Log4j Scanner是美国网络安全和基础设施安全局 (CISA)发布的 Log4j漏洞开源扫描程序。该程序可识别log4j 远程代码执行漏洞 (CVE-2021-44228 & CVE-2021-45046) 的 Web 服务。
log4-scanner – Log4j 漏洞扫描框架。
dns – Python 中的简单 DNS 服务器（UDP 和 TCP）。
ldap – 包含有用的代码来测试 lookup() 调用。
可对 60 多个 HTTP 请求标头展开模糊测试。
可对 HTTP POST 数据参数开展模糊测试。
可对 JSON 数据参数开展模糊测试。
支持用于漏洞发现和验证的 DNS 回调。
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts
- Support for lists of URLs.
- Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools).
- Fuzzing for HTTP POST Data parameters.
- Fuzzing for JSON data parameters.
- Supports DNS callback for vulnerability discovery and validation.
- WAF Bypass payloads.
There is a patch bypass on Log4J v2.15.0 that allows a full RCE. FullHunt added community support for log4j-scan to reliably detect CVE-2021-45046. If you're having difficulty discovering and scanning your infrastructure at scale or keeping up with the Log4J threat, please get in touch at (firstname.lastname@example.org).
We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. This shall be used by security teams to scan their infrastructure for Log4J RCE, and also test for WAF bypasses that can result in achiving code execution on the organization's environment.
It supports DNS OOB callbacks out of the box, there is no need to setup a DNS callback server.
$ python3 log4j-scan.py -h [•] CVE-2021-44228 - Apache Log4j RCE Scanner [•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. [•] Secure your External Attack Surface with FullHunt.io. usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] optional arguments: -h, --help show this help message and exit -u URL, --url URL Check a single URL. -p PROXY, --proxy PROXY Send requests through proxy. proxy should be specified in the format supported by requests (http[s]://<proxy-ip>:<proxy-port>) -l USEDLIST, --list USEDLIST Check a list of URLs. --request-type REQUEST_TYPE Request Type: (get, post) - [Default: get]. --headers-file HEADERS_FILE Headers fuzzing list - [default: headers.txt]. --run-all-tests Run all available tests on each URL. --exclude-user-agent-fuzzing Exclude User-Agent header from fuzzing - useful to bypass weak checks on User-Agents. --wait-time WAIT_TIME Wait time after all URLs are processed (in seconds) - [Default: 5]. --waf-bypass Extend scans with WAF bypass payloads. --test-CVE-2021-45046 Test using payloads for CVE-2021-45046 (detection payloads). --dns-callback-provider DNS_CALLBACK_PROVIDER DNS Callback provider (Options: interact.sh) - [Default: interact.sh] --custom-ip-callback-host CUSTOM_IP_CALLBACK_HOST Option to specify IP address and Port instead of DNS Callback --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST Custom DNS Callback Host. --disable-http-redirects Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have higher chance of reaching vulnerable systems.
Scan a Single URL
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local
Scan a Single URL using all Request Methods: GET, POST (url-encoded form), POST (JSON body)
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --run-all-tests
Discover WAF bypasses on the environment.
$ python3 log4j-scan.py -u https://log4j.lab.secbot.local --waf-bypass
Scan a list of URLs
$ python3 log4j-scan.py -l urls.txt
$ pip3 install -r requirements.txt
FullHunt is the next-generation attack surface management platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.
FullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges.