Log4j2 intranet scan

Related tags

Security related resourceslog4j2-intranet-scan
Overview

Log4j2-intranet-scan

image-20211224164059264

⚠️ 免责声明

本项目仅面向合法授权的企业安全建设行为,在使用本项目进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权

如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任

在使用本项目前,请您务必审慎阅读、充分理解各条款内容,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意

除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要使用本项目

您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束

1.Features(特性)

  • 该项目是一款无须借助dnslog且完全无害的JNDI反连检测工具,解析RMILDAP协议实现,可用于甲方内网自查

  • Support for lists of URLs.

  • Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools).

  • Fuzzing for HTTP POST Data parameters.

  • Fuzzing for JSON data parameters.

  • WAF Bypass payloads.

2.Installation(安装)

$ pip3 install -r requirements.txt

3.Usage(Jndi监听和记录)

win

JNDIScan-Windows.exe -p 8888

Linux

./JNDIScan-Linux -p 8888

Mac

./JNDIScan-Darwin -p 8888

image-20211224170134585

4.Usage(扫描)

需要配合jndi监听和记录工具使用,--server参数为 jndi监听的内网ip及端口

$ python3 log4j2-intranet-scan.py -h
usage: log4j2-intranet-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--request-type REQUEST_TYPE]
                               [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
                               [--wait-time WAIT_TIME] [--waf-bypass] [--test-CVE-2021-45046] [--server SERVER]
                               [--disable-http-redirects]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Check a single URL. example('http://vultest.com/test.jsp')
  -p PROXY, --proxy PROXY
                        send requests through proxy
  -l USEDLIST, --list USEDLIST
                        Check a list of URLs.
  --request-type REQUEST_TYPE
                        Request Type: (get, post) - [Default: get].
  --headers-file HEADERS_FILE
                        Headers fuzzing list - [default: headers.txt].
  --run-all-tests       Run all available tests on each URL.
  --exclude-user-agent-fuzzing
                        Exclude User-Agent header from fuzzing - useful to bypass weak checks on User-Agents.
  --wait-time WAIT_TIME
                        Wait time after all URLs are processed (in seconds) - [Default: 5].
  --waf-bypass          Extend scans with WAF bypass payloads.
  --test-CVE-2021-45046
                        Test using payloads for CVE-2021-45046 (detection payloads).
  --server SERVER       ldap_server
  --disable-http-redirects
                        Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have
                        higher chance of reaching vulnerable systems.

Scan a Single URL(GET)

$ python3 log4j2-intranet-scan.py --server "192.168.130.1:8888" -u https://vultest.com/login.jsp

Scan a Single URL using all Request Methods: GET, POST (url-encoded form), POST (JSON body)

$ python3 log4j2-intranet-scan.py --server "192.168.130.1:8888" -u https://vultest.com/login.jsp --run-all-tests

Discover WAF bypasses on the environment.

$ python3 log4j2-intranet-scan.py --server "192.168.130.1:8888" -u https://vultest.com/login.jsp --waf-bypass

Scan a list of URLs

$ python3  log4j2-intranet-scan.py --server "192.168.130.1:8888" -l urls.txt

5.Example(演示)

监听结果存储在当前文件夹下的result.html文件中,查看路径参数在批量扫描中可以定位到存在漏洞的uri,需要配合扫描生成的scanfile.txt中的随机路径参数使用

Single URL

image-20211224171847693

Urllist

image-20211224171753055

6.reference(参考/致谢)

站在巨人的肩膀上coding,该项目部分工具和代码来自以下两个项目

log4j-scan

JNDIScan

7.docker(靶场)

靶场环境来自雷石安全实验室

docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
docker exec -it log4j_vuln_container /bin/bash
/bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh
You might also like...
Scan Site - Tools For Scanning Any Site and Get Site Information
Scan Site - Tools For Scanning Any Site and Get Site Information

Site Scanner Tools For Scanning Any Site and Get Site Information Example Require - pip install colorama - pip install requests How To Use Download Th

NumeX 5 Mar 19, 2022
Mass scan for .git repository and .env file exposure

Mass .Git repository and .Env file Scan by Scarmandef Scanner to find .env file and .git repository exposure on multiple hosts Because of the response

null 8 Jun 23, 2022
Let's you scan the entire internet in a couple of hours and identify all Minecraft servers on IPV4

Minecraft-Server-Scanner Let's you scan the entire internet in a couple of hours and identify all Minecraft servers on IPV4 Installation and running i

null 116 Jan 8, 2023
A Tool for subdomain scan with other tools

ReconTracer A Tool for subdomain scan with other tools ReconTracer Find subdomains by using another amazing sources!. Obs: In a close future recontrac

null 15 Dec 18, 2021
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 9 Dec 30, 2022
NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains
NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains

