# 本文仅供安全研究使用 👮这里想提一下,看到很多人在"疯狂"地测dnslog,其实还是希望在没有授权情况下最好不要进行漏洞探测/攻击行为,毕竟"自律才是自由的基础"! 👮
写在前面
写这篇文章单纯为了记录这个注定创造历史的漏洞!!!漏洞分析
根据流传的payload搭建测试环境
-
log4j_rce.java
import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;public class log4j_rce {private static final Logger logger = LogManager.getLogger(log4j_rce.class);public static void main(String[] args) {logger.error("暂时打码处理"}");}}
一步一步跟进,最后跟到
-
org.apache.logging.log4j.core.lookup.Interpolator#lookup
似乎就是这里,测下断点,调试
答案呼之欲出,lookup + jndi!
整个调用栈为
lookup:217, Interpolator (org.apache.logging.log4j.core.lookup)resolveVariable:1116, StrSubstitutor (org.apache.logging.log4j.core.lookup)substitute:1038, StrSubstitutor (org.apache.logging.log4j.core.lookup)substitute:912, StrSubstitutor (org.apache.logging.log4j.core.lookup)replace:467, StrSubstitutor (org.apache.logging.log4j.core.lookup)format:132, MessagePatternConverter (org.apache.logging.log4j.core.pattern)format:38, PatternFormatter (org.apache.logging.log4j.core.pattern)toSerializable:345, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout)toText:244, PatternLayout (org.apache.logging.log4j.core.layout)encode:229, PatternLayout (org.apache.logging.log4j.core.layout)encode:59, PatternLayout (org.apache.logging.log4j.core.layout)directEncodeEvent:197, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)tryAppend:190, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)append:181, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config)callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config)callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config)callAppender:84, AppenderControl (org.apache.logging.log4j.core.config)callAppenders:543, LoggerConfig (org.apache.logging.log4j.core.config)processLogEvent:502, LoggerConfig (org.apache.logging.log4j.core.config)log:485, LoggerConfig (org.apache.logging.log4j.core.config)log:460, LoggerConfig (org.apache.logging.log4j.core.config)log:63, DefaultReliabilityStrategy (org.apache.logging.log4j.core.config)log:161, Logger (org.apache.logging.log4j.core)tryLogMessage:2198, AbstractLogger (org.apache.logging.log4j.spi)logMessageTrackRecursion:2152, AbstractLogger (org.apache.logging.log4j.spi)logMessageSafely:2135, AbstractLogger (org.apache.logging.log4j.spi)logMessage:2011, AbstractLogger (org.apache.logging.log4j.spi)logIfEnabled:1983, AbstractLogger (org.apache.logging.log4j.spi)fatal:1053, AbstractLogger (org.apache.logging.log4j.spi)main:14, log4j_rce
其实这里可以触发的不只是error,默认情况下fatal也可以,即便实际的业务场景肯定会有所不同(只会更多)。
漏洞复现
起一个恶意的LDAPRefServer、恶意类Evil
然后触发即可
参考
https://github.com/pen4uin/JavaSec/tree/main/vulnerability-analysis/log4j2原文始发于微信公众号(pen4uin):Log4j2 JNDI RCE分析(已打码处理)
特别标注:
本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论