refactor: more plain detections

Neo23x0 · Dec 12, 2021 · f9deff3 · GITTHUBBD · Dec 15, 2021 · f9deff3
1 parent 9f9b1e5
commit f9deff3
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 7 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -10,7 +10,7 @@
             "request": "launch",
             "program": "${file}",
             "console": "integratedTerminal",
-            "args": ["-f", "tests/user.log.1"]
+            "args": ["-p", "tests"]
         }
     ]
 }
diff --git a/log4shell-detector.py b/log4shell-detector.py
@@ -22,8 +22,13 @@ class Log4ShellDetector(object):
     DETECTION_STRINGS = ['${jndi:ldap:', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/']
     # These strings will be applied as they are
     PLAIN_STRINGS = {
-        " header with value of BadAttributeValueException: ": "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3991502",
-        "at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(": "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3991700",
+        "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3991502": [
+            " header with value of BadAttributeValueException: "
+        ],
+        "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3991700": [
+            "at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(", 
+            ".log4j.core.lookup.JndiLookup.lookup(JndiLookup"
+        ],
     }
 
     def __init__(self, maximum_distance, debug, quick):
@@ -44,9 +49,10 @@ def check_line(self, line):
         decoded_line = self.decode_line(line)
 
         # Plain Detection
-        for s in self.PLAIN_STRINGS:
-            if s in line or s in decoded_line:
-                return s
+        for ref, strings in self.PLAIN_STRINGS.items():
+            for s in strings:
+                if s in line or s in decoded_line:
+                    return s
 
         # Detection Pad based Detection
         # Preparation

diff --git a/tests/test-cases/test-java-exception.log b/tests/test-cases/test-java-exception.log
@@ -0,0 +1,14 @@
+http-nio-80-exec-13 WARN Error looking up JNDI resource [ldap://192.168.1.15:1337/e]. javax.naming.NamingException [Root exception is java.lang.ClassNotFoundException: org.apache.commons.beanutils.BeanComparator]; remaining name 'e'
+	at java.naming/com.sun.jndi.ldap.Obj.deserializeObject(Obj.java:531)
+	at java.naming/com.sun.jndi.ldap.Obj.decodeObject(Obj.java:237)
+	at java.naming/com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1051)
+	at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:542)
+	at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:177)
+	at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:207)
+	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
+	at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
+	at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:128)
+	at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:55)
+	at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:159)
+	at org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1046)
+	...
diff --git a/tests/test_detection.py b/tests/test_detection.py
@@ -6,7 +6,7 @@
 def test_full_path():  
     l4sd = l4s.Log4ShellDetector(maximum_distance=20, debug=False, quick=False)
     detections = l4sd.scan_path("./tests")
-    assert detections == 7
+    assert detections == 8
 
 def test_url_encoded():  
     l4sd = l4s.Log4ShellDetector(maximum_distance=20, debug=False, quick=False)