
Repository Details

CVE-2021-44228 Log4j2 Burp Suite scanner; the ceye.io API or other DNSlog APIs can be customized, including ones on internal networks

JUST FOR TESTING, DON'T ATTACK ANYONE

Discussion group

If the QR code has expired, add WeChat f-f0ng with the note "log4j2burpscanner" to join the discussion.

Follow the official account on the homepage (only security) and reply "log4j2burpscanner" to get the download address.

FAQ (Frequently Asked Questions)

How to use? Download the latest plugin from the releases page.


Default dnslog: https://dns.xn--9tr.com/ (GitHub: DNSLog-Platform-Golang)

0.25.0 update

2023-4-26

  1. Fix bugs

0.24.0 update

2023-3-20

  1. Adapt the selistener tool for intranet vulnerability detection

0.23.0 update

2023-3-10

  1. Prefer the normal payload by default
  2. Show vulnerabilities found with payloads that contain variables
  3. Fix vulnerability points that were not being displayed

0.22.0 update

2023-2-14

  • Fix a problem

0.21.0 update

2022-12-9

  1. Add the prefixparam option


0.20.0 update

2022-11-22

  1. Add the suffixparam option
  2. Use the full spelling of the path
  3. Remove isusepointBypas; replaced by a custom param


0.19 update

2022-05-02

  1. Add polling of dnslog queries for both active and passive scanning

0.18 update

2021-12-25

  1. Send to log4j2 Scanner: the jndi: bypass payloads are used for testing. At present it includes the following three types:

  • j${::-n}di:
  • jn${env::-}di:
  • j${sys:k5:-nD}${lower:i${web:k5:-:}}

0.17 update

2021-12-19

  1. Add a passive-scanning switch (log4j2 Passive Scanner) and a log4j2 Scanner context-menu button (Send to log4j2 Scanner)

  2. Update the payload parameter: add a random string so that the same site and the same path can be told apart, and fix the %20 encoding problem

  3. Recognize multipart/form-data and XML body types

Fix: parameter issue when creating the initial properties file

0.16 update

2021-12-15

  1. Change the UI page

  2. Add the isip param (for the case where there is no domain name and only IP-based detection on the intranet); note that this kind of test records no parameter point (numeric ID) and no host

If you have no other good intranet dnslog tool, you can use the one from KpLi0rn: https://github.com/KpLi0rn/Log4j2Scan

0.15 update

2021-12-14

  1. Add the dnsldaprmi param (dns, ldap, rmi); default dns

  2. Add the isContenttypeRefererOrigin and isAccept params

     isContenttypeRefererOrigin (whether to test Content-Type, Referer, Origin): default off

     isAccept (whether to test Accept-Language, Accept, Accept-Encoding): default off

  3. Add jndi: bypass payloads, but the effect is not good; use with caution

jndi: bypass methods: https://twitter.com/ymzkei5/status/1469765165348704256

  • jn${env::-}di:
  • jn${date:}di${date:':'}
  • j${k8s:k5:-ND}i${sd:k5:-:}
  • j${main:\k5:-Nd}i${spring:k5:-:}
  • j${sys:k5:-nD}${lower:i${web:k5:-:}}
  • j${::-nD}i${::-:}
  • j${EnV:K5:-nD}i:
  • j${loWer:Nd}i${uPper::}

  4. Add log.xn--9tr.com to the white list

In addition, you need to click the restore default button to obtain the latest configuration parameters
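The bypass forms listed above (and the three in the 0.18 notes) all rely on Log4j 2's lookup syntax, `${prefix:key:-default}` with nesting plus the lower/upper/date lookups, resolving back to the literal `jndi:`. As an added illustration that is not part of the plugin, the Python below emulates just enough of that resolution to normalize such strings and flag them, so a defender can apply the same check to request logs or WAF rules; it handles arbitrary nesting, not only the forms listed, and the date handling is an approximation.

```python
import re

# Innermost ${...} lookup, i.e. one with no further "${" inside the braces.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Text between single quotes in a SimpleDateFormat pattern is emitted verbatim.
_DATE_LITERAL = re.compile(r"'([^']*)'")

def _resolve_one(body: str) -> str:
    """Approximate how Log4j 2's StrSubstitutor evaluates a single lookup.

    Modelled: the ':-' default value, the lower/upper lookups and the literal
    parts of a date pattern. Prefixes that cannot be evaluated offline
    (env, sys, k8s, spring, ...) fall back to their default, as they do on
    a host where that key is unset.
    """
    name, default = body.split(":-", 1) if ":-" in body else (body, None)
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "date":
        # Empty pattern -> ""; pattern letters are dropped (good enough here).
        return "".join(_DATE_LITERAL.findall(key))
    if default is not None:
        return default
    return name  # unknown prefix, no default: keep "jndi:..." visible

def normalize_lookups(s: str, max_rounds: int = 32) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = _LOOKUP.sub(lambda m: _resolve_one(m.group(1)), s)
        if resolved == s:
            break
        s = resolved
    return s

def looks_like_jndi(s: str) -> bool:
    """True if the string resolves to something containing 'jndi'."""
    return "jndi" in normalize_lookups(s).lower()

if __name__ == "__main__":
    # Constructed samples: bypass forms listed above plus a benign request line.
    for sample in (r"jn${env::-}di:", r"jn${date:}di${date:':'}",
                   r"j${main:\k5:-Nd}i${spring:k5:-:}", "user=${name} ua=curl/8"):
        print(looks_like_jndi(sample), normalize_lookups(sample), sample)
```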

0.14 update

2021-12-13

  1. Add the rc1 bypass; add a space to the payload

  2. More accurate

  3. Add an intranet dnslog API; the ceye.io API or other APIs can be customized, including ones on internal networks

     Param 1: isprivatedns (whether to use the private dns API)

     Param 2: privatednslogurl (internal dnslog address)

     Param 3: privatednslogurl (internal dnslog response address)

  4. Add controllable params to control the payload

     Param 4: isuseUserAgenttokenXff (whether to test User-Agent, token, X-Forward-for, X-Client-IP): default on

     Param 5: isuseXfflists (whether to test the XFF lists, including other XFF-style headers): default off

     Param 6: isuseAllCookie (whether to test all cookies): default on

Remember to click the restore default button to get the latest dnslog params

0x01 More accurate

0x02 Add an intranet dnslog API; the ceye.io API or other APIs can be customized, including ones on internal networks

Since I don't have an intranet dnslog address, here I use ceye.io to test

Just ensure connectivity between the intranet and the intranet dnslog address, and between the intranet and the dnslog response address

0x03 Add controllable params to control the payload

Fix: when a subdomain was vulnerable, the primary domain was also reported as vulnerable

0.13 update

  1. Add request headers:

["X-Forwarded-For","X-Forwarded","Forwarded-For","Forwarded","X-Requested-With","X-Requested-With", "X-Forwarded-Host","X-remote-IP","X-remote-addr","True-Client-IP","X-Client-IP","Client-IP","X-Real-IP","Ali-CDN-Real-IP","Cdn-Src-Ip","Cdn-Real-Ip","CF-Connecting-IP","X-Cluster-Client-IP","WL-Proxy-Client-IP", "Proxy-Client-IP","Fastly-Client-Ip","True-Client-Ip","X-Originating-IP", "X-Host","X-Custom-IP-Authorization","X-original-host","If-Modified-Since"]

0.12 update

  1. Add recognizable formats:

     body={"a":"1","b":"22222"}

     body={"params":{"a":"1","b":"22222"}}

  2. Add the ceye.io API (https://ceye.io). The ceye API can be customized; click the button to save the configuration, and the Extender output page will display a result such as "Save Success!". Remember to set the isceye property to true, otherwise ceye will fail

  3. More accurate (hostName + path)

Fix: Windows path problem

log4j2burpscanner

CVE-2021-44228 (log4j2 RCE) Burp Suite passive scanner; you can customize the ceye.io API or other APIs, including ones on internal networks

Two SRC (Security Response Center) sites were tested

After loading, a URL will appear; open it to see the dnslog requests. The plugin also keeps its own DNS check record, so this is only for the convenience of later viewing

Characteristics:

0x01 Cookie, XFF and UA payloads

0x02 Domain-name-based uniqueness: the host is added to the dnslog payload

The plugin mainly identifies seven request forms:

  1. GET method, a=1&b=2&c=3
  2. POST method, a=1&b=2&c=3
  3. POST method, {"a":"1","b":"22222"}
  4. POST method, a=1&param={"a":"1","b":"22222"}
  5. POST method, {"params":{"a":"1","b":"22222"}}
  6. POST method, body={"a":"1","b":"22222"}
  7. POST method, body={"params":{"a":"1","b":"22222"}}

If you need to test in the Repeater:

Open Dashboard → Live passive crawl from Proxy and Repeater → tick Repeater

Open Dashboard → Live audit from Proxy and Repeater → tick Repeater


Disclaimers

This tool is only for learning, research and self-examination. It should not be used for illegal purposes. All risks arising from the use of this tool have nothing to do with me!
