- Support for lists of URLs.
- Fuzzing for more than 60 HTTP request headers.
- Fuzzing for HTTP POST Data parameters.
- Fuzzing for JSON data parameters.
- Supports DNS callback for vulnerability discovery and validation.
- WAF Bypass payloads.
There is a patch bypass on Log4J v2.15.0 that allows a full RCE. This log4shell script reliably detect CVE-2021-45046. If you're having difficulty discovering and scanning your infrastructure at scale or keeping up with the Log4J threat.
This script shall be used by security teams to scan their infrastructure for Log4J RCE, and also test for WAF bypasses that can result in achiving code execution on the organization's environment.
It supports DNS OOB callbacks out of the box, there is no need to setup a DNS callback server.
$ git clone https://github.com/r00thunter/Log4Shell.git
$ cd Log4shell
$ pip3 install -r requirements.txt
$ python3 log4shell.py -u <target url>
$ python3 log4shell.py -u <target url> --run-all-tests
$ python3 log4shell.py -u <target url> --waf-bypass
$ python3 log4shell.py -l url-list.txt