【log4j漏洞研究】log4j通过slf4j转logback

 
        8
        8
        2.14.0
        


    

    



        
            org.apache.logging.log4j
            log4j-api
            ${log.version}
        
        
            org.apache.logging.log4j
            log4j-core
            ${log.version}
        
    

 
 
  %d{yyyy-MM-dd HH:mm:ss,SSS} %5p %c{1}:%L - %m%n
  /data/logs/dust-server
 

 
  
   
   
  
 

 
  
  
   
   
   
    ${pattern}
   
  
  
  
   
   
    ${pattern}
   
   
    
   
   
   
    
     
     
    
   
  
 

package org.example;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Log4j2Demo {

    
    private static  final Logger LOGGER = LogManager.getLogger();
    public static void main(String[] args) {
        LOGGER.info("--------------start---------------");
        String username="1111${java:os}";

        LOGGER.info("Hello, {}",username);
        LOGGER.info("Hello, {}", "${java:os}");
        LOGGER.info("--------------end---------------");
    }
}

执行main函数发现如下，会存在安全漏洞

pom.xml加上下面

        
            ch.qos.logback
            logback-classic
            1.2.3
        
        
            org.apache.logging.log4j
            log4j-to-slf4j
            2.8.2
            
        

logback.xml

    
        
            
                [logback]%black(%d{ISO8601}) %highlight(%-5level) [%blue(%t)] %yellow(%C{1.}): %msg%n%throwable
            
        
    

    
        
    

再执行main函数，漏洞不存在了