CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
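The version ranges in the description above can be turned into an inventory check for `log4j-core` jars found on disk. This is an added example, not code from the scanner or from Apache; the function names, status labels and sample jar names are constructed for illustration, and treating later patch releases on the 2.3.x and 2.12.x lines like the named security releases is an assumption of this example.

```python
import re

# Release ordering inside one x.y.z: alpha < beta < rc < final.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_NAME = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$"
)

def parse_version(jar_name):
    """Return a sortable tuple for a log4j-core jar name, or None."""
    m = _NAME.search(jar_name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(num or 0))

def classify(jar_name):
    """Map a jar name to the status given in the CVE description."""
    v = parse_version(jar_name)
    if v is None:
        return "not-log4j-core"            # e.g. log4net, log4cxx, log4j 1.x
    if v < (2, 0, 0, _STAGE["beta"], 9):
        return "outside-affected-range"    # earlier than 2.0-beta9
    # Security releases named in the description: 2.3.1, 2.12.2, 2.12.3.
    # Assumption: later patch releases on those two lines keep the removal.
    if (v[:2] == (2, 3) and v[2] >= 1) or (v[:2] == (2, 12) and v[2] >= 2):
        return "jndi-removed"
    if v >= (2, 16, 0, 0, 0):
        return "jndi-removed"
    if v >= (2, 15, 0, 0, 0):
        return "affected-lookups-off-by-default"
    return "affected"

def inventory(jar_names):
    """Classify every jar name; returns {name: status}."""
    return {name: classify(name) for name in jar_names}

# Constructed sample input (not taken from any real host).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.0-beta8.jar",
    "/srv/legacy/log4j-core-2.12.2.jar",
    "/srv/api/log4j-core-2.15.0.jar",
    "/srv/api/log4j-core-2.17.1.jar",
]

if __name__ == "__main__":
    for name, status in inventory(SAMPLE_JARS).items():
        print(f"{status:34} {name}")
```

A jar name match only identifies the packaged version; shaded or repackaged copies of `log4j-core` inside other archives need a content-based check.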
Description
Scanner for the Log4j vulnerability dubbed Log4Shell (CVE-2021-44228)
Readme
<h1 align="center">PY-Log4ShellScanner</h1>
<h4 align="center">A simple, one-file DNSLog server with HTTP endpoint for log retrieval</h4>

# Credit
Based on the Log4jScanner by fullhunt.io, modified to add multithreading and a custom DNS callback server.

# Features
- Support for lists of URLs
- Fuzzing for more than 60 HTTP request headers, with ability to add custom ones
- Fuzzing for HTTP POST Data parameters
- Fuzzing for JSON data parameters
- Multithreaded searches
- DNS Callback via self-hosted [scheibling/py-dnslogserver](https://github.com/scheibling/py-dnslogserver)
- WAF Bypass payloads

# Usage
## Preparations
```shell
pip3 install -r requirements.txt
```

## CLI
```shell
$ python3 py-log4shellscanner.py -h
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Provided by https://github.com/scheibling
[•] Originally developed by FullHunt.io
[•] Version 1.0
usage: py-log4shellscanner.py [-h] -d DNSLOG_DOMAIN [-t TARGETS_FILE] [-i HEADERS_FILE] [-c CONCURRENT_REQUESTS] [--skip-waf-bypass] [-p PROXY_SERVER]

options:
  -h, --help            show this help message and exit
  -d DNSLOG_DOMAIN, --dnslog-domain DNSLOG_DOMAIN
                        The DNSLog domain to use for the requests
  -t TARGETS_FILE, --targets-file TARGETS_FILE
                        The hosts file to use for the requests (default: targets.txt)
  -i HEADERS_FILE, --headers HEADERS_FILE
                        The file containing the headers for the requests (Default: headers.txt)
  -c CONCURRENT_REQUESTS, --concurrent-requests CONCURRENT_REQUESTS
                        The number of concurrent requests to use (Default: 10)
  -p PROXY_SERVER, --proxy-server PROXY_SERVER
                        Proxy server to use for the scans
  --skip-waf-bypass     Skip the WAF bypass payloads

```

## Examples
```shell
# Run a scan against the hosts in targets.txt with default headers and waf bypass payloads (10 concurrent requests)
python3 py-log4shellscanner.py -d dnslog.example.com -t targets.txt -c 10

# Run a scan against the hosts in targets.txt with custom headers and without waf bypass payloads (10 concurrent requests)
python3 py-log4shellscanner.py -d dnslog.example.com -t targets.txt -i custom-headers.txt -c 10 --skip-waf-bypass

# Run a scan through a proxy server with custom headers, 20 concurrent requests and with waf bypass payloads
python3 py-log4shellscanner.py -d dnslog.example.com -t targets.txt -i headers-large.txt -c 20 -p proxy.example.com

```

# Legal Disclaimer
This project is made for testing purposes only. Usage of py-dnslogserver for attacking targets without prior mutual consent could be illegal.


# License
The project is licensed under MIT License.
File Snapshot

```
[4.0K]  /data/pocs/1d377efab7ac3f54eac57696b44a70bebc1339b3
├── [  63]  example-targets.txt
├── [ 17K]  headers-large.txt
├── [ 951]  headers.txt
├── [1.1K]  LICENSE.txt
├── [ 10K]  py-log4shellscanner.py
├── [2.6K]  README.md
└── [  27]  requirements.txt

0 directories, 7 files
```