
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description: Java application vulnerable to CVE-2021-44228 (a.k.a. Log4Shell)
Readme
# Log4Shell Honeypot

This demo application is vulnerable to [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228),
also known as Log4Shell. It can be used, for example, to validate a detection or remediation script.

## How to launch

Build the application:

    mvn clean package
    
Or, alternatively, download the [pre-built JAR](https://github.com/GroupePSA/log4shell-honeypot/releases/download/1.0.0-SNAPSHOT/log4shell-honeypot-capsule.jar).

Run the application (in the `target` subdirectory if you built it locally):

    java -Dlog4shell.all -jar log4shell-honeypot-capsule.jar

> The application is not vulnerable by default. You need to set the `log4shell.all` system property to enable 
> vulnerabilities (or you can use vulnerability-specific options, see below).

### Vulnerability options

* Set the `log4shell.userAgent` system property to log the `User-Agent` HTTP header.
* Set the `log4shell.authorization` system property to log the `Authorization` HTTP header.
* Set the `log4shell.basicAuth` system property to log the user/password pair decoded from basic authentication.
* Set the `log4shell.urlPath` system property to log the URL path.
* Set the `log4shell.urlQuery` system property to log the URL query string.
* Set the `log4shell.all` system property to log all of the above.

An empty property value is enough.

### Security options

To enable basic authentication on the application, activate the `basicAuth` configuration profile:

    java -Dseedstack.profiles=basicAuth -Dlog4shell.all -jar target/log4shell-honeypot-capsule.jar

* User is `demo`
* Password is also `demo`

> When basic authentication is enabled, the application cannot be vulnerable to the user/password injection.

## How to use

Send a GET or POST request to any path, placing the malicious payload in one of the locations enabled by the options above:

Example with the `User-Agent` header:

    curl http://localhost:8080 -A "<malicious-user-agent>"

The application responds with a 302 redirect to `/test`, which is the endpoint that contains the vulnerability.
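The README states that the honeypot exists to validate a detection or remediation script. The following Python checker is an added example, not part of the log4shell-honeypot project: it inspects exactly the request fields the options above can log (User-Agent, Authorization, the decoded Basic credentials, URL path and URL query) and reports which of them carries a JNDI lookup. The sample requests are constructed, `MARKER` is a placeholder for whatever the lookup would reference, and the Basic-credential decoding mirrors the `log4shell.basicAuth` option, since a check on the raw header alone would miss a lookup hidden inside the base64 token.

```python
"""Added example (not the honeypot's own code): report which logged request
fields contain a Log4j JNDI lookup, so a detection script can be validated
against the honeypot without a live LDAP endpoint."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# A Log4j message lookup that hands the string to JNDI, e.g. "${jndi:...}".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def basic_auth_pair(authorization: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>' into (user, password); None if not Basic auth."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def scan_request(target: str, headers: Dict[str, str]) -> List[str]:
    """Return the README option names (log4shell.*) whose logged field holds a JNDI lookup.

    `target` is the request-target from the request line (path plus optional query).
    """
    findings: List[str] = []
    parts = urlsplit(target)
    # Percent-decode path and query so that an encoded "${jndi:" is still recognised.
    if JNDI_LOOKUP.search(unquote(parts.path)):
        findings.append("log4shell.urlPath")
    if JNDI_LOOKUP.search(unquote(parts.query)):
        findings.append("log4shell.urlQuery")
    if JNDI_LOOKUP.search(header(headers, "User-Agent")):
        findings.append("log4shell.userAgent")
    authorization = header(headers, "Authorization")
    if JNDI_LOOKUP.search(authorization):
        findings.append("log4shell.authorization")
    # The honeypot logs the *decoded* Basic credentials, so check them too:
    # a raw-header check cannot see inside the base64 token.
    pair = basic_auth_pair(authorization)
    if pair and any(JNDI_LOOKUP.search(field) for field in pair):
        findings.append("log4shell.basicAuth")
    return findings


# Constructed sample requests (not captured traffic). "MARKER" stands in for
# whatever the lookup would reference; only the "${jndi:" prefix matters here.
SAMPLE_REQUESTS = [
    ("GET /", {"User-Agent": "curl/7.81.0"}),
    ("GET /", {"User-Agent": "${jndi:MARKER}"}),
    ("GET /%24%7Bjndi%3AMARKER%7D?q=1", {"User-Agent": "Mozilla/5.0"}),
    ("POST /test?name=${JNDI:MARKER}", {"User-Agent": "Mozilla/5.0"}),
    ("GET /", {"Authorization": "Basic " + base64.b64encode(b"demo:${jndi:MARKER}").decode()}),
]


def scan_all(requests=SAMPLE_REQUESTS) -> List[Tuple[str, List[str]]]:
    """Scan each (request-line, headers) pair; return only the ones with findings."""
    results = []
    for request_line, headers in requests:
        _method, _, target = request_line.partition(" ")
        hits = scan_request(target, headers)
        if hits:
            results.append((request_line, hits))
    return results


if __name__ == "__main__":
    for request_line, hits in scan_all():
        print(f"{request_line!r}: {', '.join(hits)}")
```

Run against the honeypot, the option names reported by `scan_request` tell you which `log4shell.*` switch a given request would have exercised, which is a quick way to confirm that a detection rule covers every field the honeypot can log rather than only the `User-Agent` case shown above.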
File Snapshot

    [4.0K] /data/pocs/80f58476569d3c8cbd6356ee8d4d0ab12cb99caf
    ├── [1.0K] LICENSE
    ├── [3.9K] pom.xml
    ├── [2.0K] README.md
    └── [4.0K] src
        └── [4.0K] main
            ├── [4.0K] java
            │   └── [4.0K] org
            │       └── [4.0K] seedstack
            │           └── [4.0K] samples
            │               └── [4.0K] log4shell
            │                   ├── [ 526] RedirectServlet.java
            │                   └── [2.8K] VulnerableServlet.java
            └── [4.0K] resources
                ├── [ 510] application.yaml
                └── [ 398] log4j2.xml

    8 directories, 7 files