log4shell POC: no HTTP redirect
I am trying to understand/reproduce the Log4shell vulnerability, using this poc and also information from Marshalsec (https://github.com/mbechler/marshalsec).
To do that, I've downloaded Ghidra v10.0.4, which is said (on the Ghidra download page) to be vulnerable to log4shell. Installed it on an Ubuntu VM, along with Java 1.8 (as stated in the POC), and loaded the POC + marshalsec snapshot.
Tried to start Ghidra; it said Java 11 was needed, so although I'd installed Java 1.8 I still downloaded Java 11 and, when you start Ghidra, it says the installed version is not good enough and asks for the path to a Java 11 version; so I just gave it the path to the JDK 11 directory and it seems happy with it. Ghidra starts alright.
Then I set up my listener and launched the POC, got the payload string to copy/paste into Ghidra, and got a response in the LDAP listener saying it would send it to HTTP. But nothing more. The end.
Since the HTTP server is set up by the same POC, I thought maybe I just couldn't see the redirection, so I started the HTTP server myself, started the LDAP server myself with marshalsec, and retried (see the pics below for the exact commands/outputs).
Setting up the HTTP server:
Setting up the listener:
Setting up the LDAP server:
Sending the payload string in Ghidra (in the help/search part, as shown in the kozmer POC); immediately got an answer:
I still receive a response on the LDAP listener (two, in fact, which seems weird), but nothing on the HTTP. The Exploit class is never loaded in Ghidra (it directly sends me a pop-up saying search not found; I think it is supposed to wait for the server answer to do that?), and I get nothing back in my listener.
Note that I don't really understand this Marshalsec/LDAP thing, so I'm not sure what's happening here. If anyone has time to explain, it would be nice. I've read a lot of stuff about the vuln but it rarely goes deeply into details (most of it is like: the payload string sends a request to the LDAP server, which redirects to the HTTP server, which will upload the Exploit class to the vulnerable app and give you a shell).
Note: I've checked, the HTTP server is up and accessible, the Exploit.class file is there and can be downloaded.
Comments (1)
Solved it.
Turned out that for log4shell to work you need a vulnerable app and a vulnerable version of Java, which I thought I had, but nope. I had Java 11.0.15 and needed Java 11 (Ghidra needs Java 11 minimum; the only vulnerable version of Java 11 is the first one).
Downloaded and installed Java 11, and the POC is working perfectly.
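An added example, not code from the question or the answer: a small Python check for the condition the answer identifies, namely whether a given JDK will, with default settings, fetch a remote codebase that an LDAP entry points at. The thresholds it uses (6u211, 7u201, 8u191, 11.0.1) are the JDK updates in which com.sun.jndi.ldap.object.trustURLCodebase started defaulting to false; on such a JDK the JNDI lookup still reaches the LDAP server but no HTTP fetch follows, which is exactly the symptom described in the question. The parser accepts both the legacy 1.8.0_191 scheme and the 11.0.15 scheme, as well as a full `java -version` banner line.

```python
import re
from typing import Tuple

# Lookup table constructed for this example (not from the question or answer): the first
# update of each feature release in which the JDK's LDAP naming provider stopped loading
# classes from a remote javaCodeBase by default (trustURLCodebase=false). Values are from
# Oracle's October 2018 JDK release notes: 6u211, 7u201, 8u191 and 11.0.1.
LDAP_CODEBASE_HARDENED = {6: (211,), 7: (201,), 8: (191,), 11: (0, 1)}


def parse_java_version(text: str) -> Tuple[int, Tuple[int, ...]]:
    """Accept '1.8.0_191', '11.0.15', '11' or a full `java -version` banner line.

    Returns (feature_release, comparable_tail), e.g. (8, (191,)) or (11, (0, 15)).
    """
    quoted = re.search(r'"([^"]+)"', text)          # banner form: ... version "11.0.15" ...
    raw = quoted.group(1) if quoted else text.strip()
    core = re.match(r"[\d._]+", raw)                 # drop suffixes such as -b12, -ea, +10
    if not core:
        raise ValueError(f"unrecognised Java version: {text!r}")
    nums = [int(p) for p in re.split(r"[._]", core.group(0)) if p]
    if nums[0] == 1 and len(nums) >= 2:              # legacy scheme: 1.<feature>.0_<update>
        update = nums[3] if len(nums) >= 4 else 0
        return nums[1], (update,)
    return nums[0], tuple(nums[1:]) or (0,)          # JEP 223 scheme: <feature>.<interim>.<update>


def ldap_codebase_blocked_by_default(version: str) -> bool:
    """True when this JDK, with default system properties, will NOT fetch the
    codebase URL returned by an attacker-controlled LDAP entry."""
    feature, tail = parse_java_version(version)
    if feature in LDAP_CODEBASE_HARDENED:
        return tail >= LDAP_CODEBASE_HARDENED[feature]
    return feature > 11                              # 9 and 10 never got the fix; 12+ ship with it


def explain(version: str) -> str:
    """Map the JDK default to the symptom in the question: LDAP hit, but no HTTP fetch."""
    if ldap_codebase_blocked_by_default(version):
        return (f"Java {version}: the JNDI lookup still reaches the LDAP server, but the JDK "
                "ignores the returned codebase by default, so no HTTP request follows.")
    return f"Java {version}: remote class loading from an LDAP codebase is allowed by default."


if __name__ == "__main__":
    for v in ('openjdk version "11.0.15" 2022-04-19', "11", "1.8.0_181", "1.8.0_191-b12"):
        print(explain(v))
```

The JDK default is only a mitigation that happens to hide the symptom; upgrading Log4j itself (2.17.1 or later, or 2.12.4 / 2.3.2 on the Java 7 / Java 6 branches) is the actual fix.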