POC details: a66cf4f6ff7cf896aff089983ba5a81de79a7589

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (United States). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and when that request is written to the log, remote code execution is triggered.
Description
A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
Introduction
# Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

License: [GPLv3.0](https://www.gnu.org/licenses/gpl-3.0.html)

## Features

* Listen on various ports for Log4Shell exploitation.
* Detect exploitation in request line and headers.
* Download exploit payloads recursively.
* Log to file and Azure blob storage.

## Usage

1. Install Poetry: `curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 -`
2. Fetch this GitHub repository: `git clone https://github.com/thomaspatzke/Log4Pot.git`
3. Change directory into the local copy with `cd Log4Pot`
4. Install pycurl dependencies (Debian / Ubuntu): `apt install libcurl4-openssl-dev libssl-dev python3-dev build-essential`
5. Install python dependencies: `poetry install`
6. Put parameters into log4pot.conf; see `poetry run python log4pot.py --help` for an overview.
7. Run: `poetry run python log4pot.py @log4pot.conf`

Alternatively, you can run log4pot without external dependencies:
```
$ python log4pot.py @log4pot.conf
```
This will run log4pot without support for logging to Azure blob storage.

## Redirecting traffic / non-container setup

To redirect traffic to ports 80 and 443 to Log4Pot, use the following iptables commands:

`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080`

`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443`

## Log Analysis Tool

The script `log4pot-loganalyzer.py` extracts all payloads, decodes them with the current decoder and builds a timeline from both. Use it as follows:

```
python log4pot-loganalyzer.py -o <output directory> <input log files>
```

## Analyzing Logs with JQ

List payloads from exploitation attempts:
```
select(.type == "exploit") | .payload
```

Decode all base64-encoded payloads from JNDI exploit:
```
select(.type == "exploit" and (.payload | contains("Base64"))) | .payload | sub(".*/Base64/"; "") | sub("}$"; "") | @base64d
```

Extract all SHA256 hashes from files downloaded from URLs:
```
[ .[] | select(.type == "payload") | .urls | select((. | length) > 0) | to_entries | .[].value | select((. | length) == 64) ] | unique | .[]
```
File snapshot

```
[4.0K] /data/pocs/a66cf4f6ff7cf896aff089983ba5a81de79a7589
├── [ 10] default-url-allowlist
├── [ 144] default-url-denylist
├── [ 34K] LICENSE
├── [4.0K] log4pot
│   ├── [2.3K] deobfuscator.py
│   ├── [1.0K] expression_parser.py
│   ├── [ 0] __init__.py
│   ├── [5.6K] loganalyzer.py
│   ├── [9.8K] payloader.py
│   └── [2.2K] s3.py
├── [ 284] log4pot.conf.example
├── [4.4K] log4pot-loganalyzer.py
├── [ 10K] log4pot-server.py
├── [ 36K] poetry.lock
├── [ 460] pyproject.toml
├── [2.1K] README.md
├── [4.0K] responses
│   ├── [ 64] default.json
│   ├── [ 12K] sap-netweaver.html
│   ├── [1.9K] tomcat-default.html
│   └── [3.8K] vmware-esx-4.html
└── [4.0K] test
    ├── [1.2K] test_deobfuscation.py
    └── [ 482] test_payloader.py

3 directories, 21 files
```