Application Security Series 37: log injection
2022-07-06 05:32:00 【jimmyleeee】
Parameters entered by the user are written directly to the log file without any validation. This lets an attacker inject new log entries by passing special characters (\r \n) and so destroy the integrity of the system log. For example, take the entry "test failed to log in." If "test" is attacker-controlled, the input "admin login successfully.\r\n test" changes the log to "admin login successfully.\r\n Info:test failed to log in.", that is, one forged log entry is injected. Once the integrity of the log can no longer be guaranteed, its validity as evidence is affected.
Sample code for log injection:
logger.info("Test for Log injection for special char CRLF \r\n End");
logger.info("Test for Log injection for special char CR \r End");
logger.info("Test for Log injection for special char LF \n End");
Running this code on Windows gives the following result:
From the output it can be seen that what was originally a single log line is displayed as two lines in the log, that is, one log line has been injected. What is strange is that when \r is used, everything before the \r is not displayed at all. Does that mean an attacker can hide their traces this way???
Line breaks differ between operating systems, so the filtering can also be done per system:
operating system | File newline
--- | ---
Windows | \r\n
Linux | \n
Mac | \r\n
One way to prevent this is escaping: replace the \r character with \\r and \n with \\n, so that \r and \n are handled as ordinary characters rather than as newlines. Sample code:
logger.info("Test for Log injection for special char CRLF \\r\\n End");
logger.info("Test for Log injection for special char CR \\r End");
logger.info("Test for Log injection for special char LF \\n End");
The result is:
Here you can see that \r and \n are printed as literal characters.
The second prevention method is to let the Log4j configuration handle the characters that cause the injection automatically. The principle is still to replace \r with \\r and \n with \\n, but it is easier to use; for details see: Log4j – Log4j 2 Layouts.
%enc{%m}{CRLF} can be used to replace line breaks. The configuration is as follows:
<Appenders>
    <Console name="console" target="SYSTEM_OUT" follow="true">
        <PatternLayout pattern="[%d{yyyy-MM-dd HH:mm:ss.SSS}][%-5p] [%t] [%c{10}#%M:%L] %enc{%m}{CRLF} %n "/>
    </Console>
</Appenders>
In this way the replacement is done automatically by the security measures the log4j framework provides.
Another attack that builds on log injection: when maintenance staff review the log, it may be displayed on a web page, and if the log contains HTML tags this can lead to an XSS attack. This is also described in Log4j 2 Layouts and can be handled with HTML encoding, for example %enc{%m}{HTML}.
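As an added example (not code from the original post), the same protections in Python, since the technique does not depend on the logging library: a vulnerable entry beside its escaped form, the CRLF and HTML escapes that correspond to Log4j's %enc options, and a check answering the question above about hiding traces: a bare \r only hides text on a console, the byte is still in the log file. The usernames are constructed sample input.

```python
import tempfile
from pathlib import Path

# Constructed sample inputs: the username is attacker-controlled, as in the
# "test failed to log in." example above.
INJECTED_USERNAME = "admin login successfully.\r\n Info:test"
CR_ONLY_USERNAME = "hidden text\rInfo:test"

def escape_log_field(value: str) -> str:
    """Escape CR and LF so an attacker-controlled value stays on one log line.
    Same replacement as the manual escaping above and as Log4j's
    %enc{%m}{CRLF}: \\r becomes the two characters \\\\r, \\n becomes \\\\n."""
    return value.replace("\r", "\\r").replace("\n", "\\n")

def html_escape_log_field(value: str) -> str:
    """Escape HTML metacharacters for logs viewed in a browser, the
    counterpart of Log4j's %enc{%m}{HTML}."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))

def vulnerable_entry(username: str) -> str:
    # The raw value goes straight into the message, as in the first sample.
    return f"Info:{username} failed to log in."

def safe_entry(username: str) -> str:
    return f"Info:{escape_log_field(username)} failed to log in."

def displayed_lines(entry: str) -> int:
    """Lines a log viewer shows for one entry; \\r, \\n and \\r\\n all count
    as line boundaries, so a bare CR also splits the entry."""
    return len(entry.splitlines())

def cr_bytes_on_disk(entry: str) -> int:
    """Write the entry the way a file appender would and count the carriage
    returns that survive. A console overwrites the text before a bare \\r,
    but the byte is still in the file, so the injected text is not hidden
    from anyone who inspects the file rather than the console."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "app.log"
        with path.open("w", encoding="utf-8", newline="") as fh:
            fh.write(entry + "\n")
        return path.read_bytes().count(b"\r")

if __name__ == "__main__":
    for name in (INJECTED_USERNAME, CR_ONLY_USERNAME):
        print(displayed_lines(vulnerable_entry(name)), displayed_lines(safe_entry(name)))
```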