Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Discussion] Way to setup a vulnerable test environment #25

Open
Matioupi opened this issue Dec 13, 2021 · 7 comments
Open

[Discussion] Way to setup a vulnerable test environment #25

Matioupi opened this issue Dec 13, 2021 · 7 comments

Comments

@Matioupi
Copy link

Hello,

nice tool and thanks for sharing.

Is there an easy way to setup a purposely vulnerable test environment ?
I tried setting up several images from https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/ that should be vulnerable (even user older than disclosure tags).
Despite the effort, I've not been able to trigger a vulnerability detection which I'd like to see for validation purposes.

Regards

@n2x4
Copy link

n2x4 commented Dec 13, 2021

Install an old version of apache Solr, like 8.9.0. It's vulnerable out of the box. the install is like 4 commands in ubuntu - follow this guide: https://www.osradar.com/install-apache-solr-ubuntu-20-04/

@zsolt-halo
Copy link

I did this last night, does the job for me: https://github.com/zsolt-halo/CVE-2021-44228-Spring-Boot-Test-Service

@Matioupi
Copy link
Author

Thanks a lot, I had no chance with solr 8.9.0, but @zsolt-halo worked like a charm !

@mazen160
Copy link
Contributor

Awesome thread :)
I tested it with: https://github.com/christophetd/log4shell-vulnerable-app
by @christophetd

@mazen160 mazen160 changed the title Way to setup a vulnerable test environment [Discussion] Way to setup a vulnerable test environment Dec 14, 2021
@christophetd
Copy link

https://github.com/christophetd/log4shell-vulnerable-app should make it easy, just run:

docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

... and you have a vulnerable Spring Boot application running on port 8080!

@zx153wet
Copy link

I try 3000 IPs ,but always retrun message "Targets does not seem to be vulnerable". Is my setting wrong?

@sickcodes
Copy link

sickcodes commented Dec 31, 2021

Edit: wrong thread sorry

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants