use strict;
my $str = 'Sample Log4j strings:
${JNDI:LDAP://
${JNDI:LDAPS://
${JNDI:RMI://
${JNDI:DNS://
${JNDI:NIS://
${JNDI:IIOP://
${JNDI:CORBA://
${JNDI:NDS://
${JNDI:HTTPS://
${JNDI:HTTP://
$ { JNDI :LDAPS://
$ { JNDI :LDAPS://
${jNDi:l%252564ap://
JNDI = %6A%6E%64%69
jndi = %4A%4E%44%49
Multi-encoding log4j strings (without spaces):
%24%7B%6A%6E%64%69%3A%2F
%2524%257B%256A%256E%2564%2569%253A
%2524%257B%256A%256E%2564%2569%253A%252F
%252524%25257B%25256A%25256E%252564%252569%25253A%25252F
Multi-URL Encoded string characters:
(?i)
(%(25){0,}20|\\s)*
(%(25){0,}24|$)
(%(25){0,}20|\\s)*
(%(25){0,}7B|{)
(%(25){0,}20|\\s)*
(%(25){0,}(6A|4A)|J)
(%(25){0,}(6E|4E)|N)
(%(25){0,}(64|44)|D)
(%(25){0,}(69|49)|I)
(%(25){0,}20|\\s)*
(%(25){0,}3A|:)
(%(25){0,}2F|\\/)
[\\w\\%]+
(%(25){0,}3A|:)
(%(25){0,}2F|\\/)
';
my $regex = qr/(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+/mp;
if ( $str =~ /$regex/g ) {
print "Whole match is ${^MATCH} and its start/end positions can be obtained via \$-[0] and \$+[0]\n";
# print "Capture Group 1 is $1 and its start/end positions can be obtained via \$-[1] and \$+[1]\n";
# print "Capture Group 2 is $2 ... and so on\n";
}
# ${^POSTMATCH} and ${^PREMATCH} are also available with the use of '/p'
# Named capture groups can be called via $+{name}
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Perl, please visit: http://perldoc.perl.org/perlre.html