Log4j2 JNDI RCE分析(已打码处理)

admin 2021年12月10日12:52:08代码审计评论1,370 views2760字阅读9分12秒阅读模式
# 本文仅供安全研究使用 👮这里想提一下,看到很多人在"疯狂"地测dnslog,其实还是希望在没有授权情况下最好不要进行漏洞探测/攻击行为,毕竟"自律才是自由的基础"! 👮

写在前面

写这篇文章单纯为了记录这个注定创造历史的漏洞!!!

漏洞分析

根据流传的payload搭建测试环境

  • log4j_rce.java

import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;
public class log4j_rce { private static final Logger logger = LogManager.getLogger(log4j_rce.class); public static void main(String[] args) { logger.error("暂时打码处理"}"); }}


一步一步跟进,最后跟到

  • org.apache.logging.log4j.core.lookup.Interpolator#lookup

Log4j2 JNDI RCE分析(已打码处理)

似乎就是这里,测下断点,调试

Log4j2 JNDI RCE分析(已打码处理)

答案呼之欲出,lookup + jndi!

整个调用栈为

lookup:217, Interpolator (org.apache.logging.log4j.core.lookup)resolveVariable:1116, StrSubstitutor (org.apache.logging.log4j.core.lookup)substitute:1038, StrSubstitutor (org.apache.logging.log4j.core.lookup)substitute:912, StrSubstitutor (org.apache.logging.log4j.core.lookup)replace:467, StrSubstitutor (org.apache.logging.log4j.core.lookup)format:132, MessagePatternConverter (org.apache.logging.log4j.core.pattern)format:38, PatternFormatter (org.apache.logging.log4j.core.pattern)toSerializable:345, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout)toText:244, PatternLayout (org.apache.logging.log4j.core.layout)encode:229, PatternLayout (org.apache.logging.log4j.core.layout)encode:59, PatternLayout (org.apache.logging.log4j.core.layout)directEncodeEvent:197, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)tryAppend:190, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)append:181, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config)callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config)callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config)callAppender:84, AppenderControl (org.apache.logging.log4j.core.config)callAppenders:543, LoggerConfig (org.apache.logging.log4j.core.config)processLogEvent:502, LoggerConfig (org.apache.logging.log4j.core.config)log:485, LoggerConfig (org.apache.logging.log4j.core.config)log:460, LoggerConfig (org.apache.logging.log4j.core.config)log:63, DefaultReliabilityStrategy (org.apache.logging.log4j.core.config)log:161, Logger (org.apache.logging.log4j.core)tryLogMessage:2198, AbstractLogger (org.apache.logging.log4j.spi)logMessageTrackRecursion:2152, AbstractLogger (org.apache.logging.log4j.spi)logMessageSafely:2135, AbstractLogger (org.apache.logging.log4j.spi)logMessage:2011, AbstractLogger (org.apache.logging.log4j.spi)logIfEnabled:1983, AbstractLogger (org.apache.logging.log4j.spi)fatal:1053, AbstractLogger (org.apache.logging.log4j.spi)main:14, log4j_rce

其实这里可以触发的不只是error,默认情况下fatal也可以,即便实际的业务场景肯定会有所不同(只会更多)。

漏洞复现

起一个恶意的LDAPRefServer、恶意类Evil

Log4j2 JNDI RCE分析(已打码处理)

然后触发即可

Log4j2 JNDI RCE分析(已打码处理)

参考

https://github.com/pen4uin/JavaSec/tree/main/vulnerability-analysis/log4j2


原文始发于微信公众号(pen4uin):Log4j2 JNDI RCE分析(已打码处理)

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年12月10日12:52:08
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  Log4j2 JNDI RCE分析(已打码处理) http://cn-sec.com/archives/669052.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: