This gist gather a list of log4shell payloads seen on my twitter feeds.
💨 I will update it every time I see new payloads.
The goal is to allows testing detection regexes defined in protection systems.
Dominique RIGHETTO righettod
👨💻
righettod
/ Argon2idWithAEADCiphererCombination.java
Created
November 24, 2025 05:42
Example of combination of an Argon2id derivated key with an AEAD cipherer.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package eu.righettod.sdb; | |
| import com.google.crypto.tink.Aead; | |
| import com.google.crypto.tink.InsecureSecretKeyAccess; | |
| import com.google.crypto.tink.KeysetHandle; | |
| import com.google.crypto.tink.aead.AeadConfig; | |
| import com.google.crypto.tink.aead.AesGcmKey; | |
| import com.google.crypto.tink.aead.AesGcmParameters; | |
| import com.google.crypto.tink.util.SecretBytes; | |
| import org.bouncycastle.crypto.generators.Argon2BytesGenerator; |
righettod
/ display-cwe.py
Last active
November 16, 2025 15:21
Script to search against the XML reference file for CWE records using either a CWE ID or a term.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import os | |
| import re | |
| from termcolor import colored | |
| from lxml import etree | |
| from lxml.etree import XMLParser | |
| from pathlib import Path | |
| """ | |
| Script to search for CWE records using either a CWE ID or a term. |
righettod
/ scan-code-with-semgrep.sh
Last active
March 21, 2025 09:44
Scan a code base with semgrep from scratch.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Assume that PYTHON3 and GIT are installed | |
| # and available for the user execution the script | |
| # https://semgrep.dev/docs/cli-reference | |
| PYENV_HOME="/tmp/pyenv" | |
| SEMGREP_RULES_HOME="/tmp/semgrep-rules" | |
| SEMGREP_RULES_FOLDER="python" | |
| SEMGREP_FINDINGS_FILE="semgrep-findings.json" | |
| function initialize(){ |
righettod
/ clear-sensitive-info-from-clipboard.html
Last active
May 29, 2024 13:09
POC to remove a "sensitive" information from the clipboard after a short period of time.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <!-- | |
| POC to remove a "sensitive" information from the clipboard after a short period of time. | |
| It is used, as an hardening measure, for a legit feature to copy the info into the clipboard. | |
| Here the info taken is an IBAN for the example. | |
| https://developer.mozilla.org/en-US/docs/Web/API/Clipboard | |
| --> |
righettod
/ find-javaee-jws-methods-without-authz.sh
Created
July 28, 2023 08:49
Script to identify classes defining JavaEE JWS web accessible methods without an authorization annotation on them.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "Folder:" | |
| pwd | |
| for line in $(grep -rFc "@WebMethod" * | grep -v ":0") | |
| do | |
| services_count=$(echo $line | cut -d':' -f2) | |
| java_class_file=$(echo $line | cut -d':' -f1) | |
| auth_annot_count=$(grep -rFc "@RolesAllowed" $java_class_file) | |
| if [ "$services_count" != "$auth_annot_count" ] | |
| then |
righettod
/ SecurityUtils.java
Last active
May 24, 2024 16:32
Provides different utilities methods to apply processing from a security perspective.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package eu.righettod.snippet; | |
| import org.apache.pdfbox.Loader; | |
| import org.apache.pdfbox.pdmodel.PDDocument; | |
| import org.apache.pdfbox.pdmodel.PDDocumentCatalog; | |
| import org.apache.pdfbox.pdmodel.PDDocumentInformation; | |
| import org.apache.pdfbox.pdmodel.PDDocumentNameDictionary; | |
| import org.apache.pdfbox.pdmodel.common.PDMetadata; | |
| import org.apache.pdfbox.pdmodel.interactive.action.*; | |
| import org.apache.pdfbox.pdmodel.interactive.annotation.AnnotationFilter; |
righettod
/ portswigger-webacademy-status-check.ps1
Last active
September 2, 2022 16:48
Quick PowerShell functions to identify any courses or labs missed from the Portswigger WebAcademy courses.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Test-WebAcademy-Labs-Status($sessionCookieValue){ | |
| $storageFile="$env:USERPROFILE\.webacademy-labs-status" | |
| $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession | |
| $cookie = New-Object System.Net.Cookie | |
| $cookie.Name = "SessionId" | |
| $cookie.Value = $sessionCookieValue | |
| $cookie.Domain = ".portswigger.net" | |
| $session.Cookies.Add($cookie); | |
| Write-Host "[i] Status storage file: $storageFile" -ForegroundColor Cyan | |
| Write-Host "[+] Retrieving labs status from PortSwigger labs web page..." -ForegroundColor Yellow |
righettod
/ CVE-2022-21449.yaml
Last active
December 18, 2023 06:50
Nuclei template to detect exposure to CVE-2022-21449 by the JWT validation API in place.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: CVE-2022-21449 | |
| info: | |
| name: CVE-2022-21449 test exposure | |
| description: The JDK 15-18 have a vulnerability in validation of ECDSA signature so this template detect exposure to CVE-2022-21449 by the JWT validation API in place. | |
| author: righettod | |
| severity: info | |
| tags: cve,2022,java | |
| reference: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java |
righettod
/ log4shell-payloads.md
Last active
December 18, 2023 06:41
List of log4shell payloads seen on my twitter feeds
righettod
/ identify-log4j-class-location.sh
Last active
January 17, 2022 12:01
Script to identify Log4J affected class for CVE-2021-44228 in a collection of ear/war/jar files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ######################################################################################################### | |
| # Script to identify Log4J affected class for CVE-2021-44228 in a collection of EAR/WAR/JAR files | |
| # Based on this script: | |
| # https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/identify-class-location.sh | |
| ######################################################################################################### | |
| if [ "$#" -lt 1 ]; then | |
| script_name=$(basename "$0") | |
| echo "Usage:" | |
| echo " $script_name [BASE_SEARCH_FOLDER]" |
NewerOlder