My fruitful heist attempt with fofa
Fofa api requires membership. I don’t want to enroll.
You first test on your vulnerable machine/app, develop scanner, exploiter and listener, then mass exploit to millions.
All recorded here: hack_all_the_thing/tests/get_log4j_vuln
shodan query for log4j2 (or anything)
To generate password dictionary without oom: itertools.product(chrs, repeat=r)
search log4j2 in browser after login
info page of my first target (login first!)
Bing-upms the system used by my first target