Rapid7 Vulnerability & Exploit Database

Log4Shell HTTP Header Injection

Back to Search

Log4Shell HTTP Header Injection



Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work. The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.


  • Michael Schierl
  • juan vazquez <juan.vazquez@metasploit.com>
  • sinn3r <sinn3r@metasploit.com>
  • Spencer McIntyre
  • RageLtMan <rageltman@sempervictus>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/log4shell_header_injection
msf exploit(log4shell_header_injection) > show targets
msf exploit(log4shell_header_injection) > set TARGET < target-id >
msf exploit(log4shell_header_injection) > show options
    ...show and set options...
msf exploit(log4shell_header_injection) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security