Updated CVE-2021-44228 with most common vulnerable headers #3334
Conversation
Reference: https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
These headers are collected from the above blog, in the Detecting the Vulnerability part.
Added more headers
Hi, there is a problem with the usage of ${hostName}, shouldn't that be {{Hostname}}?
@ErwinGeirnaert
I had used the same payload created by @ehsandeep and only added the most common security headers.
The JNDI exploit will download code and execute it, not the payload in the URL.
I've changed it to {{Hostname}} and this results in an interaction to interactsh where the hostname that was scanned is added to the DNS request, so you know which hosts are vulnerable.
@ErwinGeirnaert there are multiple ways to exploit this and pulling
Thanks @ehsandeep, that is just crazy!!!
Thanks for fixing the lint error, I was busy with some other tasks.
Hi @geeknik, all mentioned changes are made and all checks have passed.
Done
Thank you for all the new header additions @Anon-Artist. We might hold this PR for some time due to a known issue in the nuclei engine, projectdiscovery/nuclei#1361; otherwise we will get multiple interactions for the same target.
Sure @ehsandeep, I will wait to see the PR getting merged.
@ehsandeep the current template for log4j has a hardcoded interactsh.com server in place. This will fail if we use a custom server.
Will the {interactsh-url} work in the regex field to make it fully compatible with any private interactsh server? I guess not, { } are reserved/valid. So I must patch locally to match the private server in the meantime.
@dogasantos please see the discussion here - #3330
Avoided duplication suggested by @xuchaoa
Hi @ehsandeep, I had changed the regex in the matchers and extractors used in the latest update v8.7.3.
Another thing that could be changed with this template is adding the name of the header or position into the DNS request. This makes it easier to identify which header the vulnerability triggered in.
I recommend the additional adjustments that are present in the below version:
Sure, I will do it, and thanks for the detailed explanation 😀
- more injection points
- a fixed regex to extract uppercase hostnames
- standardized payloads
- printed injection points
Source - https://twitter.com/0xceba/status/1471664540542648322
Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com>
Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com>
Thank you @Anon-Artist @0xceba @meme-lord @xuchaoa for all the suggestions and changes. I've updated the PR based on the latest suggestions made by @0xceba; also @Anon-Artist, as now we know which header caused the interaction, I believe we can merge this PR as well.
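The attribution idea discussed in this thread (encoding the scanned hostname and the injection point into the DNS callback name, and matching that name case-insensitively because resolvers may upper-case it) as an added Python example; this is not code from this PR or the nuclei template. The callback label layout, the domain oast.example, the sample query names and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed callback layout (an assumption, not the template's own format):
#   <scanned-host>.<injection-point>.<interactsh-id>.<oast-domain>
# The resolver that forwards the query may upper-case labels, and DNS logs
# often record a trailing dot, so matching is case-insensitive and all
# extracted fields are lower-cased before use.

def build_pattern(oast_domain: str) -> re.Pattern:
    """Regex for one callback name; anchoring the OAST domain at the end lets
    the scanned hostname itself contain dots."""
    return re.compile(
        r"^(?P<host>[a-z0-9.-]+)\.(?P<point>[a-z0-9-]+)\.(?P<id>[a-z0-9]+)\."
        + re.escape(oast_domain) + r"\.?$",
        re.IGNORECASE,
    )

def parse_callback(name: str, oast_domain: str):
    """Return (host, injection_point, correlation_id), lower-cased, or None
    when the query name is not one of our callbacks."""
    m = build_pattern(oast_domain).match(name.strip())
    if not m:
        return None
    return tuple(m.group(g).lower() for g in ("host", "point", "id"))

def attribute_callbacks(names, oast_domain):
    """Map each scanned host to the sorted injection points that produced a
    DNS interaction. Repeated lookups for the same host/point pair (the
    duplicate-interaction problem mentioned in the thread) collapse into one."""
    hits = defaultdict(set)
    for name in names:
        parsed = parse_callback(name, oast_domain)
        if parsed:
            host, point, _ = parsed
            hits[host].add(point)
    return {host: sorted(points) for host, points in hits.items()}

# Constructed sample query names, as an interactsh DNS log might record them.
SAMPLE_QUERIES = [
    "app01.example.test.x-api-version.c3kq8abc.oast.example",
    "APP01.EXAMPLE.TEST.X-API-VERSION.C3KQ8ABC.oast.example.",  # upper-cased duplicate
    "app01.example.test.user-agent.c3kq8abc.oast.example",
    "shop.example.test.x-forwarded-for.c3kq8abd.oast.example",
    "unrelated.lookup.example.net",                              # not a callback
]

if __name__ == "__main__":
    for host, points in attribute_callbacks(SAMPLE_QUERIES, "oast.example").items():
        print(f"{host}: {', '.join(points)}")
```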
Template / PR Information
The template is updated with the most common headers which can be vulnerable to CVE-2021-44228, including the X-Api-Version header, X-Forwarded headers, etc.
These headers are collected from the above blog, in the Detecting the Vulnerability part.
Template Validation
I've validated this template locally?
Additional Details (leave it blank if not applicable)
Additional References: