CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

https://github.com/manishkanyal/log4j-scanner

Associated Vulnerability

Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description

A Log4j vulnerability scanner is used to identify the CVE-2021-44228 and CVE_2021_45046

Readme

# log4j-scanner
A Log4j vulnerability scanner is automated scanner to find log4j (CVE-2021-44228 and CVE_2021_45046) vulnerabilities in web applications.


# Features
1- It supports multiple URL to perform scan

2- It has payload that can bypass some WAF

3- It supports GET and POST request

4- It supports user payload and headers file

5- It fuzzes POST data parameter as well as JSON parameter

# Installing 

git clone https://github.com/manishkanyal/log4j-scanner.git

cd log4j-scanner

./log4jscan.py -h

# USAGE

Usage : ./log4jscan.py [options- URL/list_of_URL] [target_specification ] [options-custom_dns_callback_host] [id_of_custom_dns_callback_host]

optional arguments:
  -h, --help                      --->       show this help message and exit
  
  -u URL, --url URL               --->      Scan a single URL
  
  -l LIST, --list LIST            --->  Scan multiple URL from file
  
  -id CALLBACK_HOST,              --->  custom_dns_callback_host CALLBACK_HOST ---> Custom dns callback provider ID
                        
                         
  --test_cve_2021_45046            --->  Test with CVE 2021 45046 Payloads only. Using this option will not test with custom Payload  [Deafult: False]
                        
  -hf HEADER_FILE, --header_file  --->  HEADER_FILE  Path for Header file to fuzz [ Default : header.txt]
                        
  --request_type                  --->  REQUEST GET or POST type request [Default: GET]
                        
  --run_all_test                  --->    Run all possible test for LOG4j(all payloads , all requests) [Default: False]
  
  --include_wafbypass_payload     --->  To include firewall bypass payloads [Default: False]
                        
  --custom_payload_list           --->  CUSTOM_PAYLOAD Path for custom payload file.
                        

Example : ./log4jscan.py -u http://127.0.0.1:8080/ -id c9d9k5c2vtc00002me60grsw31ayyyyyb.interact.sh

# Scanning single url

./log4jscan.py -u http://127.0.0.1:8080 -id c9d9k5c2vtc00002me60grsw31ayyyyyb.interact.sh

# Scanning mulitple URL

./log4jscan.py -l URLS.txt -id c9d9k5c2vtc00002me60grsw31ayyyyyb.interact.sh

# Installing Requirements

pip3 install -r requirement.txt

File Snapshot


 [4.0K]  /data/pocs/e243f6b075c6fe60f064f90f37a0ebc449cad151
├── [ 943]  header
├── [ 17K]  headers-large
├── [ 11K]  log4jscan.py
├── [2.2K]  README.md
└── [  42]  requirement.txt

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!