
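pom.xml
<properties>
    <maven.compiler.source>8</maven.compiler.source>
    <maven.compiler.target>8</maven.compiler.target>
    <log.version>2.14.0</log.version>
</properties>
<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log.version}</version>
    </dependency>
</dependencies>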
log4j2.xml
%d{yyyy-MM-dd HH:mm:ss,SSS} %5p %c{1}:%L - %m%n
/data/logs/dust-server
${pattern}
${pattern}
Log4j2Demo
package org.example;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4j2Demo {
    /**
     * Version 2.14.0:
     * 2022-03-08 10:44:15,130 INFO Log4j2Demo:10 - --------------start---------------
     * 2022-03-08 10:44:15,140 INFO Log4j2Demo:13 - Hello, Windows 10 10.0, architecture: amd64-64
     * 2022-03-08 10:44:15,140 INFO Log4j2Demo:14 - --------------end---------------
     *
     * After upgrading to version 2.15.0 or 2.17.1:
     * 2022-03-08 10:49:42,866 INFO Log4j2Demo:19 - Hello, ${java:os}
     *
     */
    private static final Logger LOGGER = LogManager.getLogger();

    public static void main(String[] args) {
        LOGGER.info("--------------start---------------");
        // Stand-in for user-controlled input that carries a lookup expression.
        String username = "1111${java:os}";
        LOGGER.info("Hello, {}", username);
        // The lookup passed directly as a message parameter.
        LOGGER.info("Hello, {}", "${java:os}");
        LOGGER.info("--------------end---------------");
    }
}
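Running the main function on version 2.14.0 shows that the ${java:os} lookup in the logged value is resolved (see the output in the comment above), so the security vulnerability is present.
Add the following to pom.xml:
<dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>1.2.3</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>2.8.2</version>
</dependency>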
logback.xml
[logback]%black(%d{ISO8601}) %highlight(%-5level) [%blue(%t)] %yellow(%C{1.}): %msg%n%throwable
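Run the main function again: the vulnerability is no longer present, because calls made through log4j-api are now routed to Logback by log4j-to-slf4j instead of being handled by log4j-core.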
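An added example (not from the original post): a Python check that reads a pom.xml like the one above, resolves the ${log.version} property, and flags log4j-core versions below 2.15.0, the first version the post reports as no longer resolving ${java:os} in a message. The function name audit_pom and the sample pom are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the pom.xml fragment on this page.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log.version>2.14.0</log.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log.version}</version>
    </dependency>
  </dependencies>
</project>"""

FIXED_FROM = (2, 15, 0)  # per this page, ${java:os} is not resolved from 2.15.0 on
CORE = ("org.apache.logging.log4j", "log4j-core")


def _local(tag):  # drop the '{namespace}' prefix ElementTree adds to tag names
    return tag.rsplit("}", 1)[-1]


def audit_pom(pom_text, fixed_from=FIXED_FROM):
    """Return (version, reason) for each log4j-core dependency needing attention."""
    props, deps = {}, []
    for el in ET.fromstring(pom_text).iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
        elif _local(el.tag) == "dependency":
            deps.append({_local(c.tag): (c.text or "").strip() for c in el})
    findings = []
    for dep in deps:
        if (dep.get("groupId"), dep.get("artifactId")) != CORE:
            continue
        # Resolve ${property} indirection such as ${log.version}.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         dep.get("version", ""))
        m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
        if m is None:
            findings.append((version, "version not resolvable from this pom"))
        elif tuple(int(x or 0) for x in m.groups()) < fixed_from:
            findings.append((version, "message lookups are resolved"))
    return findings
```

A version inherited from a parent pom or a BOM is reported as not resolvable rather than silently passed, so it can be checked against the effective pom.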