Share
## https://sploitus.com/exploit?id=1047C7D6-B286-5E08-945F-45DD10BF09F4
# CVE-2021-44228 Log4Shell POC
## Overview
Proof of Concept for Remote Code Execution via JNDI Injection vulnerability in Apache Log4j 2.14.1.
Web Hacking Course - Week 11 Assignment.
## Environment
| Role | Software | Version |
|----------------|---------------------|----------------|
| Victim Server | Spring Boot + Log4j | 2.6.1 + 2.14.1 |
| Victim JDK | OpenJDK | 1.8.0_181 |
| LDAP Server | marshalsec | 0.0.3 |
| Attacker OS | Kali Linux | - |
## File Structure
```
log4shell-poc/
โโโ vulnerable-server/ # Vulnerable Spring Boot server
โ โโโ pom.xml
โ โโโ src/main/java/com/example/vulnerable/
โ โโโ App.java
โ โโโ MainController.java
โโโ exploit/
โ โโโ Exploit.java # Malicious class source
โโโ attacker/
โโโ commands.md # Attack commands reference
```
## How to run
### Start Vunlerable Server
```bash
cd vulnerable-server
mvn clean package -DskipTests
/opt/jdk1.8.0_181/bin/java -jar target/log4shell-vuln-0.0.1-SNAPSHOT.jar
```
### Run Attack
See attacker/commands.md for step-by-step attack commands.
## Attack Flow
1. Send JNDI payload via X-Api-Version HTTP header using curl
2. Log4j parses the payload and triggers JNDI lookup automatically
3. marshalsec LDAP server responds with Exploit.class URL
4. Victim JVM downloads and loads Exploit.class from HTTP server
5. Static block executes automatically, connecting reverse shell to nc listener
6. RCE achieved - arbitrary command execution on victim server
## Key Technical Details
- **Vulnerable point**: `logger.info()` passes user input directly to Log4j without sanitization
- **Root cause**: Log4j 2.x evaluates `${...}` expressions inside log messages
- **JDK requirement**: JDK 8u181 or lower required (`trustURLCodebase=true` by default)
- **Patch**: Log4j 2.15.0+ disables JNDI lookup by default
## Disclaimer
This POC is for educational purposes only.
Do NOT use against systems without explicit permission.