Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log4shell doesn't truncate w/ Accept-Language header in JA4h.py #121

Open
BraveLittleRoaster opened this issue May 27, 2024 · 0 comments
Open

Log4shell doesn't truncate w/ Accept-Language header in JA4h.py #121

BraveLittleRoaster opened this issue May 27, 2024 · 0 comments
Assignees
@noeltimothy

Comments

@BraveLittleRoaster
Copy link

Hello. I'm unemployed so I have nothing better to do except mess around with nuclei to create evasions for JA4+, similar to what you can do with -tlsi that I pointed out here

... When I noticed this:

image

The offending nuclei template is ./2021/CVE-2021-44228.yaml

Steps to reproduce, create a packet capture and then run nuclei -t ~/nuclei-templates/cves/http/2021/CVE-2021-44228.yaml against a target to generate the Accept-Language header.

Seems like an easy fix here. I have attached a pcap of that CVE here. It just seems bad overall to have a Log4shell payload appear anywhere where something upstream from ja4h.py could parse it. A minor change would be to force it to truncate to [:4] regardless of what payload is there, since I believe that is the intended purpose:

def http_language(lang):
    lang = lang.replace('-','').replace(';',',').lower().split(',')[0]
    return f"{lang[:4]}{'0'*(4-len(lang))}"

Something like that maybe?

👇 Packet cap for you.
CVE-2021-44228_http.zip
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@noeltimothy noeltimothy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BraveLittleRoaster @noeltimothy