GitBook: [#2918] No subject

pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md

@@ -78,6 +78,14 @@ Note that **even if a DNS request is received that doesn't mean the application
 Remember that to **exploit version 2.15** you need to add the **localhost check bypass**: ${jndi:ldap://**127.0.0.1#**...}
 {% endhint %}
 
+#### **Local Discovery**
+
+Search for **local vulnerable versions** of the library with:
+
+```bash
+find / -name "log4j-core*.jar" 2>/dev/null | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])"
+```
+
 ### **Verification**
 
 Some of the platforms listed before will allow you to insert some variable data that will be logged when it’s requested.\