利用 GitHub 上的 log4j demo，用 Tai-e 做污点分析（污点源：Server.getInput() 的返回值；汇：javax.naming.InitialContext.lookup 的第 0 个参数，即 JNDI 名称）:
server.java（演示用的 Server 类，其 getInput() 返回值在污点配置中被标记为污点源；源码清单本页未给出）:
taint-flow-config（即 options 中 `taint-config` 所指向的 java-benchmarks/log4j/2.14.0/taint-config.yml）:
# Tai-e taint-analysis configuration for the log4j demo (referenced from
# options.yml via `taint-config`).  Taint is tracked from the demo's input
# method to the JNDI lookup; each library call the analysis would otherwise
# not propagate taint across is declared below as an explicit transfer.
#
# NOTE(review): the transfer list is hand-tailored to the reusable-message
# path of the analyzed log4j build (ReusableMessageFactory /
# ReusableLogEventFactory, see the `type` fields).  A different message
# factory, logger configuration or library version needs its own transfer
# entries; otherwise the flow is silently missed (false negative) - the
# analysis can only report what these rules let it see.

# Source: the return value (`index: result`) of Server.getInput() is
# treated as attacker-controlled.
sources:
- { kind: call, method: "<Server: java.lang.String getInput()>", index: result }
# Sink: argument 0 (the JNDI name) of InitialContext.lookup.  A tainted value
# arriving here means untrusted input chooses the JNDI target - presumably the
# Log4Shell-style condition this demo reproduces.  This is the only sink
# declared, so tainted data reaching any other API is not reported.
sinks:
- { method: "<javax.naming.InitialContext: java.lang.Object lookup(java.lang.String)>", index: 0 }
# Transfers: taint on `from` (a parameter index or `base`) is copied to `to`
# (a parameter index, `base` or `result`) at the call; `type`, when present,
# pins the concrete runtime type of the tainted result object.
transfers:
# The logged string (param 0) taints the Message object the factory returns.
- { method: "<org.apache.logging.log4j.message.ReusableMessageFactory: org.apache.logging.log4j.message.Message newMessage(java.lang.String)>", from: 0, to: result, type: "org.apache.logging.log4j.message.ReusableSimpleMessage" }
# The Message (param 4) taints the LogEvent built from it.
- { method: "<org.apache.logging.log4j.core.impl.ReusableLogEventFactory: org.apache.logging.log4j.core.LogEvent createEvent(java.lang.String,org.apache.logging.log4j.Marker,java.lang.String,org.apache.logging.log4j.Level,org.apache.logging.log4j.message.Message,java.util.List,java.lang.Throwable)>", from: 4, to: result, type: "org.apache.logging.log4j.core.impl.MutableLogEvent" }
# Formatting the tainted event (base) writes its text into the StringBuilder
# passed as param 0.
- { method: "<org.apache.logging.log4j.core.impl.MutableLogEvent: void formatTo(java.lang.StringBuilder)>", from: base, to: 0 }
# Plain string-building copies.  Without these the taint would stop at the
# first StringBuilder/String copy between the formatted message and the sink.
# new StringBuilder(tainted String) -> the builder itself.
- { method: "<java.lang.StringBuilder: void <init>(java.lang.String)>", from: 0, to: base }
# tainted builder -> substring result.
- { method: "<java.lang.StringBuilder: java.lang.String substring(int,int)>", from: base, to: result }
# tainted builder -> the destination char[] (param 2) it is copied into.
- { method: "<java.lang.StringBuilder: void getChars(int,int,char[],int)>", from: base, to: 2 }
# tainted String -> substring result.
- { method: "<java.lang.String: java.lang.String substring(int)>", from: base, to: result }
# new String(tainted char[], offset, count) -> the new String.
- { method: "<java.lang.String: void <init>(char[],int,int)>", from: 0, to: base }
反射配置（options 中 `reflection-log` 所指向的 refl.log，为分析器手工提供反射目标；每行字段依次为：反射调用类型;目标方法或数组类型;调用点所在方法;行号;isAccessible 标记）:
Method.invoke;<org.apache.logging.log4j.core.config.LoggerConfig$RootLogger: org.apache.logging.log4j.core.config.LoggerConfig createLogger(java.lang.String,org.apache.logging.log4j.Level,java.lang.String,org.apache.logging.log4j.core.config.AppenderRef[],org.apache.logging.log4j.core.config.Property[],org.apache.logging.log4j.core.config.Configuration,org.apache.logging.log4j.core.Filter)>;org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build;136;isAccessible=false;
Method.invoke;<org.apache.logging.log4j.core.config.LoggersPlugin: org.apache.logging.log4j.core.config.Loggers createLoggers(org.apache.logging.log4j.core.config.LoggerConfig[])>;org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build;136;isAccessible=false;
Method.invoke;<org.apache.logging.log4j.core.pattern.MessagePatternConverter: org.apache.logging.log4j.core.pattern.MessagePatternConverter newInstance(org.apache.logging.log4j.core.config.Configuration,java.lang.String[])>;org.apache.logging.log4j.core.pattern.PatternParser.createConverter;591;isAccessible=false;
Array.newInstance;org.apache.logging.log4j.core.config.LoggerConfig[];org.apache.logging.log4j.core.config.plugins.visitors.PluginElementVisitor.visit;82;;
options.yml（Tai-e 运行选项：主类 Server，log4j 2.14.0 的 jar 作为应用类参与分析）:
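# Tai-e run options for the log4j demo.
optionsFile: null
printHelp: false
classPath: []
# The demo class (Server) *and* the log4j jars are given as application
# classes.  Combined with `scope: APP` below this makes the library internals
# the taint flows through part of the analyzed code instead of opaque library
# code.
appClassPath:
- java-benchmarks/log4j/2.14.0
- java-benchmarks/log4j/2.14.0/log4j-api-2.14.0.jar
- java-benchmarks/log4j/2.14.0/log4j-core-2.14.0.jar
mainClass: Server
inputClasses: []
javaVersion: 8
prependJVM: false
# Unresolvable classes become phantoms instead of aborting the run.  Phantom
# classes have no analyzable bodies, so a flow passing through one is lost -
# check the run's warnings for phantom classes before trusting a "no flow"
# result.
allowPhantom: true
worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder
outputDir: output
preBuildIR: false
worldCacheMode: false
scope: APP
nativeModel: true
planFile: null
# `pta` is an entry of the `analyses` map and has to be nested under it; in
# the pasted copy it sat at column 0, which would make `analyses` null and
# `pta` an unknown top-level key.  The `;`-separated pta options are:
#   cs:ci                              context-insensitive pointer analysis
#   implicit-entries:false             do not add JVM implicit entry points
#   distinguish-string-constants:null  string-constant handling left at its default
#   reflection-inference:solar         infer reflective targets with Solar
#   taint-config:...                   the sources/sinks/transfers file above
#   reflection-log:...                 hand-written reflection targets (refl.log)
#   dump-ci is left commented out (trailing `#dump-ci:true;`).
analyses:
  pta: cs:ci;implicit-entries:false;distinguish-string-constants:null;reflection-inference:solar;taint-config:java-benchmarks/log4j/2.14.0/taint-config.yml;reflection-log:java-benchmarks/log4j/2.14.0/refl.log; #dump-ci:true;
onlyGenPlan: false
keepResult:
- $KEEP-ALL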
测试结果（运行输出/截图本页未包含）:
Web 注入（SQL 注入测试笔记）:
测试时需让数据库（连接及表）使用 GBK 编码——这一般是为了复现宽字节注入：只有在 GBK 下，%df 之类的高位字节才会与转义符 \ 合并成一个双字节字符，从而绕过转义；如果能拿到这些网站的源码搭成本地靶场，测试会方便很多: