whwlsfb / log4j2scan Goto Github PK

Log4j2 RCE Passive Scanner plugin for BurpSuite

License: Apache License 2.0

Java 100.00%

log4j2scan's Introduction

Log4j2Scan

This tool is only for learning, research and self-examination. It should not be used for illegal purposes. All risks arising from the use of this tool have nothing to do with me!

dnslog.cn is unable to access the interface from time to time due to the number of requests. If you are unable to scan, please try change dnslog platform from UI.

English | 简体中文

Log4j2 Remote Code Execution Vulnerability, Passive Scan Plugin for BurpSuite.

Support accurate hint vulnerability parameters, vulnerability location, support multi-dnslog platform extension, automatic ignore static files.

Vulnerability detection only supports the following types for now

Url
Cookie
Header
Body(x-www-form-urlencoded, json, xml, multipart)

Build

Maven and JDK 11.0 or later is recommended

$ mvn package

ChangeLog

2021/12/15

v0.9

add GoDnslog backend, thx for @54Pany .
add fuzz setting ui.
add poc setting ui.
add Body(json, xml, multipart) fuzz.
opt header guess-fuzz logic.

2021/12/14

v0.8.1

bypass dnslog.cn filter.

v0.8

add backend setting panel.
add RevSuit-DNS backend.

2021/12/13

v0.7

add RevSuit-RMI backend.
fix domain toLowerCase by server can't match issue.

2021/12/12

v0.6

add static-file ignore.
add mulit poc support.
add burpcollaborator dnslog backend,default use dnslog.cn.

2021/12/11

v0.5

add header fuzz.

v0.4

add rc1 patch bypass.

Screenshot

Acknowledgements

Some of the code in the plugin is borrowed from the following projects

https://github.com/pmiaowu/BurpShiroPassiveScan/

log4j2scan's People

Contributors

Stargazers

Watchers

Forkers

hanc00l admpri lyrhy t1ger7 src-kun cybereditz getcode2git wule108 test123test111 yyxxzz fdlucifer yuanjianqiang513 fanyibo2009 fbion patrickstarwow skommando soliontheroad houseoforange m00nt0 zfyy1x v0wkeep3r anqisec bl4cklabel88 dingxiao77 fengchenzxc lovelyjuice qianniaoge shuxiaa wooyun-evil lowliness9 sec-fork go-bi a1124510616 alilash-github lookout2020 nd230 thecryinggame sts0mrg0 30579096 ahlo666 fanxu55 simplehang amranth waydmy mr-xn root13920 1294qqcom fostane istoliving bearowang asura88 zhzyker 0000000100000000 test2504 ba1ma0 liutufang nu1l1 wuha0926 yilucode polling-repo-continua h1ck0r want2live233 5l1v3r1 ms-f001 c1371064 xichawai atomxw pm0kx no-github lonewolf1927 nanaao jkme bobipoppy geyo08 hello-sucess mssky9527 ipop niweixiaoshihaomeilll a099 xibotao kitgenius louisnie c0isini grow520 github-user-6 lcyluke estamelgg

log4j2scan's Issues

打包失败

public class Ceye implements IBackend {
    OkHttpClient client = new OkHttpClient().newBuilder().
            connectTimeout(3000, TimeUnit.SECONDS).
            callTimeout(3000, TimeUnit.SECONDS).build();
    String platformUrl = "http://api.ceye.io/";
    String rootDomain = "xxx.ceye.io";
    String token = "xxxx";

public Log4j2Scanner(final BurpExtender newParent) {
     this.parent = newParent;
     this.helper = newParent.helpers;
     this.pocs = new IPOC[]{new POC1(), new POC2(), new POC3(), new POC4(), new POC11()};
     this.backend = new Ceye("xxx.ceye.io", "xxxx");
     if (this.backend.getState()) {
         parent.stdout.println("Log4j2Scan loaded successfully!\r\n");
     } else {
         parent.stdout.println("Backend init failed!\r\n");
     }
 }

这样配置会导致打包失败，如果我直接在Log4j2Scanner中使用this.backend = new Ceye();可以打包，但收不到bp警告

优化建议

目前在安全测试过程中发现一些系统存在响应延迟的问题，有时会延迟几小时甚至几天，建议作者大大增加一个可选项，在发送payload的时候增加外带域名信息。

method GET must not have a request body.

扫靶场，一直报错这个

Dnslog init failed!

Hello!

I've added the .jar file to my Burp Extensions extender tab and I get this following error:

initDomain failed: www.dnslog.cn: No address associated with hostname

自定义添加poc

在测试过程中发现一些网站存在cdn或者waf会进行拦截请求，，但是目标是存在漏洞的，，需要手动添加bypass绕过poc进行测试，希望可以添加手动增加插件poc的功能这样测试起来会方便很多效率也会提高。

切换为ceye.io要改二个文件么

原来的说明是要改二个文件现在没说明了只说一个文件
纯白不太了解哈还有一个问题这个支持1.7.32的么

poc有点问题

${jndi%3aldap%3a//1639124684979z9ZTn./233266}

点后面没东西，可能是没有加载到dnslog的域名

大佬看到回一下感谢

这是咋用的就bp抓包就然后工具就自己扫了呗但是我看历史流量没有payload啊。。。我也不知到使用没，不太会用大佬可以教我一下吗还有群满了。。。想加

建议添加GoDnslog端口号的选项

国内的vps使用80端口必须备案域名才能访问，然而插件里面又没有提供更改端口号的选项，而是直接访问vps的80端口查询dns记录。所以如果自建的godnslog服务器在国内的话这个插件就用不了了。

