.add controllable params to control the payload

Param 4:isuseUserAgenttokenXff(whether test User-agent、token、X-Forward-for、X-Client-IP) default on

Param 5:isuseXfflists(whether test xff lists,including others xff)default off

Param 6:isuseAllCookie(whether test all cookie)default on

Remember to click restore default button to get the latest dnslog params

0x01 More accurate

0x02 Add Intranet dnslog api,can customize the ceye.io api or other apis,including internal networks

Since I don't have an intranet dnslog address,here I use ceye.io to test

Just ensure the connectivity between intranet and Intranet dnslog address, intranet and dnslog response address

0x03 Add controllable params to control the payload

Fix problem: Due to the vulnerability of the sub domain name, the primary domain name will also report the vulnerability

0.13 update

1.add request headers

["X-Forwarded-For","X-Forwarded","Forwarded-For","Forwarded","X-Requested-With","X-Requested-With", "X-Forwarded-Host","X-remote-IP","X-remote-addr","True-Client-IP","X-Client-IP","Client-IP","X-Real-IP","Ali-CDN-Real-IP","Cdn-Src-Ip","Cdn-Real-Ip","CF-Connecting-IP","X-Cluster-Client-IP","WL-Proxy-Client-IP", "Proxy-Client-IP","Fastly-Client-Ip","True-Client-Ip","X-Originating-IP", "X-Host","X-Custom-IP-Authorization","X-original-host","If-Modified-Since"]

0.12 update

1.add recognizable format

body={"a":"1","b":"22222"}

body={"params":{"a":"1","b":"22222"}})

2.add ceye.io api(https://ceye.io),can customize the ceye API,click the button to save configuration,the Extender output page will be display the results such as "Save Success!".Remember to set isceye property to true,otherwise ceye will fail

3.more accurate(hostName + path) image

Fix problem: windows path problem

log4j2burpscanner

CVE-2021-44228,log4j2 RCE Burp Suite Passive Scanner,and u can customize the ceye.io api or other apis,including internal networks

image

image

Two SRC(Security Response Center) sites were tested image

After loading,a url will appear,access it to see the dnslog request,of course,the plugin has its own DNS check record,this is only for the convenience of subsequent viewing image

characteristics:

0x01 Cookie、XFF、UA payload

0x02 Domain name based uniqueness,add host to dnslog payload

Plug ins mainly identify seven forms:

1.get method,a=1&b=2&c=3

2.post method,a=1&b=2&c=3

3.post method,{“a”:”1”,”b”:”22222”}

4.post method,a=1&param={“a”:”1”,”b”:”22222”}

5.post method,{"params":{"a":"1","b":"22222"}}

6.post method,body={"a":"1","b":"22222"}

7.post method,body={"params":{"a":"1","b":"22222"}}

if u need to test in the repeater

open dashbord→Live passive crawl from Proxy and Repeater→tick repeater

open dashbord→Live audit from Proxy and Repeater→tick repeater image

image

Disclaimers

This tool is only for learning, research and self-examination. It should not be used for illegal purposes. All risks arising from the use of this tool have nothing to do with me!

About

CVE-2021-44228 log4j2 RCE Burp Suite Passive Scanner,can customize the ceye.io api or other apis,including internal networks


Languages

Language:Java 100.0%