### Log4j2 Burp Scanner `dnsldaprmi` Parameter Bypass Examples Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ-zh-CN.md Examples of string values to use for the `dnsldaprmi` parameter to achieve various DNS bypasses or specific formatting. ```Generic dns: dns${::-:} dns:// dns${::-:}/${::-}/ ``` -------------------------------- ### Log4j2 Burp Scanner `jndiparams` Parameter Bypass Examples Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ-zh-CN.md Examples of string values to use for the `jndiparams` parameter to achieve various JNDI bypasses or specific formatting. ```Generic jndi: j$%7b::-n%7ddi: ``` -------------------------------- ### Log4j2 Burp Scanner Plugin Configuration Parameters Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ-zh-CN.md Detailed explanation of the configuration parameters available in the Log4j2 Burp Scanner plugin, categorized into modules like 'dnslog configuration'. This section describes each parameter's purpose and type. ```APIDOC dnslog configuration: log4j2 Passive Scanner: Description: Passive scanning switch. Checked enables passive scanning, unchecked disables it. Type: Boolean isuseceye: Description: Whether to use the ceye.io platform. Type: Boolean ceyetoken: Description: User token for ceye.io. Type: String ceyednslog: Description: User record domain for ceye.io. Type: String isuseprivatedns: Description: Whether to use a custom DNSLog. Type: Boolean isip: Description: Indicates if the custom DNSLog is an IP address (mainly for intranet IP monitoring). Type: Boolean privatednslogurl: Description: Custom DNSLog record domain. Type: String privatednsResponseurl: Description: Address to view responses for the custom DNSLog record domain. Refer to the detailed custom DNSLog configuration guide. Type: String Save configuration: Description: Button to save the current configuration. Type: Action Restore/Loading latest params: Description: Button to restore default parameters. Type: Action Test dnslog delay: Description: Button to test the delay with the DNSLog server. Type: Action use`[${::-.}]`replace`.`: Description: Use parameter replacement for '.' (e.g., `[${::-.}]`). Default is a bypass; use '.' if no bypass is desired. Type: String ``` -------------------------------- ### Log4j2 JNDI Bypass Payloads Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md Examples of JNDI bypass payloads used for testing Log4j2 vulnerabilities, demonstrating various obfuscation techniques to evade detection. ```Log4j2 Payload j${::-n}di: ``` ```Log4j2 Payload jn${env::-}di: ``` ```Log4j2 Payload j${sys:k5:-nD}${lower:i${web:k5:-:}} ``` -------------------------------- ### Compile Log4j2 Burp Scanner Plugin from Source Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ.md Instructions to compile the Log4j2 Burp Scanner plugin from its source code. This process uses Maven to build the project, generating a JAR file that can then be loaded into Burp Suite. ```Shell mvn package ``` -------------------------------- ### Configure JNDI Parameters for Active Log4j2 Scanning Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ-zh-CN.md This parameter is used for active scanning and allows for JNDI bypass techniques, with each parameter separated by a newline. ```APIDOC custom params2: - 0x01 jndiparams: JNDI parameters used during active scanning, supports bypass techniques like `j${::-n}di:`, separated by newlines ``` -------------------------------- ### Configure Custom Parameters for Log4j2 Burp Scanner Source: https://github.com/f0ng/log4j2burpscanner/blob/main/FAQ-zh-CN.md This section details the custom parameters available for configuring the Log4j2 Burp Scanner, including options for JNDI bypass, DNS/LDAP/RMI settings, whitelists, and various header/cookie testing flags. ```APIDOC custom params: - 0x01 jndiparam: The JNDI parameter to pass, can use bypass techniques like `j${::-n}di:` - 0x02 dnsldaprmi: Optional, specifies DNS, LDAP, RMI parameters - 0x03 white lists: Whitelist configuration, supports wildcards (e.g., `*.gov.cn`, `*.edu.cn`) or domain suffixes (e.g., `qq.com`) - 0x04 headers lists: Custom request header parameter names - 0x05 test UserAgentTokenXff: Flag to test User-Agent, token (including JWT keywords), and common XFF header parameters - 0x06 test Xfflists: Flag to test all XFF header parameters - 0x07 test Cookie: Flag to test all Cookie parameters - 0x08 test RefererOrigin: Flag to test Referer and Origin parameters - 0x09 test Contenttype: Flag to test Content-Type parameter - 0x010 test Accept: Flag to test Accept and similar parameters ``` -------------------------------- ### Log4j2 Scanner Supported JSON Body Formats Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md Examples of JSON body structures that the Log4j2 Burp Suite scanner is configured to recognize and inject payloads into. This allows for testing vulnerabilities within nested JSON parameters. ```JSON body={"a":"1","b":"22222"} body={"params":{"a":"1","b":"22222"}} ``` -------------------------------- ### Supported HTTP Request Body Formats for Log4j2 Scanning Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md The Log4j2 Burp Scanner plugin identifies and processes Log4j2 vulnerabilities across various HTTP request body structures, including GET and POST methods with different parameter and JSON payload configurations. ```APIDOC Plug ins mainly identify seven forms: 1.get method, a=1&b=2&c=3 2.post method, a=1&b=2&c=3 3.post method, {"a":"1","b":"22222"} 4.post method, a=1¶m={"a":"1","b":"22222"} 5.post method, {"params":{"a":"1","b":"22222"}} 6.post method, body={"a":"1","b":"22222"} 7.post method, body={"params":{"a":"1","b":"22222"}} ``` -------------------------------- ### Log4j2 Burp Scanner Configuration Parameters Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md Detailed documentation for various configurable parameters in the Log4j2 Burp Suite scanner, allowing users to customize testing behavior, including DNS/LDAP/RMI options, header testing, and private DNS API integration. ```APIDOC - dnsldaprmi: Specifies the JNDI protocol to use (dns, ldap, rmi). Default is 'dns'. - isContenttypeRefererOrigin: Boolean flag to test Content-Type, Referer, and Origin headers. Default is 'off'. - isAccept: Boolean flag to test Accept-Language, Accept, and Accept-Encoding headers. Default is 'off'. - isprivatedns: Boolean flag to enable the use of a private DNS API. - privatednslogurl: The URL for the internal DNS log API. - privatednslogresponseurl: The URL for the internal DNS log response API. (Interpreted from context, original text had 'privatednslogurl' twice) - isuseUserAgenttokenXff: Boolean flag to test User-Agent, token, X-Forwarded-For, and X-Client-IP headers. Default is 'on'. - isuseXfflists: Boolean flag to test X-Forwarded-For lists, including other XFF variations. Default is 'off'. - isuseAllCookie: Boolean flag to test all cookies. Default is 'on'. - isceye: Boolean property that must be set to 'true' for ceye.io API integration to function correctly. ``` -------------------------------- ### HTTP Request Headers for Log4j2 Scanner Testing Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md A comprehensive list of HTTP request headers that the Log4j2 Burp Suite scanner injects payloads into to identify potential vulnerabilities. This includes various X-Forwarded-For, client IP, and host-related headers. ```APIDOC - X-Forwarded-For - X-Forwarded - Forwarded-For - Forwarded - X-Requested-With - X-Forwarded-Host - X-remote-IP - X-remote-addr - True-Client-IP - X-Client-IP - Client-IP - X-Real-IP - Ali-CDN-Real-IP - Cdn-Src-Ip - Cdn-Real-Ip - CF-Connecting-IP - X-Cluster-Client-IP - WL-Proxy-Client-IP - Proxy-Client-IP - Fastly-Client-Ip - True-Client-Ip - X-Originating-IP - X-Host - X-Custom-IP-Authorization - X-original-host - If-Modified-Since ``` -------------------------------- ### Log4j2 JNDI Bypass Payloads Source: https://github.com/f0ng/log4j2burpscanner/blob/main/README.md A collection of JNDI bypass techniques used to evade detection for Log4j2 vulnerabilities. These methods modify the 'jndi:' prefix to bypass filters, as referenced from a Twitter post. ```Payload jn${env::-}di: jn${date:}di${date:':'} j${k8s:k5:-ND}i${sd:k5:-:} j${main:\k5:-Nd}i${spring:k5:-:} j${sys:k5:-nD}${lower:i${web:k5:-:}} j${::-nD}i${::-:} j${EnV:K5:-nD}i: j${loWer:Nd}i${uPper::} ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.