Exploiting Log4J Vulnerability With Fofa Api: A Comprehensive Guide

Log4j
vulnerability
exploit
Fofa API
searching
querying techniques
resources
This article discusses the exploitation of the Log4j vulnerability using Fofa API, offering resources for effective search and query techniques.
Published

November 29, 2022


My fruitful heist attempt with fofa

Fofa api requires membership. I don’t want to enroll.

You first test on your vulnerable machine/app, develop scanner, exploiter and listener, then mass exploit to millions.

All recorded here: hack_all_the_thing/tests/get_log4j_vuln

zoomeye search for log4j

seebug

shodan query for log4j2 (or anything)

狮子鱼团购 fofa查询漏洞

Sqlmap post data inject

To generate password dictionary without oom: itertools.product(chrs, repeat=r)

search log4j2 in browser after login

info page of my first target (login first!)

fofa usage examples

My first target login page

gov site?

Bing-upms the system used by my first target

password dictionary topic in github