Skip to content

Releases: f0ng/log4j2burpscanner

0.25.0

26 Apr 14:33
@f0ng f0ng
0.25.0
d4613b4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.25.0 Latest
Latest

0.25.0 update

2023-4-26

  1. fix bugs
  1. 修复bug,感谢A_Adam师傅反馈
Assets 5
Loading

0.24.0

20 Mar 13:03
@f0ng f0ng
0.24.0
3281fac
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.24.0

0.24.0 update

2023-3-20

  1. Adapt the selistener tool for intranet vulnerability detection
  1. 适配selistener工具进行内网漏洞探测
Assets 5
Loading

0.23.0-beta2

13 Mar 07:24
@f0ng f0ng
0.23.0-beta2
36003da
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.23.0-beta2

0.23.0-beta2 update

2023-3-13

  1. fix problem
  1. 优化选中内网ip时只发请求头含有%24payload的问题,增至和普通被动扫描一样多的请求
Assets 5
Loading

0.23

10 Mar 10:16
@f0ng f0ng
0.23.0
36003da
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.23

0.23.0 update

2023-3-10

  1. set normal payload as preferred
  2. add the vulnerability display of payload containing variables
  3. optimize the problem of not displaying vulnerability points
  1. 将正常payload设为首选,在内网ip中运行
  2. 增加payload含有变量的漏洞显示
  3. 优化漏洞点不显示问题
  4. 修复漏洞
Assets 5
Loading

0.22.0

14 Feb 05:23
@f0ng f0ng
0.22.0
42a475b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.22.0

0.22.0 更新

2023-2-14

fix problem #58

修复数据包中uri带有完整域名的问题,感谢@0xWi11 师傅反馈

Contributors

0xWi11
Assets 5
Loading

0.21.0

09 Dec 01:31
@f0ng f0ng
0.21.0
5e11ac1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.21.0

0.21.0 更新

2022-12-9

  1. 增加参数 prefixparam前缀可控,可输入如%84$,造成一些数据库组件解析错误,从而进行log4j2的报错触发

image

  1. 增加自定义header头获取响应结果请求(支持了dnslog.cn等,但是dnslog.cn有PHPSESSID默认过期时间,暂不推荐使用),举例如 privatednsResponseurl 框内填入以下字段:
HEADER
http://dnslog.cn/getrecords.php
Cookie:PHPSESSID=bmekedlvumo1e9onr6qsd1j2u6

image

  1. 修复dnsparam参数初始化问题,感谢微信群@啊哈师傅反馈
Assets 5
Loading

0.20.2

01 Dec 13:17
@f0ng f0ng
0.20.2
9a8b3fe
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.20.2

0.20.2更新

2022-12-1

  • 修复Restore/Loading latest params导致的usereplace[.]参数置空问题,感谢@G0rdita 师傅反馈

Contributors

G0rdita
Assets 5
Loading

0.20.1

22 Nov 10:33
@f0ng f0ng
0.20.1
7560d02
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.20.1

0.20.1更新

2022-11-22

  • 修复.替换参数的问题
  • 由于版本更新,需要重新加载参数,点击Restore/Loading latest params,进行查看,编辑完成点击Save configuration即可正常使用
Assets 5
Loading

0.20.0

22 Nov 08:24
@f0ng f0ng
0.20.0
7560d02
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.20.0

0.20.0更新

2022-11-22

  1. 增加参数suffixparam,后缀可控,可输入如${::-}/${::-}%20user。默认值为/%20user,如果没有/,默认设置为/%20user
  2. dns中查询的路径为全拼,不再为首字母拼(最长的记录为63字符,感觉不大可能有路径名超过63字符的,超过63字符的取前5位)
  3. 删除isusepointBypas参数,更改为自定义

image

Assets 5
Loading

0.19.2

18 Nov 07:32
@f0ng f0ng
0.19.2
2ff3a71
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
0.19.2

0.19.2

2022-11-18

  • add switch to replace . (use ${::-.})

  • add custom 'jndiparams:' parameters,add more 'jndi:' parameters to bypass waf (in send to log4j2 Scannerstatus)

-modify dnsldaprmi parameters supports modifying // to bypass waf

增加${::-.}替代.的开关

image

增加自定义jndiparams:参数,可以加入更多绕过waf的jndi:参数(send to log4j2 Scanner 状态下)

image

修改dnsldaprmi参数支持修改//达到bypass,两种情况

  • 如果dnsldaprmi参数包含/,那么插件就不加/,默认用户设置的是dns://这个参数的绕过

image

  • 如果没有/,那么插件就加//,默认用户设置的是dns:这个参数的绕过,如下:

image

由于增加自定义参数,所以需要对有旧版配置文件进行修改:
在配置文件末尾换行加
jndiparams=jndi:、j$%7b::-n%7ddi:、jn$%7benv::-%7ddi:、j$%7bsys:k5:-nD%7d$%7blower:i$%7bweb:k5:-:%7d%7d、${${::-j}${::-n}${::-d}${::-i}:

Assets 5
Loading