From a595c1889059aa4a2773839cb73e135097f312cd Mon Sep 17 00:00:00 2001 From: Ritik Chaddha Date: Fri, 17 Nov 2023 14:18:58 +0530 Subject: [PATCH] Update Log4j Templates --- .../apache/apache-ofbiz-log4j-rce.yaml | 10 +++--- .../apache/apache-solr-log4j-rce.yaml | 12 ++++--- .../apache/log4j/jamf-pro-log4j-rce.yaml | 20 ++++++------ .../cisco-cloudcenter-suite-log4j-rce.yaml | 20 ++++++------ .../other/fortiportal-log4j-rce.yaml | 10 +++--- .../other/goanywhere-mft-log4j-rce.yaml | 31 ++++++++++--------- http/vulnerabilities/other/graylog-log4j.yaml | 20 ++++++------ .../other/jitsi-meet-log4j-rce.yaml | 10 +++--- .../other/logstash-log4j-rce.yaml | 10 +++--- .../vulnerabilities/other/metabase-log4j.yaml | 20 ++++++------ .../other/opennms-log4j-jndi-rce.yaml | 10 +++--- .../vulnerabilities/other/pega-log4j-rce.yaml | 14 +++++---- http/vulnerabilities/other/rundeck-log4j.yaml | 20 ++++++------ .../other/sonicwall-nsm-log4j-rce.yaml | 10 +++--- .../other/splunk-enterprise-log4j-rce.yaml | 10 +++--- .../other/unifi-network-log4j-rce.yaml | 14 +++++---- .../other/vmware-siterecovery-log4j-rce.yaml | 20 ++++++------ .../other/xenmobile-server-log4j.yaml | 20 ++++++------ .../springboot/springboot-log4j-rce.yaml | 10 +++--- .../vmware/vmware-hcx-log4j.yaml | 10 +++--- .../vmware/vmware-nsx-log4j.yaml | 20 ++++++------ .../vmware-operation-manager-log4j.yaml | 10 +++--- .../vmware/vrealize-operations-log4j-rce.yaml | 14 +++++---- 23 files changed, 196 insertions(+), 149 deletions(-) diff --git a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml index 765fce21c0..4ea44c6a1e 100644 --- a/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml +++ b/http/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml 
@@ -42,20 +42,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a0047304502210088e1907aed2400c16dddc15cb7daf17a5c2903afab589a4ed9c73920960dd65002200e9d0783be00a60dd6478f1d96341a3f7c75be507e3918692a2c294c08dd9ec6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml index ed11d60278..c30647c587 100644 --- a/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml +++ b/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml @@ -48,27 +48,29 @@ http: - 'org.apache.solr' - type: word - part: interactsh_protocol + part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100cefef13addf96296fdd8fea08ffd169f67f438b1ef7870e260438d56eed72f3f022100cfd84a6197bcd25bf03a226b6d8b9cf54a21874462861ff819bbe18e65812ef3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
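Review bot: The two regex extractors that read `group: 2` and `group: 1` of `'\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'` carry no comment saying what each group is expected to hold, and the same pattern is now pasted three times per file in every template this commit touches. Structurally, group 1 may contain dots and is greedy while groups 2–4 and the trailing `\w+` each take exactly one label, so group 1 absorbs whatever labels those four do not cover; if the OOB domain used at scan time has a different label depth than the author assumed, the values surfaced by the `group: 1` and `group: 2` extractors shift without any matcher failing. The request that produces this DNS name is outside the hunk, so a comment above the matcher's regex such as `# 6-digit nonce, then group 1 (dotted, greedy) and three single-label groups before the OOB domain — layout assumed to mirror the JNDI lookup string above; re-check if the interactsh domain depth changes` would make the assumption reviewable; the solr, jamf-pro, cisco-cloudcenter-suite, fortiportal, goanywhere-mft, graylog, jitsi-meet, logstash, metabase, opennms, pega, rundeck, sonicwall-nsm, splunk-enterprise, unifi-network, vmware-siterecovery, xenmobile-server, springboot, vmware-hcx, vmware-nsx, vmware-operation-manager and vrealize-operations hunks share the same block. The `interactsh_ip` value pulled by the kval extractor is the source address seen by the OOB server, which for a DNS interaction is normally the target's recursive resolver rather than the host that evaluated the lookup, so `# resolver/egress address, not necessarily the affected host` on that line would save triage time.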
diff --git a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml index 21e636fd6d..8a61b18eb4 100644 --- a/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml +++ b/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml @@ -39,33 +39,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: body words: - "Jamf Pro Login" + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a0046304402205b2056f3a84d81394ed947272bb7bc9a6dc51d147245f45d8d2cba5b2e60036002206cffea329b822e38376403acb3ee666baa2a96c4276f08e31e67b2b2e0eb449c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml index de5c80d17b..39d3b4af27 100644 --- a/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml +++ b/http/vulnerabilities/cisco/cisco-cloudcenter-suite-log4j-rce.yaml 
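Review bot: The re-added DNS matcher keeps `- "dns"` double-quoted while the neighbouring word matcher in the same list uses single quotes (`- 'Jamf Pro Login'`), as do the regex entries below; since the commit rewrites these lines anyway, `- 'dns'` would keep one quoting style per file. The same mixed quoting is introduced by the cisco-cloudcenter-suite, graylog, metabase, rundeck, vmware-siterecovery, xenmobile-server and vmware-nsx hunks, where the sibling word is single-quoted as well. Purely cosmetic: YAML treats both forms identically for this literal.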
@@ -38,33 +38,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: header words: - 'X-RateLimit-Limit-suite-gateway_suite-auth' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a0046304402204e5c4bf14db31e83a180ee8011d815277cbd6fe7d5f1a35dfdfc752dd006ec4c02205300af3af61398fde0b2fcb756d91c5fad13f89e126d902194e1c93340e56355:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/fortiportal-log4j-rce.yaml b/http/vulnerabilities/other/fortiportal-log4j-rce.yaml index 85a5be78cf..4cb787e276 100644 --- a/http/vulnerabilities/other/fortiportal-log4j-rce.yaml +++ b/http/vulnerabilities/other/fortiportal-log4j-rce.yaml 
@@ -44,20 +44,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a00473045022100f3bf84e360e227757634c742cea262479d81b68e34cb0a6fc2c0ec24ec32a38102206118cc674784801bdaba22eae08223d4d6265880e6fd24b6b33d2aea47bb634e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml index 6806ea7636..b7c6224582 100644 --- a/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml +++ b/http/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml @@ -49,9 +49,25 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: + - type: kval + kval: + - interactsh_ip + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + + - type: regex + part: interactsh_request + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + - type: regex name: view group: 1 @@ -60,17 +76,4 @@ http: internal: true part: body - - type: kval - kval: - - - - type: regex - group: 2 - regex: - part: interactsh_request - - - type: regex - group: 1 - regex: - part: interactsh_request # digest: 4a0a00473045022100c0b271fc9abb559b0aac7daec9c977613e81183ba5b56354df346b5b9006701702206f7f2d66fe682b56aa3fe398aa262259397c114cb41e143fb325e17231040629:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
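Review bot: In the first goanywhere-mft hunk the three added extractors place `part: interactsh_request` directly under `type:`, but the pre-existing `view` extractor that now follows them still has `part: body` as its last key after `internal: true` (context lines in the second hunk), with its `regex:` sitting in the gap between the two hunks. The pega-log4j-rce hunk in this same commit hoists `name:`/`part:` to the top of its `location` extractor, so `view` is left as the one extractor in the old layout; moving `part: body` up to follow `name: view` would match. Key order within a mapping does not change what the extractor does, and since `view` is `internal: true` it presumably feeds a later request outside the hunk, so this is a style point only.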
diff --git a/http/vulnerabilities/other/graylog-log4j.yaml b/http/vulnerabilities/other/graylog-log4j.yaml index 896df9e57e..9ec083dab0 100644 --- a/http/vulnerabilities/other/graylog-log4j.yaml +++ b/http/vulnerabilities/other/graylog-log4j.yaml @@ -39,33 +39,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: header words: - 'X-Graylog-Node-Id:' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100bc847079e8da5f2a7f4ea2d4be0421293e57f3dbe1cd8af44eaa282cb60b6ef1022100e9b9eaba643077c568882059105f82f989fdc45a28c2f6bb7c84709b3fd9c552:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/jitsi-meet-log4j-rce.yaml b/http/vulnerabilities/other/jitsi-meet-log4j-rce.yaml index fbfc5579d4..ab1dc88359 100644 --- a/http/vulnerabilities/other/jitsi-meet-log4j-rce.yaml +++ b/http/vulnerabilities/other/jitsi-meet-log4j-rce.yaml 
@@ -40,20 +40,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a0047304502210098f210f53e4408d2a68813534aed74fd0e242910073383c99617f3932df061b70220134c22181e4c693790aa1aa7d8c364636a139e132c2e25d502d130cc8a2c4e7c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/logstash-log4j-rce.yaml b/http/vulnerabilities/other/logstash-log4j-rce.yaml index 0efeafa827..7da9f7f4e9 100644 --- a/http/vulnerabilities/other/logstash-log4j-rce.yaml +++ b/http/vulnerabilities/other/logstash-log4j-rce.yaml @@ -40,20 +40,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a0046304402203e9e0b6d4ece591457ba02078338707b74275521dfc273279f984634d9a4a3a10220689830404907a9b6dd857b2ebec6494f14d3da6084c91c67d828dc16df2d85c8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/metabase-log4j.yaml b/http/vulnerabilities/other/metabase-log4j.yaml index acd8c316a4..53a9140480 100644 --- a/http/vulnerabilities/other/metabase-log4j.yaml 
+++ b/http/vulnerabilities/other/metabase-log4j.yaml @@ -30,33 +30,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: body words: - 'Invalid GeoJSON file location:' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a00473045022100c50df0e7feaff80c973fcb2bcfa311b017820f983ad3312f411e8e5e34bef6c40220135efb71cb0f732eae3a01127d897e6db7681ad7328a5cfccb2309cc12016235:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml index 376558caee..24692e9a7f 100644 --- a/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml +++ b/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml 
@@ -44,20 +44,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100ad9e04f18f29293c12461bf90042fbdbb3368b564e5e8ad6cda96360a0c2eeff022100a755cb774e7dae7c5d497165f8adce0aea2fec0546e53f64f1f54c0b056112f7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/pega-log4j-rce.yaml b/http/vulnerabilities/other/pega-log4j-rce.yaml index 678d8ac4e8..be57f354e3 100644 --- a/http/vulnerabilities/other/pega-log4j-rce.yaml +++ b/http/vulnerabilities/other/pega-log4j-rce.yaml @@ -47,27 +47,29 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: kval + name: location + part: header_1 kval: - location internal: true - name: location - part: header_1 # digest: 490a0046304402205fb4eb66590eaa65eb66290ca57902ebe46b44ead624908b6448035475dafa2f02203bec250351443c84085c94cffc27ec22543f96af86e1d0956d51b5b56739b9cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/rundeck-log4j.yaml b/http/vulnerabilities/other/rundeck-log4j.yaml index 555fe1683b..d9de555537 100644 
--- a/http/vulnerabilities/other/rundeck-log4j.yaml +++ b/http/vulnerabilities/other/rundeck-log4j.yaml @@ -37,33 +37,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: location words: - '{{BaseURL}}/user/error' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a00463044022020defcd8f7f383804a17173a074cb4ebd11b9bc3c8d4930c5e8badb6f7cc321f0220357d28b5ebfd939931bbf7cd46d967502b4b413fd2baace17de76787303b3d25:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/sonicwall-nsm-log4j-rce.yaml b/http/vulnerabilities/other/sonicwall-nsm-log4j-rce.yaml index 9d7a1c3ba4..17a7551e37 100644 --- a/http/vulnerabilities/other/sonicwall-nsm-log4j-rce.yaml +++ b/http/vulnerabilities/other/sonicwall-nsm-log4j-rce.yaml 
@@ -47,20 +47,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100a470b037cca85730de63fecdfb39f865721fe525eb297fb501a4a9c5ecd98684022100d216e7b5ef37d3a0fba53af079905e2547ca2bce6258df2a8426fcf5d74aa776:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/splunk-enterprise-log4j-rce.yaml b/http/vulnerabilities/other/splunk-enterprise-log4j-rce.yaml index 95f566a6ba..98c0cc8e74 100644 --- a/http/vulnerabilities/other/splunk-enterprise-log4j-rce.yaml +++ b/http/vulnerabilities/other/splunk-enterprise-log4j-rce.yaml @@ -45,20 +45,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a00473045022100d5db89b935a8fafc3db2fc56c38abf53d78f9c578e65ade1c9674979eef53a6d02201deb8a759efbe552d5bbc5b003084a79e3bc16d6fe0e516a5f34c5dce433d420:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml index c59590a28f..b6a7d7d607 100644 
--- a/http/vulnerabilities/other/unifi-network-log4j-rce.yaml +++ b/http/vulnerabilities/other/unifi-network-log4j-rce.yaml @@ -39,27 +39,29 @@ http: matchers-condition: and matchers: - type: word - part: interactsh_protocol + part: interactsh_protocol # Confirms the DNS Interaction words: - - "dns" # Confirms the DNS Interaction + - "dns" - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100dda4748c06e68e7584bbf19667f467b1eb39fe975af429bd4ec5b64273394ce1022100ffa1472e3d87796883146b1439715a37bf1a0d8fe728cdf1d84bbe0c116fea52:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml index 9ff53a86c8..72628b8343 100644 --- a/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml +++ b/http/vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml 
@@ -31,33 +31,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: body words: - 'Error - Site Recovery' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a004730450221008bbf8fea272104f5df9e10c518ea4df66beb781fed40dad4ade30aa2fdee511702200172b3cddff074a950e78583211d9931fa13e40040f2791e9e62b36a6df16f8d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/other/xenmobile-server-log4j.yaml b/http/vulnerabilities/other/xenmobile-server-log4j.yaml index 0fa6aa8288..725b846596 100644 --- a/http/vulnerabilities/other/xenmobile-server-log4j.yaml +++ b/http/vulnerabilities/other/xenmobile-server-log4j.yaml @@ -37,33 +37,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: body words: - '

500 Server Internal Error' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a004730450221008a9b07a828bc56088ded57baae1caae463d98c877693ef95048f0b483e9f4cad0220597d8f8b37a7d25ab041d4505c036cfeeb7b9921da2076dcf0aa51a47d58ac8a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml index 29b2e68b39..ad33928f7a 100644 --- a/http/vulnerabilities/springboot/springboot-log4j-rce.yaml +++ b/http/vulnerabilities/springboot/springboot-log4j-rce.yaml @@ -40,20 +40,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100cf65a3bd6606dbae8acee59a4593ce5d4d2c4a20d9ac599ed08f1e0dc8ac62c7022100f40f0c5a092b3b17a94ce3332b71bcff3ef2a295b965b9178c5d9d734a5647fa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml index aef57bb281..7e04161515 100644 --- a/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-hcx-log4j.yaml @@ -49,20 +49,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a00463044022044471791ad8e6d7840a5c6ba37c4014e5411d54fc7f425c068fb8e2bd6528ec00220776bb29e5970f8d2bab09d1e0620e15a54bf874a163f59bc8ee84ac30c1d7404:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml index 66a8a7b8b0..b692c58df7 100644 --- a/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-nsx-log4j.yaml 
@@ -37,33 +37,35 @@ http: matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: word part: location words: - '/login.jsp?login_error=1' + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a004830460221008d7d00dc839c7689c21aeb46ee294a97ca65414a521ad162bfcc6c0dd2901d4c022100f96346b109721448fc5ee67a3469c0a2a913bcd494fdd6a7d097750e5ba64278:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml index a4f91a9975..d0b74a5448 100644 --- a/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml +++ b/http/vulnerabilities/vmware/vmware-operation-manager-log4j.yaml 
@@ -53,20 +53,22 @@ http: - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a00473045022100b1709d01ecdd28e0e2d79db30c476827e2ca88759cbc4606e25c4689a88ddc12022058fea90249f0175d7d2b12a31c6996e65722248e77d7ab92e99a42eed7f3c04f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml index 2d52c76422..53aeccf8a4 100644 --- a/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml +++ b/http/vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml @@ -40,27 +40,29 @@ http: matchers-condition: and matchers: - type: word - part: interactsh_protocol + part: interactsh_protocol # Confirms the DNS Interaction words: - - "dns" # Confirms the DNS Interaction + - "dns" - type: regex part: interactsh_request regex: - + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - + - interactsh_ip - type: regex + part: interactsh_request group: 2 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex + part: interactsh_request group: 1 regex: - part: interactsh_request + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4a0a00473045022100955fc9cfb6a98cd3b34e6c9ebf1ba97a8e63456f8a030c1663f582913dfe0add02204043b64f7f09bcf8dee2b78f90dad14e8e0ae3aaeecd6cee9e7f8d79944e1b60:922c64590222798bb761d5b6d8e72950 \ No newline at end of file