能否增加打成功的，数据包详情，有些有WAF，不知道是哪个poc

内网检测版本

之前基于大佬的0.7版本写了个内网扫描的，但是paramfuzz里面有些问题。问下这个0.9版本的RevSuitRMI是给内网用的么？
微信群进不去求拉vx:Coder19

自定义head头

我测试的是靶机，log4j2 漏洞的请求头的触发点环境，请求头 X-Api-Version字段

像这种需要发送到重放然后添加head的包是不是无法检测？

建议增加对 JNDIScan支持

https://github.com/EmYiQing/JNDIScan 该项目用于内网检测很好，而且对于第三方dnslog不稳定，容易被ban，考虑增加个tab选项

dnslog其他格式

你好，作者大哥，能不能再添加一个dnslog.cn方式类似dnslog接口
只需要自己填自己的一个 identifer 和url。不是写死的token。url的格式可以各种自定义，token只是url的一小部分而已。
 url可以是：
http://www.MDNS.com/repoonsetoken=xxxxxxxx
http://www.MDNS.com/xxxxxxxx/*.xxxMDNS.com


比如：
https://github.com/f0ng/log4j2burpscanner这个dns自定义的添加方式

比如
随机字符.aaaa.com
然后再 www.mydnslog.cn 里面匹配     随机字符.aaaa.com 是否存在

emmm，关于ceye的一点小问题

我在测试的时候发现，如果ceye上没有收到http类型请求，只接收到DNS请求的话，就无法在burp上反馈探测出log4j2的RCE，要锁定就会变得相当麻烦，是否可以增添一下对ceye的dns类型的type的支持呢？

感觉哪儿有问题啊，dashboard跟target那里都不变红

dnslogcn跟自己编译的ceye测试都能有请求，但是dashboard这里不提示有漏洞。

对参数没有fuzz吗？

看log日志记录发现没有对GET、POST参数进行fuzz，
是我的设置有问题吗？

希望可以自定义payload中的ip和端口

这样就能和这个工具在内网联动了https://github.com/EmYiQing/JNDIScan/

遇到会ceye上出现记录了，但是burp上一直没有显示，会有很长时间的延迟，有时候长有时候短

readme 写法调用错误

不是this.dnslog = new DnslogCN();

而是this.backend = new DnslogCN();

为什么我设置了revsuit rmi 但是探测仍然是使用的dnslog呢？

设置的revsuit rmi，并且应用了

从extender的输出来看仍然是使用 dnslog测试的

revsuit平台的 rmi log 也是没有记录的

java compile error for burp extension

There is an error when I try to compile java files to jar for add an extension for burp suite

JNDI: WAF Bypass

jndi:
jn${env::-}di:
jn${date:}di${date:':'}

j${k8s:k5:-ND}i${sd:k5:-:}
j${main:\k5:-Nd}i${spring:k5:-:}
j${sys:k5:-nD}${lower:i${web:k5:-:}}
j${::-nD}i${::-:}
j${EnV:K5:-nD}i:
j${loWer:Nd}i${uPper::}

I think its time to add more waf bypass since jndi: part most likely blocked by waf right now
https://twitter.com/ymzkei5/status/1469765165348704256

suggestion

建议一次性在数据包中添加所有的请求头字段，比如X-Originating-IP、Client-IP、X-Forwarded-For全部放到一个请求包中，不然对一个数据包，插件要发送上百个请求太慢了（或者在GUI界面允许用户选择是否这么做）

在内网不出网或没有域名的情况下，建议采用${jndi:dns://xxx.xxx.xxx.xxx:port/dnsFlag.XXX}的方式来检测

目前的RevSuitDNS及POC9是用${jndi:dns://xxx.dnsFlag.domain}/yyy}的方式，还是依赖域名；如果改成${jndi:dns://domain/dnsFlag.XXX}的方式domain指定为ip，用dnsFlag.XXX来作为检测，可以去除域名依赖，最终exp为${jndi:dns://1.2.3.4/dnsFlag.xxx/yyy}。我小改了一下，只需要修改三行代码。

作者可以看看是否可行

导入以后没有模块出现

是对JAVA版本有要求吗

bp版本21.10.3插件无法生效

load成功

访问tools本地环境

interactsh support pls

能否添加支持自建的interactsh平台？可提供测试环境

erro

Display when I import the plug-in
Backend init failed!

dnslog.cn/getdomain.php 返回404了

看正确的好像变成这样了
GET /getsubdomain.php?t=0.892059940138602 HTTP/1.1
Host: www.dnslog.cn
Pragma: no-cache
Cache-Control: no-cache

已不兼容burpsuite 2022.9.1

日志如下：

Log4j2Scan v0.12
Log4j2Scan loaded successfully!

Scanning: http://123.58.224.8:30596/hello?payload=111
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
Scan complete: http://123.58.224.8:30596/hello?payload=111 - No issue found.
Scanning: http://123.58.224.8:30596/
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
java.lang.IllegalArgumentException: method GET must not have a request body.
Scan complete: http://123.58.224.8:30596/ - No issue found.
Log4j2Scan loaded successfully!

Log4j2Scan loaded successfully!

Scanning: http://123.58.224.8:30596/hello?payload=111
Scan complete: http://123.58.224.8:30596/hello?payload=111 - No issue found.

已经无法正常发包，logger无发包记录。

Adding the option to switch to burp collaborator

Can you please add the feature to switch to bup collaborator in the extension itself?

这个错误是什么

burp.utils.ParamReplace@5cea84c9
burp.utils.ParamReplace@ed658a0
burp.utils.ParamReplace@23b61398
burp.utils.ParamReplace@52a161d
burp.utils.ParamReplace@dee16bd
burp.utils.ParamReplace@31c15cf8
burp.utils.ParamReplace@22f8a38b
burp.utils.ParamReplace@7737c33
很多有时又没有