POC details: 8d8492c743c7a6dbbd02b1c2755c1d3c621cf29f

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j contains a code issue vulnerability: an attacker can craft a data request and send it to a server that uses the Apache Log4j tool, and when that request is written to a log, remote code execution is triggered.
Description
Log4Shell mitigation (CVE-2021-44228) - search and remove JNDI class from *log4j*.jar files on the system with Powershell (Windows)
Introduction
# Fix-Log4j-PowershellScript (CVE-2021-44228)

[![PSScriptAnalyzer](https://github.com/sysadmin0815/Fix-Log4j-PowershellScript/actions/workflows/powershell-analysis.yml/badge.svg)](https://github.com/sysadmin0815/Fix-Log4j-PowershellScript/actions/workflows/powershell-analysis.yml)

<b>Search and remove the JNDI Lookup class from *log4j*.jar files on the system with PowerShell (Windows)</b> <br>
Make sure you use the latest script release! <br>

## Release version 1.6.2 and above
Kill mode for Java processes implemented ($killMode).<br>
<b>Defaults to $false</b> unless changed manually. Be careful using this feature!<br>
<br>
<h3>The script can be deployed manually, with GPO, or with deployment tools like SCCM.</h3>
<br>
<h3> Features and Info:</h3>
<b>By default the script searches on C:\</b> if not changed.<br>
 -can be changed to search all local drives with $searchAllDrives = $true in the script<br>
 -can be changed to search a specific path with $searchPath = "C:\your\folder\to\search\" <br><br>

<b>By default the script creates a backup</b> of the file(s) in the same folder where the jar file was found, before removing the class.<br>
 -can be disabled with $enableBackup set to $false in the script<br>

<b>By default the script validates that JndiLookup.class has been removed</b> from the jar file. <br> <br>
<b>By default, if the class is still detected</b> after the removal attempt and the jar file was not modified, the backup file is cleaned up.<br>
 -can be disabled with $removeBkOnFailure set to $false<br>
 
<b>By default the script searches for running Java processes</b> and writes a warning to the log and console.<br>
 -kill mode for Java processes can be enabled with $killMode set to $true - be careful with that!<br>

<b>Generates a log file</b> in the script's root directory <br><br>
<b>Generates readable console output</b> <br> <br>
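The detect, back up, remove and validate sequence described in the features above, as an added example that is not the project's Fix-log4j_jndi_7zip.ps1 script. It assumes the 7-Zip command-line tool 7za.exe is on the PATH (the repository ships it under .\7-Zip\) and uses a placeholder $searchPath.

```powershell
# Added example (not the project's script): find *log4j*.jar files, check for
# JndiLookup.class with the 7-Zip CLI, back up the jar, delete the class and
# verify the deletion. Assumes 7za.exe is on the PATH; $searchPath is a placeholder.
$searchPath = "C:\your\folder\to\search"
$sevenZip   = "7za.exe"
$jndiClass  = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

function Test-JndiLookup {
    param([string]$JarPath)
    # 'l' lists the archive; the jar is affected if the class path appears.
    $listing = & $sevenZip l $JarPath 2>&1
    return [bool]($listing | Select-String -SimpleMatch $jndiClass -Quiet)
}

function Remove-JndiLookup {
    param([string]$JarPath, [switch]$Backup)
    if ($Backup) {
        # Keep an untouched copy next to the jar before modifying it.
        Copy-Item -Path $JarPath -Destination "$JarPath.bak" -Force
    }
    # 'd' deletes an entry from the archive in place (a jar is a zip file).
    & $sevenZip d $JarPath $jndiClass | Out-Null
    # Validate: the class must no longer be listed after the delete.
    return -not (Test-JndiLookup -JarPath $JarPath)
}

$jars = Get-ChildItem -Path $searchPath -Recurse -Filter "*log4j*.jar" -File -ErrorAction SilentlyContinue
foreach ($jar in $jars) {
    if (-not (Test-JndiLookup -JarPath $jar.FullName)) {
        Write-Host "clean   : $($jar.FullName)"
        continue
    }
    Write-Warning "affected: $($jar.FullName)"
    if (Remove-JndiLookup -JarPath $jar.FullName -Backup) {
        Write-Host "fixed   : $($jar.FullName) (backup: $($jar.FullName).bak)"
    } else {
        # A running JVM holding the jar open is the usual cause of a failed delete.
        Write-Warning "FAILED  : class still present in $($jar.FullName); backup kept"
    }
}

# A JVM that already loaded the jar keeps the old class in memory until restarted.
Get-Process -Name java, javaw -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "running Java process: $($_.Name) (PID $($_.Id)) - restart required" }
```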

<h3> How to run the script:</h3>
<b>Please read the script and modify it if needed before you execute it!</b><br>
Execute the script from an elevated PowerShell prompt or with deployment tools like SCCM. Note that -File must be the last parameter, because everything after it is passed to the script as arguments:<br>

```
powershell.exe -ExecutionPolicy Bypass -File "C:\Path\To\Script\Fix-log4j_jndi_7zip.ps1"
```
<br>
<br>
Tested on Windows 10, Server 2012 R2, 2016 and 2019.<br>

<h3>Credits:</h3>

7-Zip is used to delete the class in the jar file and verify the removal.
>  Source: https://www.7-zip.org/ <br>
>  7-Zip Copyright (C) 1999-2021 Igor Pavlov.

<br>
<br>
<b>THE SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.</b> <br>
File snapshot

[4.0K] /data/pocs/8d8492c743c7a6dbbd02b1c2755c1d3c621cf29f
├── [4.0K] 7-Zip
│   ├── [269K] 7za.dll
│   ├── [772K] 7za.exe
│   ├── [160K] 7zxa.dll
│   ├── [4.0K] Far
│   │   ├── [2.3K] 7-ZipEng.hlf
│   │   ├── [2.9K] 7-ZipEng.lng
│   │   ├── [456K] 7-ZipFar64.dll
│   │   ├── [272K] 7-ZipFar.dll
│   │   ├── [2.1K] 7-ZipRus.hlf
│   │   ├── [3.0K] 7-ZipRus.lng
│   │   ├── [2.7K] 7zToFar.ini
│   │   ├── [3.0K] far7z.reg
│   │   └── [2.4K] far7z.txt
│   ├── [7.5K] history.txt
│   ├── [1.1K] License.txt
│   ├── [4.3K] readme.txt
│   └── [4.0K] x64
│       ├── [376K] 7za.dll
│       ├── [1.2M] 7za.exe
│       └── [210K] 7zxa.dll
├── [ 15K] Fix-log4j_jndi_7zip.ps1
├── [ 34K] LICENSE
└── [2.4K] README.md

3 directories, 21 files