@@ -319,15 +319,15 @@ private Map<String, ScanItem> crazyFuzz(IHttpRequestResponse baseRequestResponse
319319 domainParamMap .put (tmpDomain , param );
320320 }
321321 tmpRawRequest = helper .buildHttpMessage (helper .analyzeRequest (tmpRawRequest ).getHeaders (), updateParams (rawBody , paramMap ));
322- IHttpRequestResponse tmpReq = parent . callbacks . makeHttpRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
322+ IHttpRequestResponse tmpReq = sendRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
323323 for (Map .Entry <String , String > domainHeader : domainHeaderMap .entrySet ()) {
324- domainMap .put (domainHeader .getValue (), new ScanItem (domainHeader .getKey (), tmpReq ));
324+ domainMap .put (domainHeader .getValue (), new ScanItem (domainHeader .getKey (), tmpReq , tmpRawRequest ));
325325 }
326326 for (Map .Entry <String , IParameter > domainParam : domainParamMap .entrySet ()) {
327- domainMap .put (domainParam .getKey (), new ScanItem (domainParam .getValue (), tmpReq ));
327+ domainMap .put (domainParam .getKey (), new ScanItem (domainParam .getValue (), tmpReq , tmpRawRequest ));
328328 }
329329 } catch (Exception ex ) {
330- parent . stdout . println ( ex );
330+ ex . printStackTrace ( parent . stderr );
331331 }
332332 }
333333
@@ -361,8 +361,8 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons
361361 header .Value = poc .generate (tmpDomain );
362362 tmpHeaders .set (i , header .toString ());
363363 byte [] tmpRawRequest = helper .buildHttpMessage (tmpHeaders , Arrays .copyOfRange (rawRequest , req .getBodyOffset (), rawRequest .length ));
364- IHttpRequestResponse tmpReq = parent . callbacks . makeHttpRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
365- domainMap .put (tmpDomain , new ScanItem (header .Name , tmpReq ));
364+ IHttpRequestResponse tmpReq = sendRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
365+ domainMap .put (tmpDomain , new ScanItem (header .Name , tmpReq , tmpRawRequest ));
366366 }
367367 }
368368 }
@@ -375,14 +375,14 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons
375375 domainHeaderMap .put (headerName , tmpDomain );
376376 }
377377 byte [] tmpRawRequest = helper .buildHttpMessage (tmpHeaders , Arrays .copyOfRange (rawRequest , req .getBodyOffset (), rawRequest .length ));
378- IHttpRequestResponse tmpReq = parent . callbacks . makeHttpRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
378+ IHttpRequestResponse tmpReq = sendRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
379379 for (Map .Entry <String , String > domainHeader : domainHeaderMap .entrySet ()) {
380- domainMap .put (domainHeader .getValue (), new ScanItem (domainHeader .getKey (), tmpReq ));
380+ domainMap .put (domainHeader .getValue (), new ScanItem (domainHeader .getKey (), tmpReq , tmpRawRequest ));
381381 }
382382 }
383383
384384 } catch (Exception ex ) {
385- parent . stdout . println ( ex );
385+ ex . printStackTrace ( parent . stderr );
386386 }
387387 return domainMap ;
388388 }
@@ -411,8 +411,8 @@ private Map<String, ScanItem> badJsonFuzz(IHttpRequestResponse baseRequestRespon
411411 Utils .GetRandomNumber (100 , Integer .MAX_VALUE ));
412412 IParameter fakeParam = helper .buildParameter ("Bad-json Fuzz" , exp , IParameter .PARAM_JSON );
413413 byte [] newRequest = helper .buildHttpMessage (tmpHeaders , finalPaylad .getBytes (StandardCharsets .UTF_8 ));
414- IHttpRequestResponse tmpReq = parent . callbacks . makeHttpRequest (baseRequestResponse .getHttpService (), newRequest );
415- domainMap .put (tmpDomain , new ScanItem (fakeParam , tmpReq ));
414+ IHttpRequestResponse tmpReq = sendRequest (baseRequestResponse .getHttpService (), newRequest );
415+ domainMap .put (tmpDomain , new ScanItem (fakeParam , tmpReq , newRequest ));
416416 }
417417 }
418418 return domainMap ;
@@ -475,8 +475,8 @@ private Map<String, ScanItem> paramsFuzz(IHttpRequestResponse baseRequestRespons
475475 byte [] newBody = Utils .Replace (body , new int []{param .getValueStart () - req .getBodyOffset (), param .getValueEnd () - req .getBodyOffset ()}, exp .getBytes (StandardCharsets .UTF_8 ));
476476 tmpRawRequest = helper .buildHttpMessage (req .getHeaders (), newBody );
477477 }
478- IHttpRequestResponse tmpReq = parent . callbacks . makeHttpRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
479- domainMap .put (tmpDomain , new ScanItem (param , tmpReq ));
478+ IHttpRequestResponse tmpReq = sendRequest (baseRequestResponse .getHttpService (), tmpRawRequest );
479+ domainMap .put (tmpDomain , new ScanItem (param , tmpReq , tmpRawRequest ));
480480 } catch (Exception ex ) {
481481 parent .stdout .println (ex );
482482 }
@@ -511,14 +511,30 @@ private List<IScanIssue> finalCheck(IHttpRequestResponse baseRequestResponse, IR
511511 }
512512
513513 private Log4j2Issue getIssue (IHttpRequestResponse baseRequestResponse , IRequestInfo req , ScanItem item ) {
514+ List <IHttpRequestResponse > requestResponses = new ArrayList <>();
515+ requestResponses .add (baseRequestResponse );
516+ String desp = String .format ("Vulnerable param is \" %s\" in %s." , item .IsHeader ? item .HeaderName : item .Param .getName (), item .IsHeader ? "Header" : getTypeName (item .Param .getType ()));
517+ if (item .TmpRequest != null ) {
518+ requestResponses .add (item .TmpRequest );
519+ } else {
520+ desp += "<br/><br/>RawRequest:<br/><br/><pre>" + new String (item .RawRequest ) + "</pre>" ;
521+ }
514522 return new Log4j2Issue (baseRequestResponse .getHttpService (),
515523 req .getUrl (),
516- new IHttpRequestResponse []{ baseRequestResponse , item . TmpRequest } ,
524+ requestResponses . toArray ( new IHttpRequestResponse [0 ]) ,
517525 "Log4j2 RCE Detected" ,
518- String . format ( "Vulnerable param is \" %s \" in %s." , item . IsHeader ? item . HeaderName : item . Param . getName (), item . IsHeader ? "Header" : getTypeName ( item . Param . getType ())) ,
526+ desp ,
519527 "High" );
520528 }
521529
530+ private IHttpRequestResponse sendRequest (IHttpService httpService , byte [] rawRequest ) {
531+ if (Config .getBoolean (Config .ENABLE_EX_REQUEST , true )) {
532+ HttpUtils .RawRequest (httpService , rawRequest , parent .helpers .analyzeRequest (httpService , rawRequest ));
533+ return null ;
534+ }
535+ return parent .callbacks .makeHttpRequest (httpService , rawRequest );
536+ }
537+
522538 private String getTypeName (int typeId ) {
523539 switch (typeId ) {
524540 case IParameter .PARAM_URL :
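Review bot: In `getIssue`, the fallback branch puts `new String(item.RawRequest)` straight into `<pre>…</pre>`, so any `<`, `>` or `&` in the request (headers and body derived from the scanned traffic) is treated as markup wherever the issue detail is rendered, and the bytes are decoded with the platform default charset. Decode explicitly and escape before embedding, e.g. `String raw = new String(item.RawRequest, StandardCharsets.UTF_8).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");`, and guard against `item.RawRequest == null`. Separately, `sendRequest` returns `null` whenever `Config.ENABLE_EX_REQUEST` is on (the default passed here is `true`) and discards whatever `HttpUtils.RawRequest` yields, so by default the issue carries no request/response pair as evidence. A comment on `sendRequest` such as `// returns null when the request is sent out-of-band; callers must keep the raw bytes` would make that contract explicit. The `catch` in the `paramsFuzz` hunk still calls `parent.stdout.println(ex)` while the other handlers were moved to `ex.printStackTrace(parent.stderr)`.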