POC details: 26774c6963c4185ce84f8daccb237ed9897a97bc

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). A code issue vulnerability exists in Apache Log4j: an attacker can craft a data request and send it to a server that uses Apache Log4j, and when that request is written to a log, remote code execution is triggered.
Description
A Java application intentionally vulnerable to CVE-2021-44228
Introduction
# log4stdin — log4shell injection for anything with stdout

This repository contains a Java application intentionally vulnerable to CVE-2021-44228, colloquially known as log4shell.

log4stdin is quite literally nothing more than a stdin reader whose input is fed into a vulnerable log4j instance. The build ``log4stdin.jar`` uses the Maven artefacts log4j-api 2.14.1 and log4j-core 2.14.1, and it uses a logging pattern which omits the logging level and timestamp details. This version is Guaranteed Vulnerable:tm:.

The ``versions/`` folder contains builds that use the default logging pattern and log4j versions from 2.0-beta9 to 2.20.0.


## How to use?

Use Unix pipes for input. For example, to subject existing log entries to an injectability treatment, run

```sh
cat output.log | java -jar log4stdin.jar
```

Alternatively, for real-time log reading, run

```sh
tail -f output.log | java -jar log4stdin.jar
```

log4stdin prints whatever is fed to stdin but does nothing to handle user input. Therefore it is suitable for reading log files, as exemplified above, or for use with software requiring no user interaction.

The contents of this repository are bound to be classified by AVs either as infected files or as attempts to issue malicious commands. It might be a good idea to exclude the target folder from AV scanning before cloning the repository. It might be an even better idea to try it out in a virtual environment with no network connections.


## What for?

Firstly, it may be used to explore the consequences of having a JNDI injection point practically anywhere, without the need to fork any existing piece of software. It may be useful in researching or testing protection methods.

Secondly, it is basically the "Hello World" of cybersec, written to underline both the simplicity and the severity of the vulnerability.

Thirdly, it may be used to test if an AV solution is able to detect software exploiting CVE-2021-44228. log4stdin.java or log4stdin.jar might be flagged as Generic.Zojfor.G, for example.
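As an added example for the "testing protection methods" use above (not code from the log4stdin repository), here is a Python scanner that classifies each build in ``versions/`` by the log4j-core version recorded in its Maven ``pom.properties`` and by whether ``JndiLookup.class`` is still present, the class whose removal was Apache's mitigation for releases too old to upgrade. It assumes the fat jar keeps the log4j-core ``pom.properties`` entry, it only assesses CVE-2021-44228 (not the later log4j CVEs), and the sample jars it scans are constructed in memory.

```python
import io, sys, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata a fat jar normally keeps (assumption: the build does not strip it)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, -1): a pre-release sorts below the final 2.0."""
    main, _, pre = text.partition("-")
    nums = [int(p) for p in main.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((-1,) if pre else (0,))

def vulnerable_to_44228(version):
    """Fixed in 2.15.0 and in the 2.12.2 (Java 7) and 2.3.1 (Java 6) backport branches;
    every other 2.x build (2.0-beta9 .. 2.14.1) still resolves lookups in log messages."""
    v = parse_version(version)
    fixed = (v >= (2, 15, 0, 0) or (2, 12, 2, 0) <= v < (2, 13, 0, 0)
             or (2, 3, 1, 0) <= v < (2, 4, 0, 0))
    return not fixed

def scan_jar(source):
    """source: path or file-like jar. Returns (log4j-core version, JndiLookup present, verdict)."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8").splitlines() if POM_PROPS in names else []
    version = next((line.split("=", 1)[1].strip() for line in props if line.startswith("version=")), None)
    has_lookup = JNDI_CLASS in names
    if version is None:
        verdict = "unknown (no log4j-core metadata in jar)"
    elif not has_lookup:
        verdict = "mitigated (JndiLookup.class removed)"
    elif vulnerable_to_44228(version):
        verdict = "VULNERABLE to CVE-2021-44228"
    else:
        verdict = "not vulnerable to CVE-2021-44228 (later CVEs not assessed)"
    return version, has_lookup, verdict

def make_sample_jar(version, keep_lookup=True):
    """Constructed in-memory stand-in for a versions/ build, holding only the entries scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if keep_lookup:
            jar.writestr(JNDI_CLASS, b"placeholder bytes, not real bytecode")
    buf.seek(0)
    return buf

if __name__ == "__main__":  # usage: python scan_log4stdin.py versions/*.jar
    for path in sys.argv[1:]:
        print(path, *scan_jar(path))
```

A jar that reports "not vulnerable" here is only cleared for CVE-2021-44228; 2.15.0 and 2.16.0 still carry later log4j fixes in 2.17.x that this check does not evaluate.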


## It's on you

Anyway, whatever you decide to use this for makes you accountable for any consequences.


## Licenses

### log4stdin

MIT license. Read more in LICENSE.md.

It's not like there was much heavy lifting to do, though. Feel free to reproduce the thing of your own accord; no one is going to come chasing after you.


### Apache Log4j2

Copyright 1999–2023 The Apache Software Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
File snapshot

```
[4.0K] /data/pocs/26774c6963c4185ce84f8daccb237ed9897a97bc
├── [1.0K] LICENSE.md
├── [4.0K] log4stdin
│   ├── [1.9M] log4stdin.jar
│   ├── [2.9K] pom.xml
│   ├── [4.0K] src
│   │   └── [4.0K] main
│   │       ├── [4.0K] java
│   │       │   └── [4.0K] fi
│   │       │       └── [4.0K] ajuvonen
│   │       │           └── [4.0K] log4stdin
│   │       │               └── [ 690] log4stdin.java
│   │       └── [4.0K] resources
│   │           └── [ 409] log4j2.xml
│   ├── [4.0K] target
│   │   └── [4.0K] classes
│   │       ├── [4.0K] fi
│   │       │   └── [4.0K] ajuvonen
│   │       │       └── [4.0K] log4stdin
│   │       │           └── [1.6K] log4stdin.class
│   │       └── [ 409] log4j2.xml
│   └── [4.0K] versions
│       ├── [888K] log4stdin2.0.1.jar
│       ├── [889K] log4stdin2.0.2.jar
│       ├── [774K] log4stdin2.0-beta9.jar
│       ├── [882K] log4stdin2.0.jar
│       ├── [803K] log4stdin2.0-rc1.jar
│       ├── [870K] log4stdin2.0-rc2.jar
│       ├── [1.8M] log4stdin2.10.0.jar
│       ├── [1.8M] log4stdin2.11.0.jar
│       ├── [1.8M] log4stdin2.11.1.jar
│       ├── [1.8M] log4stdin2.11.2.jar
│       ├── [1.8M] log4stdin2.12.0.jar
│       ├── [1.9M] log4stdin2.12.1.jar
│       ├── [1.9M] log4stdin2.12.2.jar
│       ├── [1.9M] log4stdin2.12.3.jar
│       ├── [1.9M] log4stdin2.12.4.jar
│       ├── [1.9M] log4stdin2.13.0.jar
│       ├── [1.9M] log4stdin2.13.1.jar
│       ├── [1.9M] log4stdin2.13.2.jar
│       ├── [1.9M] log4stdin2.13.3.jar
│       ├── [2.0M] log4stdin2.14.0.jar
│       ├── [1.9M] log4stdin2.14.1.jar
│       ├── [2.0M] log4stdin2.15.0.jar
│       ├── [2.0M] log4stdin2.16.0.jar
│       ├── [2.0M] log4stdin2.17.0.jar
│       ├── [2.0M] log4stdin2.17.1.jar
│       ├── [2.0M] log4stdin2.17.2.jar
│       ├── [2.1M] log4stdin2.18.0.jar
│       ├── [2.1M] log4stdin2.19.0.jar
│       ├── [940K] log4stdin2.1.jar
│       ├── [2.1M] log4stdin2.20.0.jar
│       ├── [942K] log4stdin2.2.jar
│       ├── [945K] log4stdin2.3.1.jar
│       ├── [949K] log4stdin2.3.2.jar
│       ├── [944K] log4stdin2.3.jar
│       ├── [1.1M] log4stdin2.4.1.jar
│       ├── [1.1M] log4stdin2.4.jar
│       ├── [1.2M] log4stdin2.5.jar
│       ├── [1.3M] log4stdin2.6.1.jar
│       ├── [1.3M] log4stdin2.6.2.jar
│       ├── [1.3M] log4stdin2.6.jar
│       ├── [1.5M] log4stdin2.7.jar
│       ├── [1.5M] log4stdin2.8.1.jar
│       ├── [1.6M] log4stdin2.8.2.jar
│       ├── [1.5M] log4stdin2.8.jar
│       ├── [1.7M] log4stdin2.9.0.jar
│       └── [1.7M] log4stdin2.9.1.jar
└── [2.9K] README.md

14 directories, 54 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source is no longer available or cannot be reached, please email f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.