{"id":13834991,"url":"https://github.com/righettod/log4shell-payload-grabber","last_synced_at":"2025-07-10T07:31:10.072Z","repository":{"id":97551997,"uuid":"439697042","full_name":"righettod/log4shell-payload-grabber","owner":"righettod","description":"Tool to try to retrieve the java class used as dropper for the RCE in the context of log4shell vulnerability.","archived":true,"fork":false,"pushed_at":"2021-12-28T10:09:31.000Z","size":11489,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-11-20T20:38:58.031Z","etag":null,"topics":["incident-response-tooling","java-8","log4shell"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-12-18T19:21:24.000Z","updated_at":"2023-10-15T16:16:37.000Z","dependencies_parsed_at":"2023-03-17T23:30:13.504Z","dependency_job_id":null,"html_url":"https://github.com/righettod/log4shell-payload-grabber","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/righettod/log4shell-payload-grabber","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-payload-grabber","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-payload-grabber/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-payload-grabber/releases","manifests_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/righettod%2Flog4shell-payload-grabber/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righettod","download_url":"https://codeload.github.com/righettod/log4shell-payload-grabber/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Flog4shell-payload-grabber/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264545157,"owners_count":23625403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["incident-response-tooling","java-8","log4shell"],"created_at":"2024-08-04T14:00:54.618Z","updated_at":"2025-07-10T07:31:05.050Z","avatar_url":"https://github.com/righettod.png","language":"Java","funding_links":[],"categories":["Examples \u0026 Proofs of Concept"],"sub_categories":[],"readme":"# Objective\n\n[![Build package](https://github.com/righettod/log4shell-payload-grabber/actions/workflows/maven.yml/badge.svg?branch=main)](https://github.com/righettod/log4shell-payload-grabber/actions/workflows/maven.yml)\n\nTool that tries to retrieve the Java class used as a dropper for the RCE.\n\nThe tool was tested against the following attack kits:\n\n* [JNDI-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit).\n* [JNDIExploit](https://github.com/fengzhouc/JNDIExploit).\n* [Rogue-JNDI](https://github.com/veracode-research/rogue-jndi).\n\nIt is an [IntelliJ IDEA](https://www.jetbrains.com/idea/download) project.\n\n# Requirements\n\n[Java 8](https://adoptium.net/releases.html?variant=openjdk8) is required for compilation and execution because classes present only in this JDK are used for RMI information retrieval.\n\n
Need Maven 3+ to build it.\n\n# Usage\n\n```bash\n$ java -jar get-payload.jar\n[+] Missing LDAP/LDAPS/RMI URL or SER file!\n     URL: rmi://127.0.0.1:9997/gchero [--pause]\n          ldap://127.0.0.1:9998/gcherG\nSER file: 899f0d32098d4f3b8d54ffa21fe9b0b6.ser\n1) For RMI, if a second parameter, named '--pause', is specified then\nthe program wait the user press a key before to end the program allowing taking a heap dump\nof the JVM process to capture the loaded remote object.\n2) If a SER (serialized java object) file is passed then the program will load it\nand wait the user press a key before to end the program allowing taking a heap dump like for RMI.\n```\n\n![usage](usage.png)\n\nFull demonstration in [this video](demo-full.mp4).\n\nUse the following command to directly extract the download URL of the class when it is available:\n\n```bash\n$ java -jar get-payload.jar \"ldap://127.0.0.1:1389/Basic/TomcatMemshell\" | grep \"Direct URL\" | cut -d\" \" -f10\nhttp://127.0.0.1:8080/com.feihong.ldap.template.TomcatMemshellTemplate.class\n```\n\nFor RMI, a second optional parameter named **--pause** can be used to add a \"virtual\" breakpoint, allowing a memory dump of the tool's JVM process to be taken in order to capture the loaded remote object:\n\n![usage-rmi-01](usage-rmi-memory-dump01.png)\n\n![usage-rmi-00](usage-rmi-memory-dump00.png)\n\nOnce created, the memory dump can be analyzed with various tools, for example [jhat](https://docs.oracle.com/javase/7/docs/technotes/tools/share/jhat.html):\n\n![usage-rmi-00](usage-rmi-memory-dump02.png)\n\n![usage-ser-00](usage-ser-file00.png)\n\n# Compilation\n\nRun the script named [package.sh](package.sh); the binary jar file will then be present in the **target** folder.\n\n# Exploit class decompilation\n\nThe following tools can be used to achieve this task:\n
- GUI: http://java-decompiler.github.io/\n- CMD: https://github.com/intoolswetrust/jd-cli\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Flog4shell-payload-grabber","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Flog4shell-payload-grabber","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Flog4shell-payload-grabber/lists"}