log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Related tags

Security related resourceslog4j2_dos_exploit
Overview

说明 about

author: 我超怕的

blog: https://www.cnblogs.com/iAmSoScArEd/

github: https://github.com/iAmSOScArEd/

date: 2021-12-20

log4j2 dos exploit

log4j2 dos 漏洞利用脚本

CVE-2021-45105 Exploit

CVE-2021-45105 利用脚本

利用方式 how to use

English:

Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>

-u,--url    	 attack target
-m,--method    http method, only get and post. default is get.
-d,--data   	 get or post params, json format like:{\"username\":\"\"}
-H,--header    request header, json format like:{\"user-agent\":\"\"}
-l,--loop    	 payload loop times (or length),default 100.it is determine where is the params, example get param max length or post param max length or request header max length
-t,--thread    attack thread. default is 0, just request once.

usage:
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"}
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -l 500
Log4j2_dos.py -u http://url.com/ -m post -H {\"user-agent\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -H {\"user-agent\":\"\"} -l 500

Output format:

[+] normal time:0.11111

[+] attack time:2.00000

if attack time -normal time>1 or something,it maybe exist vulnerability,can use -t param set attack thread.

中文:

 Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>
 
-u,--url   		 攻击目标
-m,--method    默认为get,http方式,仅支持get和post
-d,--data   	 get或post请求参数,json格式,如:{\"username\":\"\"}
-H,--header    请求头, json格式, 如:{\"user-agent\":\"\"}
-l,--loop    	 默认为100,payload循环长度,根据参数在不同的位置,设置不同的数值,如请求头最大允许长度、get最大长度、post最大长度
-t,--thread    默认为0,表示仅请求一次,攻击线程.。

输出格式:

[+] normal time:0.11111

[+] attack time:2.00000

如果attack time延迟很大,说明漏洞存在,可以利用-t参数设置攻击线程

免责声明

请勿用于非法用途,仅供学习参考。 任何违法行为与本人无关。

蹩脚英语,没用翻译,将就看。

By:我超怕的

Owner
fqm
GitHub Repository
This a simple tool XSS Detection Suite for CTFs games

This a simple tool XSS Detection Suite for CTFs games

Mostafa 2 Nov 24, 2021
Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Rehman Ali 3 Jan 03, 2023
A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.

BurpParamFlagger A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF

Allyson O'Malley 118 Nov 07, 2022
CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware.

CVE-2021-43936 CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware. This vulnerability w

Jeremiasz Pluta 8 Jul 05, 2022
The Modern Hash Identification System

🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 3000+ other hashes ☄ Comes with a neat web app 🔥

1.2k Dec 28, 2022
Anti-Nuke capabilities, powerful moderation features, auto punishments, captcha-verification and more.

Server-Security-Discord-Bot Anti-Nuke capabilities, powerful moderation features, auto punishments, captcha-verification and more. Installation Instal

20 Apr 07, 2022
Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.

django-permissions-policy Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app. Requirements Python 3.

Adam Johnson 76 Nov 30, 2022
Worm/Trojan/Ransomware/apt/Rootkit/Virus Database

Pestilence - The Malware Database [] Screenshot Pestilence is a project created to make the possibility of malware analysis open and available to the

*ERR0R* 47 Dec 21, 2022
CC CAMERA HACKING TOOL

CAM-HACK CC CAMERA HACKING TOOL Installation On Termux $ apt update

Aryan 10 Sep 25, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

258 Jan 02, 2023
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

Vadi 329 Jan 01, 2023
web指纹识别工具

前言 一直苦于没有用的顺手的web指纹识别工具,学习前辈s7ckTeam的Glass和broken5的WebAliveScan优秀开源程序开发的轻量型web指纹工具。

EASY 966 Dec 26, 2022
A tool to extract the IdP cert from vCenter backups and log in as Administrator

vCenter SAML Login Tool A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator Background Commonly, durin

Horizon 3 AI Inc 343 Dec 31, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 03, 2023
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
Python lib to automate basic QFT calculations like Wick-contractions.

QFTools Python lib to automate basic QFT calculations like Wick-contractions. Features Wick contractions for real scalar fields Wick contractions for

2 Aug 21, 2022
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Fuzz introspector Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potenti

Open Source Security Foundation (OpenSSF) 221 Jan 01, 2023
Trainspotting - Python Dependency Injector based on interface binding

Choose dependency injection Friendly with MyPy Supports lazy injections Supports

avito.tech 3 Jan 26, 2022
SonicWALL SSL-VPN Web Server Vulnerable Exploit

SonicWALL SSL-VPN Web Server Vulnerable Exploit

44 Nov 15, 2022
Anti Supercookie - Confusing the ISP & Escaping the Supercookie

Confusing the ISP & Escaping the Supercookie

Baris Dincer 2 Nov 22, 2022