Log4jScanner

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Disclaimer

💻 This project was created only for good purposes and personal use.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

• Fast & MultiThreaded
• Scan for Log4j RCE (CVE-2021-44228, CVE-2021-45046)
• Over 30 Obfuscated Log4j Payload
• Mainly Designed for Mass Scale Bug Bounty
• Available Scan Type: Basic Scan & Full Scan
  • In Basic Scan, Only 1 Basic Log4Shell Payload is used for testing web app
  • In Full Scan, All Available Log4Shell Payloads are used
• Log4jScanner Fuzz all the potential endpoints such as
  • HTTP Headers
  • GET Based Parameter + Without Malicious Headers
  • POST Based Paramter with JSON Body + Without Malicious Headers
  • POST Based Paramater with Post Parameters + Without Malicious Headers
  • GET Based Parameter + With Malicious Headers
  • POST Based Paramter with JSON Body + With Malicious Headers
  • POST Based Paramater with Post Parameters + With Malicious Headers
• Log4jScanner Also tries to Fuzz Possible POST Parameters such as:
  • Feel FREE to Add/Remove any POST Parameter

["username", "user", "email", "email_address", "password", "id", "action", "page", "q", "submit", "token", "data", "order", "lang", "search", "redirect", "country", "hidden"]

Prerequisite

• Python 3.X

Installation

• Install Python3 on your system, As Python comes preinstalled in Linux & MacOS, Simply run this pip command
• This Python Module is OS Independent, & thus you can easily install it using this pip command

$ python3 -m pip install Log4jScanner

OR

$ pip3 install Log4jScanner

Usage

• Type log4jscanner -h for help menu

• Only --url-list or --url are mandatory parameter/flags.
• You can also import this module in your code

from log4jscanner import Log4jScanner

# test = Log4jScanner.Log4jScanner(file_containing_urls, url_list, ThreadNumber, timeout, custom_dns_callback_host, dns_callback_provider, disable_redirect, exclude_user_agent_fuzzing, basic_scan, file_containing_headers)
# Available Headers file path: db/headers-large.txt, db/headers-minimal.txt, db/headers.txt
# Or you can Given Full Path of File Containing HTTP Request Headers
test = Log4jScanner.Log4jScanner("", ["https://google.com"], 30, 30, "", "interact.sh", False, False, False, "db/headers.txt")
vuln_url_list = test.start()

for url in vuln_url_list:
    print(url)

Usage Example

# Basic Recon (Passive Subdomain Enumeration)
$ subfinder -d bugcrowd.com -nC -silent -o subdomains.txt && cat subdomains.txt | httpx -nc -silent > httpx_subdomains.txt

$ log4jscanner -m httpx_subdomains.txt 

Screenshots:

Help Menu

Single URL - Basic Scan

Link:

• Documentation
• PyPI

License

This project is licensed under the GNU License (see the LICENSE file for details).