[Discussion] Way to setup a vulnerable test environment

[Matioupi]

Hello,

nice tool and thanks for sharing.

Is there an easy way to setup a purposely vulnerable test environment ?
I tried setting up several images from https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/ that should be vulnerable (even user older than disclosure tags).
Despite the effort, I've not been able to trigger a vulnerability detection which I'd like to see for validation purposes.

Regards

[n2x4]

Install an old version of apache Solr, like 8.9.0. It's vulnerable out of the box. the install is like 4 commands in ubuntu - follow this guide: https://www.osradar.com/install-apache-solr-ubuntu-20-04/

[zsolt-halo]

I did this last night, does the job for me: https://github.com/zsolt-halo/CVE-2021-44228-Spring-Boot-Test-Service

[Matioupi]

Thanks a lot, I had no chance with solr 8.9.0, but @zsolt-halo worked like a charm !

[mazen160]

Awesome thread :)
I tested it with: https://github.com/christophetd/log4shell-vulnerable-app
by @christophetd

[christophetd]

https://github.com/christophetd/log4shell-vulnerable-app should make it easy, just run:

docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

... and you have a vulnerable Spring Boot application running on port 8080!

[zx153wet]

I try 3000 IPs ,but always retrun message "Targets does not seem to be vulnerable". Is my setting wrong?

[sickcodes]

Edit: wrong thread sorry