{"id":13834986,"url":"https://github.com/righettod/log4shell-analysis","last_synced_at":"2025-07-10T07:31:15.790Z","repository":{"id":41471803,"uuid":"439387308","full_name":"righettod/log4shell-analysis","owner":"righettod","description":"Contains all my research and content produced regarding the log4shell vulnerability","archived":true,"fork":false,"pushed_at":"2022-01-22T08:14:16.000Z","size":24793,"stargazers_count":32,"open_issues_count":0,"forks_count":6,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-11-20T20:38:57.703Z","etag":null,"topics":["development","log4j2","log4shell"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-17T16:02:58.000Z","updated_at":"2024-02-16T09:51:03.000Z","dependencies_parsed_at":"2022-09-09T07:00:46.974Z","dependency_job_id":null,"html_url":"https://github.com/righettod/log4shell-analysis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/righettod/log4shell-analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/r
ighettod","download_url":"https://codeload.github.com/righettod/log4shell-analysis/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-analysis/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264545160,"owners_count":23625404,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["development","log4j2","log4shell"],"created_at":"2024-08-04T14:00:54.574Z","updated_at":"2025-07-10T07:31:10.783Z","avatar_url":"https://github.com/righettod.png","language":"Java","readme":"# Objective\n\n[![Test detection regex for bypass](https://github.com/righettod/log4shell-analysis/actions/workflows/test-detection-regex-for-bypass.yml/badge.svg?branch=main)](https://github.com/righettod/log4shell-analysis/actions/workflows/test-detection-regex-for-bypass.yml)\n\nContains all my research and content produced regarding the [log4shell](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) vulnerability.\n\n# Content\n\n## Folder \"analysis\"\n\nContains the information I gathered about the vulnerability: affected versions, exploitation context/requirements, a remediation plan proposal, and so on.\n\nThis content is created using [Joplin](https://joplinapp.org/) and then exported as markdown to the **analysis** folder.\n\n➡️ [Access to the content](analysis/06-STUDIES/04-Log4Shell_Vulnerability.md).\n\n💡 Use the **TOC feature** of GitHub to navigate the content (icon on top left):\n\n![toc](toc-location.png)\n\n## Folder \"payloads\"\n\nContains a collection of 
[log4shell](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) payloads seen on my Twitter feeds.\n\nThe goal is to allow testing the detection regexes defined in protection systems against payloads actually used.\n\n➡️ [Access to the content](payloads/README.md).\n\n## Folder \"playground\"\n\nContains sample Java files used to test my scripts.\n\nSpecifically, it contains instances of the *log4j-core* library, including ones hidden in WAR/EAR archives as well as in nested JARs.\n\nThe 6 files are named from `AAlog4j...` to `FFlog4j...` to facilitate the review of the test results.\n\n## Folder \"sandbox\"\n\nContains a Maven project used to perform testing with the log4j2 library, as well as to work on protection/detection technical material, like unit test cases.\n\nIt is an [IntelliJ IDEA](https://www.jetbrains.com/idea/download/#section=windows) project.\n\n## Folder \"scripts\"\n\n\u003e 💡 For Windows targets: you can use the **bash** provided by [Git portable for Windows](https://git-scm.com/download/win) to run all the scripts.\n\nContains utility scripts provided to help address this vulnerability.\n\n* [identify-log4j-class-location.sh](scripts/identify-log4j-class-location.sh): Bash script to identify the Log4J class affected by CVE-2021-44228 in a collection of EAR/WAR/JAR files.\n\n```bash\n$ bash identify-log4j-class-location.sh ../playground/\n[+] Searching class 'org/apache/logging/log4j/core/lookup/JndiLookup.class' across '../playground/' folder...\n[*] Inspecting file: BBlog4j - core - 2.14.1.jar                                                             \n[!] Class found in the file '../playground/BBlog4j - core - 2.14.1.jar'.\n[+] Try to find the Maven artefact version...\nFile          : ../playground/BBlog4j - core - 2.14.1.jar\nMetadata file : META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\nLog4J version : 2.14.1\n[*] Inspecting file: dom4j-1.1.jar\n...\n[!] 
Inspection finished - Class found!\n```\n\n* [identify-tcm-expressions-usage.sh](scripts/identify-tcm-expressions-usage.sh): Bash script to identify code prone to CVE-2021-45046/CVE-2021-45105 in a collection of EAR/WAR/JAR files.\n\nℹ️ A release JAR file of this [Java decompiler](https://github.com/intoolswetrust/jd-cli) must be present in the current folder, and [Java](https://adoptium.net/?variant=openjdk11) (JRE) must be in the `$PATH`.\n\n```bash\n$ bash identify-tcm-expressions-usage.sh ../playground/\n[+] Include Log4J artefacts.\n[+] Searching for Log4J2 Thread Context Map or Log4J2 Expressions usage across '../playground/' folder...\n[*] Inspecting file: BBlog4j - core - 2.14.1.jar\n[!] Usage of the Thread Context Map identified in decompiled sources of the jar file '../playground/BBlog4j - core - 2.14.1.jar':\n/tmp/jarsrcwork/org/apache/logging/log4j/core/LogEvent.java:7:import org.apache.logging.log4j.ThreadContext;\n/tmp/jarsrcwork/org/apache/logging/log4j/core/layout/AbstractJacksonLayout.java:19:import org.apache.logging.log4j.ThreadContext;\n...\n[!] 
Inspection finished - Usage found!\n```\n\n```bash\n$ bash identify-tcm-expressions-usage.sh ../playground/ --ignore-log4j2-artefacts\n[+] Exclude Log4J artefacts.\n[+] Searching for Log4J2 Thread Context Map or Log4J2 Expressions usage across '../playground/' folder...\n[V] Inspection finished - No usage found!\n```\n\n## Folder \"videos\"\n\nContains videos of demonstrations and technical tests performed during the analysis.\n\n# Misc\n\nA companion tool was developed alongside this analysis to help the defender side: [log4shell-payload-grabber](https://github.com/righettod/log4shell-payload-grabber).\n","funding_links":[],"categories":["Examples \u0026 Proofs of Concept"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Flog4shell-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Flog4shell-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Flog4shell-analysis/lists"}