NexScanner NexScanner is a tool which helps you scan a website for sub-domains and also to find login pages in the website like the admin login panel

null 8 Sep 3, 2022
This is tools hacking for scan vuln in port web, happy using
This is tools hacking for scan vuln in port web, happy using

Xnuvers007 PortInjection this is tools hacking for scan vuln in port web, happy using view/show python 3.9 solo coder (tangerang) 19 y/o installation

XnuxersXploitXen 6 Dec 24, 2022
Um script simples de Port Scan + DNS by Hostname
Um script simples de Port Scan + DNS by Hostname

🖥 PortScan-DNS Esta é uma ferramenta simples de Port Scan + DNS by Hostname... 💻 | DNS Resolver / by Hostname: HOST IP EXTERNO IP INTERNO 💻 | Port

AlbâniaSecurity-RT 7 Dec 8, 2022
Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

js-on 2 Nov 24, 2022
Owner
k3rwin
k3rwin
GitHub Repository
A token logger for discord + steals Brave/Chrome passwords and usernames

Backdoor Machine - ❗ For educational purposes only ❗ A program made in python for stealing passwords and usernames from Google Chrome/Brave and tokenl

36 Jul 18, 2021
CVE-2022-21907 Vulnerability PoC

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17, just some sm

Michele 16 Dec 18, 2022
CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞 creat

antx 365 Nov 30, 2022
In this program, I generate the strong password from existing password without class using python. The special thing in this program is that is generate very strong password from our existing password. It replaces some elements from password and put another elements in it.

Strong-password-Generator-from-existing-password-using-python In this program, I generate the strong password from existing password without class usi

Sachin Vinayak Dabhade 4 Sep 24, 2021
Hikvision 流媒体管理服务器敏感信息泄漏

Hikvisioninformation Hikvision 流媒体管理服务器敏感信息泄漏 Options optional arguments: -h, --help show this help message and exit -u url, --url url

Henry4E36 13 Nov 09, 2022
AnonStress-Stored-XSS-Exploit - An exploit and demonstration on how to exploit a Stored XSS vulnerability in anonstress

AnonStress Stored XSS Exploit An exploit and demonstration on how to exploit a S

صلى الله على محمد وآله 3 Jun 22, 2022
A bare-bones POC container runner in python

pybox A proof-of-concept bare-bones container written in 50 lines of python code. Provides namespace isolation and resource limit control Usage Insta

Anirudh Haritas Murali 5 Jun 03, 2021
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 02, 2023
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021
Burp Extensions

Burp Extensions This is a collection of extensions to Burp Suite that I have written. getAllParams.py - Version 1.2 This is a python extension that ru

/XNL-h4ck3r 364 Dec 30, 2022
This repo is about steps to create a effective custom wordlist in a few clicks/

Custom Wordlist This repo is about steps to take in order to create a effective custom wordlist in a few clicks. this comes handing in pentesting enga

2 Oct 08, 2022
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

Teppei Fukuda 80 Nov 28, 2022
Password List Maker

Red-Key Red-Key Password List Maker Version 1.1.2 Created By FireKing255 -=Features=- Create Random Password List Create Password List Create Password

FireKing255 7 Dec 26, 2021
Source code for "A Two-Stream AMR-enhanced Model for Document-level Event Argument Extraction" @ NAACL 2022

TSAR Source code for NAACL 2022 paper: A Two-Stream AMR-enhanced Model for Document-level Event Argument Extraction. 🔥 Introduction We focus on extra

21 Sep 24, 2022
A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description This demo Tomcat 8 server has a vulnerable app deployed on it and is also vulne

60 Dec 10, 2022
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

Google 893 Jan 04, 2023
A fast tool to scan prototype pollution vulnerability

proto A fast tool to scan prototype pollution vulnerability Syntax python3 proto.py -l alive.txt Requirements Selenium Google Chrome Webdriver Note :

Muhammed Mahdi 4 Aug 31, 2021
Utility for Extracting all passwords from ConnectWise Automate

CWA Password Extractor Utility for Extracting all passwords from ConnectWise Automate (E.g. while migrating to a new system). Outputs a csv file with

Matthew Kyles 1 Dec 09, 2021
🍯 16 honeypots in a single pypi package (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres & MySQL)

Easy to setup customizable honeypots for monitoring network traffic, bots activities and username\password credentials. The current available honeypot

QeeqBox 259 Dec 31, 2022
Solución al reto BBVA Contigo, Hack BBVA 2021

Solution Solución propuesta para el reto BBVA Contigo del Hackathon BBVA 2021. Equipo Mexdapy. Integrantes: David Pedroza Segoviano Regina Priscila Ba

Gabriel Missael Barco 2 Dec 06, 2021