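PoC details: f2daf7abde05d97ca530134a7b728065997ee16e

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Foundation in the United States. Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and remote code execution is triggered when that request is written to the log.
Description
Demo project to evaluate Log4j2 Vulnerability | CVE-2021-44228
Introduction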
# Evaluate the Log4Shell: RCE 0-day Issue

This repo contains the code to evaluate the Log4j2 issue CVE-2021-44228.

## More details

* https://www.lunasec.io/docs/blog/log4j-zero-day/

## How to Test

Send a GET request with the query parameter set to `${jndi:ldap://127.0.0.1:3089/}`.

```
http://localhost:10000/test?userParam=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A3089%2F%7D
```

When the above request is sent, the application tries to connect to the LDAP URL, and the following error is printed because no LDAP server is running on my machine.

```
2021-12-14 09:10:25,055 http-nio-10000-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1:3089/]. javax.naming.CommunicationException: 127.0.0.1:3089 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
	at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
	at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
	at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
	at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
	at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
	at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
	at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:221)
```
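A detection sketch for the behaviour above, added here as an example and not part of the original repo: it percent-decodes log lines, finds the `${jndi:...}` lookup in the request, and correlates it with Log4j's failed-lookup warning, which shows the string was evaluated rather than merely logged. The access-log format and the function names are assumptions, and only the literal lookup form shown on this page is matched.

```python
import re
from urllib.parse import unquote, urlsplit

# Literal lookup syntax shown on this page: ${jndi:<scheme>://<host:port>/...}
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<target>[^/}\s]*)[^}\s]*\}", re.I)
# Log4j2 status message quoted on this page for an unreachable lookup target
LOOKUP_WARNING = re.compile(
    r"WARN Error looking up JNDI resource \[(?P<url>[^\]]+)\]")

# Constructed sample lines: the access-log format is an assumption, the
# request and the WARN message are the ones from this README.
SAMPLE_LINES = [
    '127.0.0.1 - - [14/Dec/2021:09:10:25 +0000] "GET /test?userParam='
    '%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A3089%2F%7D HTTP/1.1" 200 4',
    '127.0.0.1 - - [14/Dec/2021:09:10:31 +0000] "GET /test?userParam=hello'
    ' HTTP/1.1" 200 4',
    "2021-12-14 09:10:25,055 http-nio-10000-exec-1 WARN Error looking up "
    "JNDI resource [ldap://127.0.0.1:3089/]. "
    "javax.naming.CommunicationException: 127.0.0.1:3089",
]


def find_jndi_lookups(line):
    """Return (scheme, target) for each ${jndi:...} in a percent-decoded line."""
    return [(m["scheme"].lower(), m["target"])
            for m in JNDI_LOOKUP.finditer(unquote(line))]


def failed_lookup_url(line):
    """Return the JNDI URL from Log4j's failed-lookup warning, else None."""
    m = LOOKUP_WARNING.search(line)
    return m["url"] if m else None


def scan(lines):
    """Correlate lookups seen in requests with lookups Log4j attempted."""
    requested, attempted = set(), set()
    for line in lines:
        for scheme, target in find_jndi_lookups(line):
            requested.add(f"{scheme}://{target}")
        url = failed_lookup_url(line)
        if url:
            parts = urlsplit(url)
            attempted.add(f"{parts.scheme}://{parts.netloc}")
    # A target in both sets was evaluated by Log4j, not just written to the log.
    return {"requested": requested, "attempted": attempted,
            "evaluated": requested & attempted}
```

Calling `scan(SAMPLE_LINES)` returns the three sets; a non-empty `evaluated` set means the running `log4j-core` resolved the lookup and none of the fixes below is in effect.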

## Temporary Fix

### Fix 1

If the `log4j-core` version is `>=2.10`, the JNDI lookup can be disabled by adding the following JVM parameter.

```
-Dlog4j2.formatMsgNoLookups=true
```

### Fix 2

We can update the `log4j2.xml` file to use `{nolookups}` in the log message pattern. Check branch `update-log4j2-config` for the fix.

## Permanent Fix

* Update the log4j version to `2.15.0`. Check the fix in branch `update-log4j-to-2.15.0`.
File snapshot

```
[4.0K] /data/pocs/f2daf7abde05d97ca530134a7b728065997ee16e
├── [1.8K] pom.xml
├── [2.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] org
        │       └── [4.0K] sansoft
        │           └── [4.0K] log4j2issuecheck
        │               ├── [ 341] Log4j2IssueCheckApplication.java
        │               └── [ 685] TestController.java
        └── [4.0K] resources
            ├── [ 18] application.properties
            └── [1.3K] log4j2.xml

7 directories, 6 files
```